Privacy Notice

UBC is a global contract research organization (“CRO”) and technology provider in the healthcare, and clinical research, industry that provides business-to-business Services to pharmaceutical companies and related organizations (“Clients”). As part of these Services, UBC may collect, use, and disclose (“Process”) Personal Information about you in various ways, including:
(1) When you interact with our Site, request information, or for authorized marketing purposes;
(2) When you interact with us, directly, as part of a Client’s program; or
(3) When a Client has hired us to provide our Services, on their behalf, and provide us your Personal Information.

The term “Personal Information” refers to many types of information that can identify, relate to, or describe a person and can link the information directly, or indirectly, to a person or household. This includes “protected health information” (“PHI”) as defined under the United States Health Insurance Portability and Accountability Act of 1996, (“HIPAA”), “Personal Data,” as defined under the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and the United Kingdom (“UK”) Data Protection Act 2018, and “Personal Information,” as defined under the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et. seq., as amended (“CCPA”), and the California Privacy Rights Act (“CPRA”), collectively “Data Protection Laws.”

Please note that UBC operates globally, and this is not an exhaustive list of all applicable Data Protection Laws. UBC strives to ensure its practices, and this Privacy Notice meets requirements worldwide, but you may always contact us, as outlined under Section 18 below for additional information if it’s not available in this Privacy Notice.

Additionally, UBC may Process “Usage Data” about you in various ways for its business activities. ‘Usage Data’ are information about an individual’s activity (on or through the Services) that, by itself, does not identify an individual, such as a web-browser type, operating system, and webpages visited. Usage Data are not considered Personal Information, unless it can (with other information) identify an individual, as outlined under certain Data Protection Laws. In those limited scenarios, Usage Data may be considered Personal Information.

As outlined under Section 1 above, there are various ways we will Process Personal Information about individuals. For each use case, there may be different types of Personal Information required to perform our Services or fulfill your requests. In general, this includes the following types of individuals, purposes, and legal basis for why we Process your Personal Information:

A. Patients and Clinical Trial Participants

Purpose and Legal Basis.
For Patients and Clinical Trial Participants, Personal Information will be Processed (e.g., collected, stored, retrieved consulted, disclosed or shared, erased or destroyed), as instructed by our Clients, as the data controllers, to provide our Services, as listed under a contract, and in all cases consistent with applicable law. Our Processing activities are based on the relevant contract terms, your informed consent obtained by the relevant Client, healthcare provider, or UBC, to participate in a study or program, UBC’s legitimate business interests in performing our Services, and where relevant, as necessary for archiving in the public interest and scientific, research, or statistical purposes.

Please note that in many instances, unless otherwise agreed to in a contract between a Client and UBC, healthcare professionals will be responsible for obtaining your informed consent for a particular study or program.

Types of Personal Information.
Patients. If you are a patient enrolled in a program that UBC is supporting, such as Patient Access Solutions, UBC may Process the following Personal Information about you:
• Your full name and contact information (such as phone or mobile phone number, email address, and physical address);*
• Demographic information, such as date of birth or gender;
• Racial or ethnicity origins;
• Health information, including physical or psychological state of health, disease state, medical history, medical treatment or diagnosis, healthcare provider information, and health insurance identification or account information;
• Voice recordings for quality assurance or safety calls; and
• Other data, as may be specified in an informed consent provided by your healthcare provider or prescriber.

*Please note that UBC may utilize “tokenization” technology to assist in ensuring your identity, or identifying information, is separated from sensitive health data. For more information, please review Section 16 (Security) of this Privacy Notice.

Clinical Trial Participants. If you are participating in a clinical study where UBC is providing support Services on a Client’s behalf (i.e., sponsor), UBC may Process the following Personal Information about you:
• An assigned identifier (e.g., Subject ID);
• Demographic information, such as date of birth (or age/year of birth) and gender;
• Racial or ethnicity origins;
• Health information related to the particular study, including physical or psychological state of health, disease state, medical history, medical treatment or diagnosis, healthcare provider information; and
• Other information, as may be specified in an informed consent provided by a study sponsor or UBC (as directed by a sponsor).

B. Healthcare Professionals (“HCPs”)

Purpose and Legal Basis.
As part of our Services, UBC may interact with HCPs located at clinical trial sites, doctor’s offices, and hospitals, as may be required to perform our Services. Additionally, employees at these facilities may use UBC platforms, or other technologies, where your Personal Information, and other employees’ Personal Information, may be stored. This Personal Information will be Processed, as instructed by our Clients, as the data controllers, to provide our Services based on consent obtained by the relevant HCPs, or Client, and UBC’s legitimate business interests in performing our Services.

Types of Personal Information. The following Personal Information may be Processed by UBC in support of the relevant Services:
• Your full name and business contact information (such as phone number, email address, and physical address);
• Job title and other information about your employment, where required;
• Log-in data: An individual’s username, email address, password, password reset questions, access code, security questions and answers;
• Usage Data (Possibly): IP address, cookies, log data, and other Internet activity; and
• Identity Confirmation (Possibly): Handwritten and digital signature, and where necessary, other required information to verify identity.

If you are a healthcare professional, or an institutional healthcare provider, in some cases you may be responsible for obtaining any legally required authorization, consent, or other permission from your patients before providing their Personal Information to UBC in support of our Services. By submitting any Personal Information about a patient, you represent and warrant to UBC that you have obtained all required permissions, where legally required to do so.

