Bridge MD AI
HIPAA Compliance

Built for healthcare. Designed around compliance from the ground up.

Bridge MD AI is purpose-built for specialty medical practices. This page explains how we approach HIPAA compliance, protect Protected Health Information (PHI), and fulfill our obligations as your Business Associate.

Last Updated: March 2026
Jurisdiction: United States — Federal
Regulation: 45 CFR Parts 160 & 164
BAA Available
Encrypted in Transit & At Rest
Minimum Necessary Standard
Audit Logging
Breach Notification Ready

Table of Contents

  1. What Is HIPAA?
  2. Our Role as a Business Associate
  3. Business Associate Agreement (BAA)
  4. What Is Protected Health Information?
  5. How We Use & Disclose PHI
  6. Technical Safeguards
  7. Administrative Safeguards
  8. Physical Safeguards
  9. Breach Notification
  10. Your Responsibilities as a Covered Entity
  11. Patient Rights
  12. Contact & BAA Requests

01

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with its implementing regulations under 45 CFR Parts 160 and 164, establishes national standards for the protection of individuals' medical records and other identifiable health information.

HIPAA includes three key rules relevant to our platform:

  • Privacy Rule — Governs how Protected Health Information (PHI) may be used and disclosed
  • Security Rule — Establishes standards for safeguarding electronic PHI (ePHI) through administrative, physical, and technical controls
  • Breach Notification Rule — Requires notification to affected individuals, HHS, and in some cases the media, when unsecured PHI is breached
Bridge MD AI is designed to support Covered Entities in meeting their HIPAA obligations. However, each practice remains independently responsible for its own HIPAA compliance program.

02

Our Role as a Business Associate

Under HIPAA, a Business Associate is any entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity to perform a service. Bridge MD AI qualifies as a Business Associate because our platform processes patient referral documents, clinical records, and other PHI as part of delivering our services to your practice.

As your Business Associate, we are directly subject to HIPAA's Security Rule requirements and the applicable provisions of the Privacy Rule. This means we are legally obligated — not just contractually — to protect the PHI we handle.

A Business Associate Agreement (BAA) must be executed before any PHI is transmitted through Bridge MD AI. We will not knowingly accept PHI without a signed BAA in place.

03

Business Associate Agreement (BAA)

A Business Associate Agreement is a written contract required by HIPAA that defines how PHI may be used and disclosed by Bridge MD AI on your behalf, and establishes the safeguards we agree to maintain.

Our BAA covers:

  • Permitted uses and disclosures of PHI — limited to providing the contracted services
  • Prohibition on selling or using PHI for unauthorized purposes
  • Subcontractor obligations — any vendor we use that touches PHI signs their own BAA
  • Individual rights support — we help you respond to patient access and amendment requests
  • Breach reporting timelines and notification procedures
  • Return or destruction of PHI upon termination of services

To request a BAA or ask questions about our agreement, contact us at hello@bridgemdai.com.

04

What Is Protected Health Information?

Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. This includes information related to:

  • An individual's past, present, or future physical or mental health condition
  • The provision of healthcare to an individual
  • Past, present, or future payment for the provision of healthcare

PHI includes 18 HIPAA-defined identifiers such as name, date of birth, address, phone number, Social Security number, medical record number, health plan beneficiary number, and more — even when they appear in faxes, referral documents, or clinical notes.

Do not transmit PHI through our public website contact form. PHI should only be transmitted through your provisioned Bridge MD AI platform environment after your BAA is signed and your secure channels are configured.

05

How We Use & Disclose PHI

Bridge MD AI uses and discloses PHI only as permitted under your BAA and HIPAA. Specifically:

  • To provide services — Processing referral documents, extracting structured data, matching patients, and filing to your EMR as directed by your practice
  • For operations — Internal system logging, quality review, and technical support necessary to maintain platform performance
  • As required by law — We will disclose PHI when required by a valid legal process, court order, or regulatory authority
  • To subcontractors — Only to vendors who have signed a BAA and are bound by equivalent protections

We apply the Minimum Necessary Standard — we access only the PHI required to perform the specific task at hand, and we do not use PHI for marketing, advertising, or any purpose beyond delivering contracted services.

06

Technical Safeguards

We implement technical controls designed to protect electronic PHI (ePHI) in accordance with the HIPAA Security Rule:

Encryption

All ePHI is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.

Access Controls

Role-based access with unique user IDs, least-privilege permissions, and session timeouts.

Audit Logs

Immutable audit trails record all access to and modifications of PHI with timestamps and user attribution.

Automatic Logoff

Inactive sessions are automatically terminated to prevent unauthorized access to unattended workstations.

Integrity Controls

Mechanisms to detect unauthorized alteration or destruction of ePHI during storage and transmission.

Transmission Security

Secure network protocols protect ePHI against interception while in transit, and certificate-based authentication ensures it is sent only to verified endpoints.
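The audit log and integrity controls listed above both depend on being able to detect alteration of the log itself. The following is an added illustration of one way to provide that property, not Bridge MD AI's own code: an append-only log in which each entry carries an HMAC-SHA256 tag over its fields plus the previous entry's tag, so editing, reordering or deleting an entry inside the chain breaks verification. The key, field names, user IDs and sample events are constructed for the example.

```python
"""Tamper-evident audit trail for PHI access events.

Added illustration, not Bridge MD AI's implementation. Each entry records
who touched which record and when, and carries an HMAC over its own
fields plus the previous entry's tag, so any edit, insertion or deletion
inside the chain is detected. The key and sample events are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_TAG = "0" * 64  # Chain anchor for the first entry (assumption)


def _canonical(fields: dict) -> bytes:
    # Stable serialization so the same fields always yield the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only list of entries chained by HMAC-SHA256."""

    def __init__(self, key: bytes):
        # The key should live with the logging service, not with the app
        # that writes events: an attacker who can rewrite stored entries
        # but lacks the key cannot recompute valid tags.
        self._key = key
        self.entries: List[dict] = []

    def record(self, user_id: str, action: str, resource_id: str,
               ts: Optional[str] = None) -> dict:
        """Append one event with timestamp and user attribution."""
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "resource": resource_id,
            "prev": prev,
        }
        entry["tag"] = hmac.new(self._key, _canonical(entry),
                                hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain; return (ok, index of first bad entry or count)."""
        prev = GENESIS_TAG
        for i, entry in enumerate(self.entries):
            if entry.get("prev") != prev:
                return False, i  # An entry was removed or reordered here
            body = {k: v for k, v in entry.items() if k != "tag"}
            expected = hmac.new(self._key, _canonical(body),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("tag", "")):
                return False, i  # Entry contents were altered
            prev = entry["tag"]
        # Truncation of the tail is only detectable if the latest tag is
        # also stored somewhere the attacker cannot reach.
        return True, len(self.entries)


def demo() -> dict:
    """Build a small log, then show an edit and a deletion being caught."""
    key = b"example-hmac-key-held-by-logging-service"  # constructed
    log = AuditLog(key)
    log.record("dr_smith", "VIEW", "referral-1001", "2026-03-02T14:00:00+00:00")
    log.record("dr_smith", "EDIT", "referral-1001", "2026-03-02T14:05:00+00:00")
    log.record("ma_jones", "VIEW", "referral-1002", "2026-03-02T14:07:00+00:00")
    intact = log.verify()

    # Attacker rewrites the second entry to hide who edited the record.
    log.entries[1]["user"] = "unknown"
    edited = log.verify()
    log.entries[1]["user"] = "dr_smith"  # restore

    # Attacker deletes the second entry entirely.
    removed = log.entries.pop(1)
    deleted = log.verify()
    log.entries.insert(1, removed)

    return {"intact": intact, "edited": edited, "deleted": deleted,
            "head_tag": log.entries[-1]["tag"]}


if __name__ == "__main__":
    print(demo())
```

Two practical notes: the HMAC key must be held by a component the application servers cannot read, otherwise a compromised server can rewrite history and re-tag it; and because a chain only proves its interior, the latest tag should be periodically copied to a separate, write-once store so that silent truncation of the most recent entries is also caught.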

07

Administrative Safeguards

Administrative safeguards are the policies and procedures that govern how we manage PHI across our organization:

  • Designated Privacy and Security Officer responsible for compliance oversight
  • HIPAA training required for all employees with access to PHI
  • Written security policies and procedures reviewed and updated regularly
  • Risk analysis and risk management program to identify and mitigate threats to ePHI
  • Sanctions policy for workforce members who violate security policies
  • Workforce clearance and access authorization procedures
  • Incident response and reporting procedures for security incidents
  • Contingency planning including data backup and disaster recovery

08

Physical Safeguards

Physical safeguards protect the physical systems and locations where ePHI is stored or accessed:

  • Platform infrastructure hosted in SOC 2-audited cloud environments with restricted physical access
  • Workstation use policies governing access to ePHI from employee devices
  • Device and media controls including secure disposal of hardware containing ePHI
  • Facility access controls at data center locations operated by our infrastructure providers

09

Breach Notification

In the event of a suspected or confirmed breach of unsecured PHI, Bridge MD AI will:

  • Investigate the incident promptly and assess scope and impact
  • Notify your practice (the Covered Entity) without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, as the HIPAA Breach Notification Rule requires; in practice we aim to notify as soon as reasonably possible
  • Provide the information required by HIPAA including the nature of the breach, the PHI involved, steps taken to investigate, and recommended actions
  • Cooperate fully with your notification obligations to affected patients and the Department of Health and Human Services (HHS)

As the Covered Entity, your practice is responsible for notifying affected individuals, HHS, and, where the Rule requires it, the media. Bridge MD AI will provide all documentation and support needed to complete those notifications.

To report a potential security incident, contact us immediately at hello@bridgemdai.com with "SECURITY INCIDENT" in the subject line.

10

Your Responsibilities as a Covered Entity

While Bridge MD AI maintains robust safeguards as your Business Associate, your practice retains certain responsibilities under HIPAA:

  • Execute a signed BAA with Bridge MD AI before transmitting any PHI
  • Ensure your staff are trained on your organization's HIPAA policies and on appropriate use of our platform
  • Provide patients with a Notice of Privacy Practices as required by the HIPAA Privacy Rule
  • Manage patient rights requests — access, amendment, restriction, and accounting of disclosures
  • Notify Bridge MD AI promptly if you become aware of a breach or security incident involving our platform
  • Only transmit the minimum necessary PHI required to accomplish the intended workflow
  • Maintain your own HIPAA risk analysis and compliance program independent of our platform

11

Patient Rights

HIPAA grants patients specific rights regarding their health information. As a Business Associate, Bridge MD AI supports your practice in honoring these rights. Patients have the right to:

  • Access — Inspect and obtain a copy of their PHI held by your practice
  • Amendment — Request corrections to inaccurate or incomplete PHI
  • Accounting of Disclosures — Receive a list of certain disclosures of their PHI
  • Restriction Requests — Request limits on how their PHI is used or disclosed
  • Confidential Communications — Request to receive communications through alternative means or locations

Patient rights requests should be directed to your practice. Bridge MD AI will assist your team in locating and producing relevant records from our platform when needed.

12

Contact & BAA Requests

For all HIPAA-related inquiries including BAA requests, compliance questions, security incidents, or patient rights support, contact us at:

  • Email: hello@bridgemdai.com — use subject line "HIPAA / BAA Request"
  • Company: Bridge MD AI
  • Location: Houston, Texas, United States

Need a BAA or HIPAA documentation?

Our team can help with Business Associate Agreement requests, compliance questions, and secure onboarding guidance for your practice.

AI-powered referral operations for specialty medical practices. Unifying data streams to connect traditional communication channels directly to your digital core.

© 2026 Bridge MD AI. All rights reserved.
