Orion EMR — Acceptable Use Policy
Effective Date: 25 May 2026
Last Updated: 25 May 2026
Operated by: Orionhms — [REGISTERED LEGAL ENTITY NAME AND NUMBER]
1. Purpose and Scope
This Acceptable Use Policy ("AUP") sets out the rules that govern use of the Orion EMR platform ("Platform" or "Service"). It applies to every Customer, Authorised User, and any other person who accesses or interacts with the Platform.
This AUP is incorporated by reference into the Orion EMR Terms of Service. Capitalised terms have the meaning given in those Terms. A violation of this AUP constitutes a material breach of the Terms of Service and may result in suspension, termination, and other remedies set out below.
This AUP is intended to:
- protect the integrity, security, and availability of the Platform
- protect the rights of Patients, Authorised Users, Customers, and third parties
- ensure that the Platform is used only for lawful clinical and operational purposes
- support compliance with the laws of the United Arab Emirates and any other applicable jurisdiction
2. General Principles
You must use the Platform only in a manner that is:
- Lawful: in compliance with the laws and regulations of the UAE (including all emirate-level laws applicable to your operations) and any other jurisdiction whose laws apply to you or your Patients
- Professional: consistent with the ethical standards of your healthcare profession and the rules of the regulators that license your facility and practitioners (including but not limited to DHA, DoH, MoHAP, and the Ministry of Community Development where applicable)
- Authorised: within the scope of the access rights granted to you by your Customer and the role assigned to you on the Platform
- Secure: in a way that protects the credentials, devices, and connections used to access the Platform
- Respectful: with due regard for the rights, dignity, privacy, and safety of Patients and other persons whose data is processed through the Platform
3. Prohibited Activities — General
You must not, and must not permit, assist, or encourage any third party to:
3.1 Unlawful or harmful use
- use the Platform to violate any applicable law, regulation, court order, or third-party right
- use the Platform to engage in or facilitate fraud, theft, harassment, defamation, money laundering, terrorism financing, or any other illegal activity
- use the Platform to generate, store, transmit, or display content that is unlawful, threatening, defamatory, obscene, hateful, discriminatory, or otherwise objectionable under UAE law
3.2 Platform integrity and security
- attempt to gain unauthorised access to any part of the Platform, any other Customer's account or data, or any underlying system or network
- probe, scan, test the vulnerability of, or breach the security or authentication measures of the Platform, except under a written security testing agreement with Orion
- introduce viruses, worms, trojans, ransomware, spyware, or any other malicious code or harmful component
- conduct denial-of-service or distributed-denial-of-service attacks against the Platform or any user
- interfere with, disrupt, overload, or impair the operation of the Platform or the experience of other users
- circumvent or attempt to circumvent any rate limit, throttle, quota, authentication mechanism, audit log, or access control
- decompile, disassemble, reverse engineer, or attempt to derive source code, internal logic, or non-public functioning of the Platform except to the extent expressly permitted by mandatory applicable law
- use any robot, scraper, bot, automated agent, or similar means to extract data from the Platform other than through documented APIs and within published rate limits
3.3 Misuse of the Service
- use the Platform to operate a competing service or to assist any third party in developing a competing service
- resell, rent, lease, sub-license, or otherwise commercially exploit the Platform without Orion's prior written consent
- impersonate any person or entity, or misrepresent your affiliation with any person or entity
- create false, misleading, or pseudonymous accounts
- share Authorised User credentials between individuals, including between members of the same household, team, or organisation — each Authorised User must access the Platform under their own uniquely identified account
- use the Platform in connection with high-risk activities for which the Platform is not designed (e.g., as a real-time life-support or critical-care decision system without independent clinical verification)
3.4 Spam and abuse of communications features
- use the Platform to send spam, chain letters, pyramid schemes, or other unsolicited bulk messages
- harvest or collect email addresses, phone numbers, or other contact information for unauthorised purposes
- use any messaging features of the Platform to harass, threaten, or defraud Patients, Authorised Users, or third parties
4. Prohibited Activities — Healthcare-Specific
In recognition of the sensitive nature of the data and workflows handled by the Platform, the following healthcare-specific restrictions apply.