C. Client Employees
Purpose and Legal Basis.
As part of our Services, UBC will interact with Clients’ employees who have hired UBC to perform the relevant Services. Additionally, Clients’ employees may use UBC platforms, or other technologies, where your Personal Information, and other employees’ Personal Information, may be stored. This Personal Information will be Processed, as instructed by our Clients, as the data controllers (or joint controllers), to provide our Services based on the relevant contractual agreement and UBC’s legitimate business interests in performing our Services.

Types of Personal Information.
The following Personal Information may be Processed by UBC in support of the relevant Services:
• Your full name and business contact information (such as phone number, email address, and physical address);
• Job title and other information about your employment, where required;
• Log-in data: An individual’s username, email address, password, password reset questions, access code, security questions and answers;
• Usage Data (Possibly): IP address, cookies, log data, and other Internet activity; and
• Identity Confirmation (Possibly): Handwritten and digital signature, and where necessary, other required information to verify identity.

D. Third-Party Suppliers

Purposes and Legal Basis.
As part of our Services, UBC may interact with Third-Party Suppliers’ employees who have been hired by UBC to support Services on UBC’s behalf. Additionally, Third-Party Suppliers’ employees may use UBC platforms, or other technologies, where your Personal Information, and other employees’ Personal Information, may be stored. This Personal Information will be Processed, as instructed by our Clients, as the data controllers (or joint controllers), to provide our Services based on the relevant contractual agreement and UBC’s legitimate business interests in performing our Services.

Types of Personal Information.
The following Personal Information may be Processed by UBC in support of the relevant Services:
• Your full name and business contact information (such as phone number, email address, and physical address);
• Job title and other information about your employment, where required;
• Log-in data: An individual’s username, email address, password, password reset questions, access code, security questions and answers;
• Usage Data (Possibly): IP address, cookies, log data, and other Internet activity; and
• Identity Confirmation (Possibly): Handwritten and digital signature, and where necessary, other required information to verify identity.

E. Website User/Prospects

Purposes and Legal Basis.
As a website user, or someone who is seeking information from us about our Services, we may collect your Personal Information that are collected directly through our Site. Your Personal Information will be Processed as part of the use of our Site and for reach-outs we may do to assist you with questions related to our Services, based on your consent, as agreed to in this Privacy Notice, and for our legitimate interest in providing you information and resources related to our Services.

You have the right to opt-out of our direct marketing at any time. You can do this by; (i) following the instructions in the communication where this is an electronic message; or (ii) contacting us using the methods noted below under Section 8 below, “Your Rights.”

Types of Personal Information.
The following Personal Information may be Processed by UBC in support of the relevant Services:
• (Possibly) Name (first and last);
• (Where relevant) Log-in data (e.g., username, email address, password, password reset questions);
• (Possibly) Business communication data (e.g., telephone, fax, mobile phone, e-mail); and
• (Possibly) connection data (e.g., logs, IP address, and cookies).

As part of our Services and operations, UBC may share your Personal Information with other third-parties, including Clients, healthcare providers, and third-party suppliers, as agreed and instructed under a contract, or as provided within the appropriate informed consent.  This includes the following parties:

• Clients (and their service providers). As standard, UBC has contracts with its Clients to provide Services in assisting with their healthcare programs or clinical trials. Therefore, we will share the necessary Personal Information, as agreed to under the service agreement, to perform the relevant Services.
• Healthcare Providers/Sites. UBC may also share information you provide us with your healthcare provider, or clinicians, when you have enrolled in a program that requires us to share your information.
• UBC Affiliates and Subsidiaries. We will share your Personal Information with other UBC group companies (such as UBC Late Stage (UK) Limited – for more details about UBC group companies visit: http://www.ubc.com/contact/locations), as necessary to provide the Services you have requested or to fulfill any of the other purposes set out above.
• Third-Party Suppliers: We may also share your Personal Information with our third-party suppliers, who may perform functions for UBC, such as processing and analyzing data, designing and maintaining systems, customer service, marketing (e.g., HubSpot and Salesforce) and promotions, and any other relevant Services contracted between a third-party supplier and UBC. These third parties include, but are not limited to: UBC customers, research consultants, information technology service providers (including customer relationship management suppliers), and email providers.
• Law Enforcement or Regulatory Authorities: In certain circumstances, we may be legally obligated to share your Personal Information with government authorities, regulatory authorities (e.g., FDA) or law enforcement officials for the purposes (i.e., Services) outlined above, if mandated by law (for example, in response to a court order, subpoena, search warrant, law, or regulation) or if required for the legal protection of our legitimate interests in compliance with relevant laws. For disclosures under HIPAA, please review Section 14 and 15 below.

As part of UBC’s Services and operations, it may be necessary to transfer your Personal Information outside of your region or country of residence. For example, UBC utilizes Microsoft Azure to host its SharePoint Online environments, and UBC utilizes data centers located within the United States. Therefore, your data may be stored in a secure data center located in the United States. Additionally, UBC employees, and our Clients’ employees, may access your data remotely from other regions required to perform the Services.

