HIPAA Notice
How Unity safeguards protected health information as a HIPAA Business Associate.
Last updated: June 27, 2026
1. Our Commitment to Privacy & Security
Unity Population Health ("Unity") is committed to protecting the confidentiality, integrity, and availability of protected health information (PHI) entrusted to us. This Notice describes how Unity handles PHI in its role as a HIPAA Business Associate. It is intended to inform our customers and their patients; it is not a substitute for a covered entity's own Notice of Privacy Practices.
2. Unity's Role as a Business Associate
Unity is a "Business Associate" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and its implementing regulations (collectively, "HIPAA"). When Unity creates, receives, maintains, or transmits PHI on behalf of a covered entity (such as a healthcare provider) or another business associate, it does so under a written Business Associate Agreement (BAA) that governs Unity's permitted uses and disclosures.
3. How We Safeguard PHI
Unity maintains administrative, physical, and technical safeguards required by the HIPAA Security Rule, including:
- Encryption of PHI in transit and at rest.
- Role-based access controls and the principle of least privilege.
- Audit logging and continuous monitoring of access to PHI.
- Workforce training, background screening, and confidentiality obligations.
- A documented risk-management and incident-response program.
- Controls aligned with the SOC 2 framework and support for FHIR R4 and HL7 interoperability standards.
4. Permitted Uses & Disclosures
Unity uses and discloses PHI only as permitted by the applicable BAA and HIPAA — principally to perform the services requested by the covered entity, for the proper management and administration of Unity, and as required by law. Unity does not use or disclose PHI for marketing, and does not sell PHI.
5. Subcontractors
Where Unity engages subcontractors that create, receive, maintain, or transmit PHI on Unity's behalf, Unity requires those subcontractors to agree in writing to restrictions and conditions at least as protective as those that apply to Unity under its BAA.
6. Breach Notification
In the event of a breach of unsecured PHI, Unity will notify the affected covered entity without unreasonable delay and consistent with the timeframes and requirements of the HIPAA Breach Notification Rule and the applicable BAA, so that the covered entity can fulfill its notification obligations.
7. Individual Rights
HIPAA affords individuals rights regarding their PHI, including the rights to access, amend, and obtain an accounting of certain disclosures. Because Unity acts on behalf of covered entities, individuals should direct requests to exercise these rights to their healthcare provider (the covered entity). Unity will reasonably support covered entities in fulfilling such requests as required by the BAA.
8. Compliance
Unity maintains policies and procedures designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and reviews them periodically to reflect changes in law, technology, and our practices.
9. Contact — Privacy & Security Office
To ask a question about this Notice or report a concern, contact Unity's Privacy & Security Office at contact@unityhealth.ai or 614-787-7550, Unity Population Health, Dublin, OH.