4.1 Data integrity and clinical accuracy
You must not:
- knowingly enter, modify, or delete clinical records in a manner that misrepresents the care actually delivered to a Patient
- falsify, fabricate, or backdate clinical records, prescriptions, lab results, billing entries, or any other data
- alter another user's audit trail or attempt to evade or interfere with the Platform's audit logging
- delete or attempt to delete clinical records contrary to applicable medical record retention requirements
- use the Platform to issue prescriptions other than for legitimate clinical purposes within the prescribing professional's scope of practice and licensure
4.2 Authorisation and access boundaries
You must not:
- access a Patient's record outside the scope of your professional involvement in that Patient's care, except as expressly permitted by your Customer's role design and applicable law
- view, copy, transmit, screen-record, photograph, or otherwise extract clinical records other than for a legitimate clinical, operational, or legally mandated purpose
- share, disclose, or publish identifiable Patient information except as permitted by applicable law and Customer policy
4.3 Regulatory submissions
You must not:
- knowingly submit false, misleading, or incomplete data to NABIDH, Malaffi, Riyati, or any other regulatory exchange through the Platform
- use the Platform to obstruct, manipulate, or game any regulatory submission, audit, or inspection process
4.4 Insurance, billing, and financial workflows
You must not:
- generate, submit, or alter insurance claims that are inaccurate, fraudulent, or unsupported by the underlying clinical encounter
- "upcode" services, bill for services not rendered, double-bill, or otherwise misuse the billing functions of the Platform
- represent to insurers, regulators, or other third parties that records produced by the Platform meet any quality, accuracy, or completeness standard that they do not in fact meet
4.5 Use of Patient data for non-clinical purposes
You must not use Patient personal data accessed through the Platform for:
- marketing, advertising, or solicitation purposes without specific, freely given, informed consent from the Patient
- research, training, or analysis without lawful basis, including any required Patient consent and ethical clearance
- any purpose unrelated to the clinical, operational, or regulatory functions for which the Customer has authorised processing
4.6 AI, automation, and clinical decision support
To the extent the Platform offers or integrates AI-assisted features, automated suggestions, or clinical decision support, those features are aids only. You must not:
- rely on any automated suggestion as a substitute for independent clinical judgement
- represent or document any clinical decision as having been made by the Platform rather than by a qualified, licensed clinician
- disable, override, or interfere with any safety guardrail or warning surfaced by the Platform without documenting the clinical rationale
5. Account Security Obligations
You are responsible for safeguarding access to the Platform. You must:
- choose strong, unique passwords that comply with the Platform's password requirements
- maintain the confidentiality of your credentials and never share them with any other person, including colleagues, supervisors, IT staff, or vendors
- enable and maintain multi-factor authentication where required or available
- log out of the Platform when leaving an unattended device, particularly in shared clinical environments
- use only devices and networks that are reasonably secure and that comply with your Customer's internal policies
- never store credentials in browsers, mobile apps, or password managers that are shared with other users
- promptly notify your Customer's administrator and Orion at customercare@orionhms.com if you become aware of, or suspect, any of the following:
  - your credentials have been lost, stolen, or accessed by an unauthorised person
  - any unauthorised access to or use of your account has occurred or may have occurred
  - any other security incident affecting the Platform has occurred
Customer administrators are responsible for:
- issuing accounts only to authorised personnel
- assigning the least permissions required for each user's role
- promptly disabling accounts when a user leaves the Customer's organisation or changes role
- periodically reviewing user access and permissions
6. Content Standards for Customer Data
Customer Data, including any free-text fields, attachments, messages, and uploaded documents, must:
- be accurate and entered in good faith
- relate to a legitimate clinical, operational, or regulatory purpose
- comply with the laws of the UAE, including (where applicable) prohibitions on materials that violate public morality, that defame any person, or that are otherwise unlawful
- not include credentials, payment card data, or other sensitive information of third parties that is not necessary for clinical or operational purposes
- not infringe the intellectual property, privacy, publicity, or other rights of any third party
You must not upload content that you know or reasonably should know is unlawful or that you have no lawful basis to upload.