Some jurisdictions (such as EU/UK) may require specific conditions to ensure your Personal Information is secure when transferred internationally to a region that has not been considered “adequate” by the relevant data protection authority. Where a transfer occurs, UBC will ensure the protections required under relevant Data Protection Laws are performed in alignment with relevant Client contractual obligations and as otherwise necessary to comply with the relevant Data Protection Laws. For the specific security measures used to support requirements for the European Economic Area (“EEA”), UK, and Switzerland, please see Section 16 below.

It’s important to note that specific data transfers, and disclosures, will often depend on the relevant program, project, or study that you are involved with.  If you would like to receive additional information about relevant data transfers, you may contact us at  privacy@ubc.com or request information as described under Section 8 (Your Rights) below.

If you have questions about the specific security measures used to protect data transfers, or how UBC complies with country-specific requirements, please contact us at privacy@ubc.com, or as specified under Section 18 (Contact Us).

UBC stores Personal Information as instructed by our Clients and as required by relevant laws and regulations, including as follows:

• Our Services. Except where restricted by law and subject to this Privacy Notice, we will retain, and use, your Personal Information for as long as it is needed to perform or provide you (or our Clients) with the relevant Services and for any required retention period, as contracted under a relevant service agreement.
• Business Relationships. We will also keep your Personal Information to document our business relationship with you, and as necessary to comply with our legal obligations, resolve disputes, and enforce our service agreements.
• When we use your Personal Information for marketing purposes, as provided with your consent (where required), we use this information until you make us aware by unsubscribing to future contact. We also keep a record of the fact that you have asked us not to send you direct marketing or to use your Personal Information so that we can respect your request in the future.
• Legal Requirements. When we use Personal Information to meet relevant legal requirements, we hold this information for as long as the relevant law requires it (for example, we may hold records to help prevent fraud and other restricted or illegal activities).

When we store your Personal Information, UBC uses data collection, storage, data minimization practices, and security measures to protect your Personal Information against unauthorized access, alteration, disclosure, or destruction.

Our Site may contain links to other websites, services, and applications that are not owned or controlled by us (“Linked Sites”). We provide these Linked Sites’ hyperlinks to allow you to conveniently access information that may be of interest to you. This Privacy Notice does not apply to Linked Sites. If you decide to visit any Linked Site, you will be subject to the privacy notice, terms of use, or other policies (if any) of the relevant Linked Site(s). We strongly recommend that you review the privacy policy, statements, or any other legal notices posted on any Linked Site(s).

We do not knowingly collect Personal Information from children under the age of thirteen (13) through our Site. If you believe UBC may have any information from (or about) a child under the age of thirteen (13), please contact our Data Privacy office at: privacy@ubc.com.

Additional Personal Information will be collected from children as it relates to a specific program or study in accordance with the informed consent provided to a children’s parent, guardian, or caregiver.

UBC complies with relevant Data Protection Laws and offers you choices concerning the Personal Information you (or Clients) share with us. Where UBC is Processing Personal Information on its Clients’ behalf, certain requests may need to be fulfilled by (or in conjunction with) UBC’s Clients (i.e., the data controllers).

Additionally, certain rights may be relevant to the region where you reside. For example, if you reside in the European Union, or within certain States in the United States, your rights may differ. In all such cases, UBC will strive to fulfill all legitimate requests, including the following (where relevant and applicable):

To exercise any of your rights, you can:

• Complete a “Data Subject Access Request” Form available here: https://forms.office.com/r/mcZjAun0Rh;
• Submit a detailed request to privacy@ubc.com;  
• Call UBC’s toll-free phone number at: +1-866-244-9625 (US) or + 44 208 834 9595 (UK); or

Additionally, requests can also come from online communication channels, from a complaint email, or as one of a few issues raised in a single communication. UBC will use all reasonable efforts to respond to these requests, but it is advisable to contact us directly as outlined in this Privacy Notice.

Where UBC uses AI, we will do so in alignment with our AI policy and defined AI Governance Framework and relevant laws and regulations, including, but not limited to: the U.S. Executive Order (E.O.) 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence; the European AI Act; and U.S state laws, such as the Colorado AI Act (all collectively “AI Legislation”).

As part of UBC’s AI Governance Framework and AI policy, we are committed to ensuring transparency and compliance with the evolving legal requirements. This includes ensuring our AI use is safe, and effective, and that there is human governance and supervision. Additionally, where AI is used to make decisions about your access to health-related decisions, or other uses that may be considered high-risk, UBC, and our Clients, will ensure you are made aware of any AI use, as required under relevant AI Legislation.

If you live in the EEA, or other countries outside of the United States (e.g., UK and Switzerland), you may have additional rights given to you under the GDPR or other relevant Data Protection Laws.  The following applies:

Data Transfers

In addition to the information outlined under Section 4, above, if you live in the EEA, we may transfer your Personal Information outside the EEA to countries that do not offer the same level of protection as required by the EEA (e.g., to a UBC group company or other third-party supplier (as outlined above under Section 3) in the United States (“U.S.”).

To protect your Personal Information, we will only perform data transfers based on: (i) an adequacy decision by the EU Commission; (ii) subject to the EU Commission approved standard contractual clauses; or (iii) any other legally, allowable data transfer method.

Registration

UBC maintains office locations within the EU, UK, and Switzerland (as detailed under Section 18), and is registered as a data controller, with the local data protection authority (i.e., the Information Commissioner’s Office (“ICO”), in the UK, as required under the UK GDPR.  

