Data Processing Agreement

HIPAA Business Associate Agreement

Annex F

Last updated: March 31, 2026

This Annex F applies only to the extent that: (1) Customer is a Covered Entity or Business Associate; and (2) Customer Data includes Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) Processed through the Services. When this Annex F applies, it forms part of the DPA and governs the parties' use and disclosure of PHI in connection with the Services.

F-1. Definitions

The following terms have the meanings given to them by HIPAA (45 CFR Parts 160 and 164): Business Associate, Covered Entity, Breach, Data Aggregation, Designated Record Set, HIPAA Rules, Individual, Protected Health Information (PHI), Electronic Protected Health Information (ePHI), Privacy Rule, Security Incident, Security Rule, and Unsecured PHI. Capitalized terms not defined herein have the meanings given in the DPA or the Agreement.

F-2. Roles

When this Annex applies: Customer is the Covered Entity or Business Associate disclosing PHI to Atribu; and Atribu acts as the Business Associate, or subcontractor business associate where applicable, solely for the limited services covered by the Agreement.

F-3. Permitted uses and disclosures of PHI

Atribu may use and disclose PHI only:

  • To perform the Services for Customer;
  • For proper management and administration of Atribu, if permitted by HIPAA and this Annex;
  • To carry out Atribu's legal responsibilities;
  • As required by law; and
  • For Data Aggregation and other uses expressly permitted under HIPAA and the agreed scope.

This section is drafted narrowly; it does not authorize downstream sharing of PHI with advertising platforms beyond the uses listed above.

F-4. Prohibited uses and disclosures

Atribu will not:

  • Use or disclose PHI except as permitted by this Annex, the Agreement, or applicable law;
  • Sell PHI;
  • Disclose PHI to third-party ad platforms where such disclosure is not permitted by HIPAA and the parties' agreements;
  • Use PHI for independent marketing purposes outside the scope of services;
  • De-identify and reuse PHI beyond the scope permitted by contract and law unless explicitly authorized.

F-5. Safeguards

Atribu will:

  • Implement administrative, physical, and technical safeguards to protect PHI;
  • Comply with applicable Security Rule requirements for ePHI;
  • Maintain access controls, logging, encryption, and workforce restrictions appropriate to the services and risks; and
  • Apply enhanced controls for Healthcare Mode workspaces, including field-level scrubbing, export allowlists, and audit logging.

F-6. Reporting

Atribu will report to Customer:

  • Any use or disclosure of PHI not permitted by this Annex;
  • Any Security Incident involving ePHI, as required by the Security Rule; and
  • Any Breach of Unsecured PHI,

without unreasonable delay and in accordance with the timing/process defined in this Annex or the Agreement.

F-7. Subcontractors

Atribu will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Atribu agrees in writing to substantially the same restrictions, conditions, and requirements that apply to Atribu under this Annex. Only Subprocessors identified as PHI-permitted in Annex C may handle PHI.

F-8. Access by individuals

To the extent applicable and relevant to the Services, Atribu will provide reasonable assistance to Customer in responding to requests for access to PHI in a Designated Record Set. This obligation is limited to data actually maintained within the Services.

F-9. Amendment of PHI

To the extent applicable and relevant to the Services, Atribu will assist Customer in making amendments to PHI in a Designated Record Set as directed by Customer.

F-10. Accounting of disclosures

To the extent required by HIPAA and relevant to the Services, Atribu will document disclosures and provide information reasonably needed by Customer to respond to an accounting request.

F-11. Internal practices and HHS access

Atribu will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required for determining compliance with HIPAA.

F-12. Return or destruction of PHI

Upon termination of the Agreement or this Annex, Atribu will return or destroy PHI where feasible and will retain no copies, except where retention is required by law or where return or destruction is infeasible (for example, PHI held in backup or archival systems). Any PHI so retained remains subject to the protections of this Annex for as long as Atribu retains it.

F-13. Term and termination

Customer may terminate this Annex and/or the affected Services if Atribu has materially breached this Annex and cure is not possible or not timely completed.

F-14. Product-specific PHI restrictions for Atribu

  • Atribu may restrict, transform, suppress, or block forwarding of PHI or PHI-adjacent fields/events to third-party destinations.
  • Customer is responsible for configuring its websites, forms, and destination settings lawfully.
  • Healthcare Mode may impose allowlists, event suppression, field stripping, shortened retention, and destination-specific controls.
  • Nothing in the Agreement or this Annex requires Atribu to forward PHI to Meta or any other advertising platform.

F-15. Order of precedence

For PHI-related matters, this Annex F controls over conflicting terms in the Agreement or the DPA.