7. Use of APIs and Integrations
If you use the Platform's APIs or integrate the Platform with other systems, you must:
- comply with the API documentation, including authentication, rate limit, and usage restrictions
- not use APIs to extract bulk data in a manner inconsistent with reasonable internal-use needs
- not use APIs to build a competing service or to assist any third party in doing so
- ensure that any integrated third-party system is itself compliant with applicable data protection and health-information laws
- ensure that data exported from the Platform via API continues to be protected with security measures no less stringent than those applied on the Platform
8. Reporting Violations and Concerns
If you become aware of a violation of this AUP, including any security vulnerability, suspected unauthorised access, suspected fraud, or misuse of Patient data, please report it promptly:
- Security incidents and vulnerabilities: customercare@orionhms.com
- General concerns and complaints: customercare@orionhms.com
- Privacy concerns: customercare@orionhms.com
We treat security and abuse reports confidentially and will not retaliate against good-faith reporters.
9. Investigation and Cooperation
Orion reserves the right to investigate suspected violations of this AUP. In support of an investigation, Orion may:
- review system logs, audit trails, and metadata
- contact the Customer's designated administrator
- request information and cooperation from Authorised Users involved
- engage external security or legal advisors under appropriate confidentiality
- preserve, copy, or quarantine relevant data as needed to investigate or comply with legal requirements
- cooperate with law enforcement, regulators, and other competent authorities, including in response to lawful requests, subpoenas, or court orders
Customer and Authorised Users agree to cooperate reasonably with such investigations.
10. Enforcement and Consequences
A violation of this AUP may result in any of the following, alone or in combination, at Orion's discretion and as the circumstances warrant:
- a warning and request to remediate
- temporary or permanent suspension of the offending Authorised User's account
- temporary or permanent suspension of the Customer's account
- removal or quarantine of offending content or data
- termination of the Customer's Subscription for cause under the Terms of Service
- reporting to regulators, professional licensing bodies, law enforcement, or other authorities
- legal action to recover damages and to enforce these Terms
The severity of the response will be proportionate to the violation, but Orion may take immediate action without prior notice where necessary to:
- prevent imminent harm to Patients, Customers, the Platform, or third parties
- comply with a legal or regulatory obligation
- respond to a serious security threat
Where appropriate and lawful, Orion will give Customer or the Authorised User an opportunity to respond before taking action.
11. Customer Responsibility for Authorised Users
Customer is responsible for the acts and omissions of its Authorised Users in their use of the Platform. Customer must:
- communicate the rules of this AUP to its Authorised Users
- enforce equivalent or stricter internal rules where required by Customer's regulator or internal policy
- take appropriate disciplinary or administrative action when Customer learns of a violation by an Authorised User
- support Orion in any investigation reasonably required
12. Changes to This AUP
Orion may update this AUP from time to time. Material changes will be notified through the Platform, by email to Customer administrators, or on the Orion website at least thirty (30) days before they take effect, except where a shorter notice period is required by law or a regulator, or is needed to address an urgent security or compliance need.
Continued use of the Platform after the effective date of a change constitutes acceptance of the updated AUP.
13. Contact
Orionhms
[REGISTERED OFFICE ADDRESS, UAE]
General: customercare@orionhms.com
Security: customercare@orionhms.com
Privacy: customercare@orionhms.com
Legal: customercare@orionhms.com
[END OF ACCEPTABLE USE POLICY]