Government Requests

If UBC receives a request from a government authority outside of the EEA, UK, or Switzerland to access your Personal Information, we will use reasonable, and lawful efforts, to ensure your Personal Information are protected and that disclosures meet relevant Data Protection Laws’ standards.

Complaints

If you are in the EEA, or another country that allows the rights mentioned under this Privacy Notice, and you have unresolved concerns, or at any time you do not believe that we have complied with this Privacy Notice, you have the right to file a complaint with your local data protection authority.

If you are a California resident, you may be entitled to additional rights, as defined under the CCPA and the CPRA.

In addition to the rights identified in the other sections of this Privacy Notice, you have the right, subject to certain exceptions under the CCPA, and other relevant laws and regulations, to request that companies disclose certain information to you about their collection, and use, of your Personal Information.

This includes the following:

Exercising Your Rights: If you are a California resident and wish to exercise your rights, please send your request through any of the methods noted above, under Section 8, at: “Your Rights,” including our toll-free number.  

Authorized Agent: The CCPA permits California residents to use an authorized agent to make privacy rights requests. We require the authorized agent to provide us with proof of the California resident’s written permission (for example, a power of attorney) that shows the authorized agent has the authority to submit the relevant request. An authorized agent must follow the process described under Section 8, above, to make a request (i.e., under “Your Rights”).  The authorized agent must also verify his or her own identity. We will confirm the agent’s authority with the relevant California resident related to the request that was made.

Information Exempt from the CCPA: Please note that certain information that is governed under the California Confidentiality of Medical Information Act (“CMIA”), HIPAA, or is subject to the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule,” under good clinical practice guidelines (issued by the International Counsel for Harmonisation) or under human subject protection requirements of the United States Food and Drug Administration (i.e., FDA), is not considered Personal Information with respect to CCPA rights listed above.  However, additional rights might be available under those laws and standards. Please contact privacy@ubc.com for more information.

No Sharing of Personal Information for Direct Marketing Purposes: We do not share Personal Information with other people, or non-affiliated businesses, for their direct marketing purposes.

Non-Discrimination: UBC does not discriminate against any relevant treatment for exercising any of your rights.

Right to Notice of Financial Incentives: California residents have the right to information on how businesses may offer financial incentives, including payments to consumers as compensation, for the collection of Personal Information, the sale of Personal Information, or the deletion of Personal Information. Where relevant, any incentives to collect, or share, your Personal Information will be outlined in an informed consent, project-specific privacy notice, or terms of service associated with the relevant Services offered.

California (and Delaware) “Do-Not-Track” disclosures: Our Site honors your web browser’s “Do-Not-Track” settings concerning targeted advertising.  See the Cookie Policy (Section 13) for additional information.

Nevada Residents: Although UBC does not sell Personal Information, Nevada residents have the right to submit a verified request directing UBC not to sell their Personal Information.  If you are a Nevada resident and would like to submit such a request, please send your request through any of the methods noted above, under Section 8, “ Your Rights.”

This State-specific policy describes our practices for handling Consumer Health Data (as defined under Washington’s My Health My Data Act (“MHMDA”) and other similar state laws) that we may collect about you through our operations, and services, and will prevail over any conflicting provisions in this Privacy Notice regarding Consumer Health Data.

Consumer Health Data includes information that are linked, or reasonably linkable, to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. This includes information about medical conditions, as well as non-medical information, such as biometric data, information about use of non-prescription medication, or use of health-related products. However, this does not include public, or peer-reviewed scientific, historical, or statistical research in the public interest that is overseen by an institutional review board (“IRB”), human-subjects research ethics review board, other similar independent oversight agency, or PHI as covered under HIPAA.

A. Categories of Consumer Health Data

In general, UBC Processes Personal Information for research purposes or Personal Information that may be considered PHI and regulated under HIPAA. In these instances, MHMDA may not apply. However, to the extent that UBC is collecting Consumer Health Data on individuals, such as patients, the following information may be collected:

• Product Interests: Information about your interest in certain health-related programs, such as when you visit websites, we operate on our Clients’ behalf (i.e., sponsors);
• Individual Health Conditions, Treatments, and Diseases: Information about your health history, symptoms, or treatment, such as pregnancy status.
• Bodily Function, Vital Signs and Measurements: Information about your body, such as digestion, metabolism, immune support, or height and weight.
• Reproductive and Sexual Health Information: Information about your reproductive system, or sexual well-being, collected when it is relevant to a particular study or program, such as information about your periods or pregnancy status.
• Genetic Information: Information that concerns your genetic characteristics, which may be relevant to a particular Client program.
• Biometric Data: Information such as genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data;
• Precise Location Information: that could reasonably indicate a resident’s attempt to acquire, or receive, health services or supplies;
• Research Programs: Information you provide when participating in research studies, or responding to our surveys, including any of the above categories about physical or mental health, medical history, or other health-related information

B. Purposes

We may use your Consumer Health Data for the following purposes:

• The Services: Performing our Services for you, on our Client’s behalf, and request information from you to participate in a sponsored program.
• Patient Management: To provide you the associated Services, we may use your Personal Information for the following purposes:

• • Identifying, and authenticating, you to our different programs;
  • Administering, and maintaining, accounts and preferences, if relevant; and
  • Helping you manage our Site, or app, preferences.
• Data Subject Communications: Communications including:
  • Responding to your questions, or requests, for Personal Information;
  • Sending transactional messages (such as account statements or confirmations); and
  • Sending marketing communications about our Services (or our Clients’ products or services), surveys, or invitations.
• Quality and Safety: Ensuring our Services are safe and effective, including:
  • Quality control, training, and analytics;
  • Safety maintenance and verification; and
  • System administration and technology management, including optimizing our Site and applications.
• Security: Detecting threats and protecting against malicious or fraudulent activity.
• Recordkeeping and Auditing:  Recordkeeping and auditing, interactions with users, including logs, and records maintained as part of transaction information.
• Legal/Compliance: Risk management, audit, investigations, reporting, and other legal and compliance reasons.

C. Sources of Consumer Health Data

We collect Consumer Health Data from the following sources:

• From you, such as when you join a Client program or volunteer the Personal Information in connection with potential of participating in a program;
• From our Clients, who provide us your Personal Information to provide you with benefits, such as patient access and affordability solutions;
• From other third-party sources, such as data brokers who provide us with consumer information that may benefit from a sponsor-related program; and
• We may also gather, or obtain, Consumer Health Data by analyzing other non-health related information we have about you or other consumers.

D. Disclosures

As outlined above under Section 3 above, UBC may share Consumer Health Data with other third-parties as necessary, this includes UBC affiliates, including:

• United BioSource, LLC (Delaware);
• United BioSource Patient Solutions, Inc. (Delaware);
• UBC Late Stage, Inc. (Missouri);
• UBC Pharmacy, LLC (Delaware);
• United BioSource Corporation, S.L. (Spain);
• United BioSource (Italy) S.R.L.;
• UBC Late Stage (UK) Ltd. (UK);
• United BioSource GmbH (Germany);
• United BioSource (Suisse) SA (Switzerland);
• United BioSource (HCA Canada) Company (Quebec);
• UBC Late Stage (UK) Limited French Branch;
• Examoto, LLC (Pennsylvania); and
• Market Share Movers, LLC (Pennsylvania).

E. Complaints

If you have any issues, or questions, we encourage you to reach out to us at privacy@ubc.com, or as specified under Section 18 (Contact Us). However, if you have any unresolved questions, or concerns, you are entitled to file a complaint with the Washington State Attorney General, at: www.atg.wa.gov/file-complaint.

We use “Cookies” and similar tracking technologies to track the activity on our Site (and relevant Services) and store certain information. Tracking technologies used are beacons, tags, and scripts to collect, and track, information and to improve, and analyze, our Site, applications, and relevant Services.

“Cookies:” are small files that are placed on your computer, mobile devices, or any other device by a website, containing the details of your web-browsing history (on that website) among its many uses. Our Site is then able to recognize repeat users, and track usage patterns, to better serve visitors when they return to our Site. The Cookie does not extract Personal Information, and most web browsers provide a simple procedure that enables users to control whether they want to receive Cookies or notifies them when a website is about to deposit a Cookie file. You can instruct your web browser to refuse all Cookies or to indicate when a Cookie is being sent.  However, if you do not accept Cookies, you may not be able to use some portions of our Site or relevant Services.

Cookies can be “persistent” or “session” Cookies. Persistent Cookies remain on your personal computer, or mobile device, when you go offline. Session Cookies are used to personalize your user experience, to determine ways to improve our Site, used for Site content, and the Services we offer. These Cookies are deleted when you close your web browser session. Persistent cookies are used to collect information, such as IP addresses, browser type, Internet Service Provider (“ISP”), referring/exit pages, platform type, date/time stamp, and the number of clicks.

Adjusting Your Preferences: When you first visit our Site, you can set preferences for which Cookies you would like to enable. If you would like to modify these settings, you may do so at any time by using the following link: Cookie Preference Center.

Alternatively, most web browsers allow some control over most Cookies through the web- browser settings. To find out more about Cookies, including how to see what Cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

UBC.Com does respond to Do-Not-Track signals. To find out more about “Do-Not-Track,” please visit: http://www.allaboutdnt.com.

We use the following general Cookies categories, which are provided in the Cookie Notice, generated by Cookiebot:

• Category 1: Necessary Cookies: Necessary Cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of a website. A website cannot function properly without these Cookies. Without these Cookies, relevant Services you have asked for, such as remembering your login details, or submitted information, cannot be provided;
• Category 2: Preference Cookies: Preference Cookies enable a website to remember information that changes the way the website behaves or looks, such as your preferred language or the region that you are in. These can then be used to provide you with an experience more appropriate to your selections and to make your Site visits more tailored and pleasant. The information these Cookies collect may be anonymized and they cannot track your web browsing activity on other websites;
• Category 3: Statistic Cookies: Statistic Cookies help website owners to understand how visitors interact with websites by collecting, and reporting, information anonymously. For example, we use Google Analytics Cookies to help us understand how individuals arrive at our Site, browse, or use, our Site, and highlight areas where we can improve our Site, such as navigation and marketing campaigns. The information stored by these Cookies never shows your personal details from which your identity can be established;
• Category 4: Marketing Cookies: These Cookies collect information about your browsing habits to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an ad, as well as help measure the effectiveness of an advertising campaign. These Cookies are usually placed by third-party advertising networks. They remember the sites you visit, and information is shared with other parties, such as advertisers. Additionally, these Cookies allow you to share what you’ve been doing on our Site, on social media, such as LinkedIn. These Cookies are not within our control; and therefore, are subject to a third-party’s rules and policies. Social media companies may have their own privacy policies, which we strongly suggest you review if you use those websites or relevant apps. For additional information about these social media sites and the data they may collect, please review their privacy policies; and
• Category 5: Unclassified Cookies: Unclassified Cookies are Cookies that we are in the process of classifying, together with the providers of individual Cookies.

Additional Information about Necessary Cookies: Some of the Cookies, and tracking technologies, that we use on our Site are strictly necessary and they are there to technically enable our Site, and its components, as well as to enable relevant security measures. Necessary Cookies are activated without a user’s consent because these are necessary for the Site to work properly and in a secure way.  All other Cookies and tracking technologies, not classified as necessary, are subject to your consent when visiting our Site. 

Be aware that even if you accept only “necessary cookies,” you still may see third-party trackers that are enabled for our relevant Services we use on our Site.  Third-party trackers are enabled because these third-party services may also have Cookies, or trackers, they have classified as necessary to perform the relevant Services we requested. 

Another reason for seeing third-party trackers on your web browser is that you have already used, or accessed, a third-party service before visiting our Site. For example, if you landed on our Site using a search engine, such as “Google Search,” it is likely that Google’s search engine may have enabled trackers on your web browser (e.g., related to your preferences regarding Google’s own tracking technologies). You can read more details about how Google may use your Personal Information in this context by visiting Google’s Privacy Terms.  Additionally, Necessary Cookies by third parties, such as LinkedIn and Ceros, may be stored to capture a user’s cookie consent for our current Site domain.

Analytics: In addition to the above Cookies, we use certain third-party services on our Site to organize, monitor, and analyze log data. Third-party services include the following:

Google Analytics: To ensure that our Site content remains up-to-date, user-oriented, and comprehensive, we use Google Analytics, a web-analysis tool from Google, Inc. (“Google”) that enables us to optimize our Services for you. Google Analytics uses Cookies that track your preferences during your visit to our Site. This allows us to simplify navigation, for example, helping us to make our Site more user-friendly. The information that is generated in this process (including your IP address) is unknown/anonymized, i.e., your log data are not identifiable. An evaluation, for our reporting purposes, is carried out after the anonymization process. You can prevent Google’s possession, and use, of this information that is generated by the Cookie and concerns your activity on our Site (including your IP address), by  visiting Google’s Privacy Controls and update your settings.

Further information about Google’s terms of use, and privacy, options are available here:

English: https://policies.google.com/privacy?hl=en 

German: http://www.google.com/analytics/terms/de.html.

To opt-out of being tracked by Google Analytics across all websites, you may download the Google Analytics opt-out browser, here: http://tools.google.com/dlpage/gaoptout.  

HubSpot: We use HubSpot to report on, and manage, your activity on our Site. This service uses Cookies for tracking activity across our Site and to enable us to track marketing preferences. HubSpot enables us, among other things, to manage existing Clients and prospects. With HubSpot’s help, we can capture, sort, and analyze Client interactions via email, social media, or phone, across different channels. The Personal Information collected in this way can be evaluated, and used, for communication with the potential Client or for marketing measures (e.g., newsletter). In addition, HubSpot allows us functionality to allow users to opt-out of further communications.

For additional information, you can view the privacy policy of this service provider at https://legal.hubspot.com/privacy-policy.

More Information: If you have additional questions about Cookies, or how they work, we suggest consulting the “Help” section of your web browser or review the following website: https://www.aboutcookies.org, which offers guidance for all modern web browsers.

UBC provides a range of U.S.-based Services that may involve the Processing of Protected Health Information (“PHI”) as defined under HIPAA. For these Services, UBC complies with specific obligations and requirements outlined in its Clients’ service agreements, as detailed below:

• The Risk Evaluation and Mitigation Strategies (“REMS”):

REMS is a drug safety program that the U.S. Food and Drug Administration (“FDA”) can require for certain medications with serious safety concerns to help ensure the benefits of the medication outweigh its risks. UBC, along with its subsidiary Examoto, LLC, offers Services to support Clients in meeting REMS program requirements. As specified in Client service agreements, UBC does not qualify as a business associate or covered entity and Processes and uses PHI strictly in line with agreed-upon program enrollment forms. The collected PHI is used exclusively in accordance with FDA-regulated program requirements.

• Patient Access Services (“PAS”):

UBC’s PAS Services offers manufacturers assistance with reimbursement and access support, affordability solutions, and care coordination. This includes UBC’s subsidiary Market Share Movers, LLC, which offers additional assistance services and co-pay solutions. As specified in Client service agreements, UBC does not qualify as a business associate or covered entity and Processes and uses PHI strictly in line with agreed-upon program enrollment forms. PHI will be used as specified in those enrollment forms, and as agreed under a service agreement.

• UBC Pharmacy Division:

As outlined in Section 15 below, UBC operates as a Covered Entity (as defined under HIPAA) for its pharmacy-related Services, where PHI is collected to administer health-related Services. If PHI is used or disclosed from the Pharmacy Division to other UBC subsidiaries, these subsidiaries are regarded as business associates (as defined under HIPAA) and handle such transfers according to UBC’s intercompany data transfer agreement, which includes a business associate agreement.

For all Services where UBC is Processing PHI, it ensures the security of its Processing in accordance with Section 16 (Security) below. Additionally, and where relevant, UBC will support any accounting of disclosure requirements under HIPPA as outlined below under Section 15(C), 15 (D), and 15 (E) (In relation to women’s reproductive healthcare).

Under HIPAA, the United BioSource Pharmacy, LLC subsidiary of United BioSource LLC (“Pharmacy Division”), as standard and unless contracted otherwise, is considered a Covered Entity when it collects, discloses, stores, transmits, or uses PHI and electronic PHI (“ePHI”) (together, “PHI”), for administration of health-related Services. For those activities performed by the Pharmacy Division, including PHI collection, use and disclosure, Section 14 serves as the company’s Notice of Privacy Practices.

A. Our Responsibilities

UBC’s Pharmacy Division provides Services to manufacturers in connecting the manufacturers, and specialty pharmacies, with dispensing their drug or therapeutic. For these Services, the UBC Pharmacy Division collects, and uses, PHI from participating doctor’s offices or sites, who are responsible for enrolling patients in the relevant Client program. UBC then facilitates, and discloses, PHI to relevant specialty pharmacies to dispense the drug or therapeutic.  

Where the Pharmacy Division collects, uses, or Processes PHI, it will maintain the privacy, and security, of this information, as further described in this Privacy Notice, this Section related to HIPAA, and Section 16, Security, below. Additionally, we will let you know promptly if a breach occurs that may have compromised the privacy, or security, of your PHI.

B. PHI Uses and Disclosures

The following categories describe different ways in which we may use or disclose your PHI. The examples provided under the categories below are not intended to be comprehensive, but instead, to identify some of the more common PHI uses, and disclosures, within the relevant category.

1. For the purposes of treatment, payment, or healthcare operations.

• UBC contracts with manufacturers who will share PHI with UBC to facilitate the dispensing of drugs, or therapeutics, with specialty pharmacies, in conjunction with your physicians, and other healthcare professionals, for treatment purposes. We in turn disclose PHI to authorized healthcare professionals who need access to your prescriptions, or other relevant PHI, to provide you the relative drug or therapeutic.
• UBC does not receive payments from individuals, or facilitate payments, from health insurers for its Services. All such payments are facilitated by your healthcare provider or the manufacturer.
• Healthcare Operations. We may use, and disclose, your PHI for activities necessary to support our business, such as, but not limited to: performing quality verification or internal audits; and creation of limited data sets and de-identified health information.

2. Other Permitted Uses and Disclosures Without Your Authorization

UBC may also use, or disclose, PHI without your authorization for the following purposes, where relevant to our Services:

• When Required By Law. For example: for judicial and administrative proceedings under a court or administrative order or to report information related to victims of abuse, neglect, or domestic violence, where required by law to do so. Please note that for any treatment related to women’s reproductive health, the disclosure of such information will only be shared, as described under subsection (E) below.
• For Health and Safety Purposes. For example: to avert a serious threat to your health, or safety, or any other person; to an authorized public health authority, or individual, to perform public health and safety activities, such as preventing, or controlling, disease, injury, disability; or to meet the reporting and tracking requirements of governmental agencies, such as the FDA.
• For Law Enforcement, Specialized Government, or Regulatory Functions. For example: intelligence, national security activities, security clearance activities, and protection of public officials; and health oversight agencies for audits, examinations, investigations, inspections, and licensures.
• For Lawsuits, Disputes, and Other Legal Actions. For example: in connection with lawsuits or other legal proceedings, in response to a court or administrative order, or in response to a subpoena, warrant, summons, or other lawful process when certain requirements are met.
• To Business Associates. UBC Pharmacy may share information to other individuals or third parties, called “business associates,” such as UBC affiliates, consultants, subcontractors, or auditors, who help us with our business activities. If we share your PHI with business associates, they are required to maintain your PHI privacy and security.
• For Active Members of the Military and Veterans. For example: to comply with the laws, and regulations, governing military services and veterans’ affairs.
• For Workers’ Compensation. For example: to comply with the laws which provide benefits for work-related illnesses or injuries.
• In Emergency Situations. For example: to a family member, or close, personal friend, involved in your care in the event of an emergency, or to a disaster relief entity in the event of a disaster.
• To Others Involved in Your Care. For example: under limited circumstances, to a member of your family, a relative, a close friend, or other person you identify who is directly involved in your healthcare; bill payment related to your healthcare; or if you are seriously injured and unable to make a healthcare decision for yourself, we may disclose your PHI to a family member if we determine that disclosure is in your best interest. If you do not want this information to be shared, you may request that these disclosures be restricted as outlined later in this Notice.
• To Personal Representatives. For example: to people you have authorized to act on your behalf, or people who have a legal right to act on your behalf, such as parents for un-emancipated minors and individuals who have Power of Attorney for adults.
• For Research Purposes. For example: for research purposes to the extent that certain steps required by law are taken to protect your privacy.
• To Correctional Facilities. If you are an inmate in a correctional facility, for certain purposes, such as protecting your health and safety or that of others.

3. Any Other Uses and Disclosures Require Your Express Authorization

For any other PHI uses, and disclosures, not described in this Privacy Notice, including certain marketing activities or the sale of PHI, we will obtain your written authorization.  You may revoke your authorization, in writing, at any time.  If you revoke your authorization, we will no longer use or disclose your PHI, except to the extent we have acted in reliance on your authorization.

C. Your Rights under HIPAA

In addition to your rights outlined under Section 8, above, of this Privacy Notice, you may have additional rights under HIPAA regarding your PHI use and disclosure.  Please note, that UBC may need to collaborate with its Clients, healthcare professionals, and special pharmacies, to facilitate exercising your rights, which include the following:

D. Making a Request

If you wish to exercise any of your rights under HIPAA (outlined above), you may make your request to, or by another method, as specified under Section 8, Your Rights, above.

Timing. As standard, UBC will fulfil legitimate requests within thirty (30) days from receipt of the relevant request, as outlined under Section 8, Your Rights, above. However, HIPAA allows for up to 60 days, and additional time may be warranted due to the relevant request.

Fees. For HIPAA requests, e.g., accounting of disclosures, these requests will be free of charge within a single twelve (12) month period.  For multiple requests within a twelve (12) month period, UBC reserves the right to charge a reasonable, cost-based fee for each additional request (by the same individual) made within the relevant twelve (12) month period. You will be notified before any charge is applied and can withdraw, or modify, your request.

E. Women’s Reproductive Healthcare

The Final Rule

The HIPAA Privacy Rule, as amended by the Final Rule to Support Reproductive Health Care Privacy (2024), establishes requirements for covered entities, and business associates, on using, or disclosing, an individual’s PHI for the purpose of:

• Investigations: Criminal, civil, or administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating women’s reproductive healthcare;
• Imposing liability: Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare; and
• Identification: Identifying any person for any purpose described above.

Determination

UBC, in alignment with the Final Rule, will not release a female’s PHI unless, by a reasonable determination, it has concluded: (1) women’s reproductive healthcare is lawful in the state in which it is provided; (2) the care is protected, required or authorized by federal law, such as Emergency Medical Treatment and Active Labor Act (“EMTALA”) or the U.S. Constitution; or (3) the care was provided by someone other than the recipient of the request. Lawfulness is presumed unless the request recipient has actual knowledge that it is not lawful, or the requestor demonstrates unlawfulness.

Examples

For example, UBC may receive information related to a female’s reproductive status that suggests the person obtained an abortion or took medication to end a pregnancy. For U.S. States that have a law against this act (i.e., there is a law that prohibits abortion after six (6) weeks of pregnancy but does not require the hospital to report individuals to law enforcement, where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission). Under this example, the PHI disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to the U.S. Department of Health and Human Services (“HHS”) and the individual affected.

In the unlikely event, a law enforcement official presents a court order requiring the PHI disclosure of a person who has obtained an abortion, because a court order is enforceable in a court of law, the Privacy Rule would permit, but not require us to disclose the requested PHI. In this case, UBC may have a legal obligation to disclose information, but only the PHI expressly authorized by the court order.

Attestations

Additionally, disclosures for non-health purposes, under HIPAA, such as healthcare oversight activities, including payer audits, judicial and administrative proceedings (court order, subpoena, or government regulatory investigation), disclosures for law enforcement, coroners and medical examiners, would require an attestation. UBC will obtain a signed written attestation from the person requesting the PHI, who is required to attest that the PHI being requested will not be used or disclosed for a prohibited purpose and meets the requirements under the HIPAA Privacy Rule and Final Rule.

Complaints

If you believe that your (or someone else’s) healthcare privacy rights have been violated, you may visit the Office for Civil Rights (“OCR”) complaint portal at: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf, to file a complaint online.

We have implemented reasonable security measures designed to prevent Personal Information loss, misuse, unauthorized access, disclosure, or modification for any information we Process as described in this Privacy Notice. This includes, where relevant, alignment to security measures required under relevant Data Protection Laws, and other laws and regulations, including the EU Network and Information Security Directive 2 2022/2555 (“NIS2”); the EU Cyber Resilience Act (“CRA”); and the EU Critical Entities Resilience Act 2022/2557 (“CER”).

Additionally, UBC utilizes pseudonymization for many of its clinical trial Services, and for Services that are limited to the U.S. market, such as its risk evaluation and mitigation strategy (“REMS”) programs, and patient access services (“PAS”) programs, Processing activities will incorporate a tokenization process designed to replace patient participants’ identifiable, or sensitive Personal Information, with an encrypted “token” that limits the ability to reverse engineer the relevant underlying patient information or identity. 

Please keep in mind that it is not possible to achieve a perfect state of data security. Although we use reasonable security measures to protect your Personal Information from unauthorized access, we cannot absolutely guarantee the security of your Personal Information or that your Personal Information will not be accessed, disclosed, altered, or destroyed. Where relevant, we will notify you of any disclosure of a breach of your unencrypted, electronically stored Personal Information, as required by Data Protection Laws. If the country in which you reside allows us to notify you of a breach, either by email or a clear posting on our Site, you agree to accept the notice in that format.

We use Personal Information as outlined, and described, in this Privacy Notice. However, from time-to-time, we may, at our discretion, modify this Privacy Notice, indicated by a new revision date at the top of the notice. It is important that you check this Privacy Notice when you visit our Site. Your use of our Site, and your continued use of our Site after this Privacy Notice has been updated, indicates your agreement, and acceptance, of this Privacy Notice, including the modifications made as of the date of your use.

If you have a question about this Privacy Notice, UBC’s data protection practices/procedures, Personal Information use, would like to access this Privacy Notice in an alternative format, you can contact our Data Privacy office at: privacy@ubc.com, or write to us at: