HIPAA Compliance

Hoss Care maintains comprehensive compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all applicable federal and state regulations governing the protection of Protected Health Information (PHI).

Effective Date: May 1, 2026 · Last Reviewed: May 9, 2026

AES-256 Encryption

All ePHI encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys managed via HSM with automatic rotation.

Role-Based Access

Granular RBAC with least-privilege enforcement. MFA required for all PHI access. Automatic session termination after inactivity.

Immutable Audit Logs

Tamper-evident logging of all PHI access, modifications, and disclosures. Retained for a minimum of 6 years per 45 CFR § 164.530(j).

SOC 2 Type II

Annual SOC 2 Type II attestation covering security, availability, and confidentiality. Reports available under NDA.

Workforce Training

All workforce members complete HIPAA training at hire and annually. Role-specific training for those handling PHI.

Incident Response

24/7 security monitoring with defined incident response procedures. Breach notification within required timelines.

BAA Execution

We execute Business Associate Agreements with all Covered Entities and require BAAs from all downstream subcontractors.

Continuous Monitoring

Automated vulnerability scanning, annual penetration testing, and continuous compliance monitoring against NIST 800-66.

1. Scope and Applicability

This HIPAA Compliance Notice applies to all services provided by Hoss Care (“Company,” “we,” “us,” or “our”) that involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI) on behalf of Covered Entities and their Business Associates. This includes our remote patient monitoring (RPM), chronic care management (CCM), behavioral health integration (BHI), and all related clinical workflow services delivered through the Hoss Care platform.

This notice describes how we comply with the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the Breach Notification Rule (45 CFR §§ 164.400–414), as amended by the HITECH Act (Public Law 111-5, Title XIII).

2. Definitions

  • Protected Health Information (PHI) — Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
  • Electronic Protected Health Information (ePHI) — PHI that is transmitted by or maintained in electronic media.
  • Covered Entity — A health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form, as defined in 45 CFR § 160.103.
  • Business Associate — A person or entity that performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involves access to PHI, as defined in 45 CFR § 160.103.
  • Designated Record Set — A group of records maintained by or for a Covered Entity used to make decisions about individuals, including medical and billing records.
  • Unsecured PHI — PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of technologies specified in HHS guidance (encryption or destruction).
  • Security Incident — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations, per 45 CFR § 164.304.

3. Our Role as Business Associate

Hoss Care operates as a Business Associate under HIPAA. We create, receive, maintain, and transmit PHI on behalf of Covered Entities (healthcare providers and health plans) as part of delivering our platform services. Our obligations are governed by:

  • 45 CFR § 164.502(e) — Uses and disclosures by Business Associates
  • 45 CFR § 164.504(e) — Business Associate contract requirements
  • 45 CFR § 164.308(b) — Business Associate contracts and other arrangements
  • HITECH Act § 13401 — Application of security provisions to Business Associates
  • HITECH Act § 13404 — Application of knowledge elements to Business Associates

We also process PHI directly within self-service tools provided to healthcare professionals. In all capacities, we apply the full scope of HIPAA Privacy, Security, and Breach Notification requirements to our operations.

4. Privacy Rule Compliance

We comply with the HIPAA Privacy Rule by implementing the following controls:

  • Minimum Necessary Standard — We limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose (45 CFR § 164.502(b)).
  • Permitted Uses and Disclosures — PHI is used and disclosed only as permitted by our BAA with the Covered Entity, for treatment, payment, or healthcare operations, or as required by law.
  • De-identification — When PHI is used for analytics or product improvement, it is de-identified in accordance with 45 CFR § 164.514(a)–(c) using either Safe Harbor or Expert Determination methods.
  • No Sale of PHI — We do not sell PHI as defined under HITECH Act § 13405(d) and will not do so without valid authorization from the individual.
  • Marketing Restrictions — PHI is never used for marketing purposes without individual authorization as required by 45 CFR § 164.508(a)(3).

5. Security Rule Compliance

5.1 Administrative Safeguards (45 CFR § 164.308)

  • Designated HIPAA Privacy Officer and Security Officer
  • Comprehensive Security Management Process including annual risk analysis per 45 CFR § 164.308(a)(1)(ii)(A)
  • Documented sanction policy for workforce violations
  • Regular review of information system activity (audit logs, access reports)
  • Role-based access management with formal authorization procedures
  • Security awareness and training program (initial and annual recertification)
  • Documented contingency plan including data backup, disaster recovery, and emergency mode operations
  • Annual evaluation of security policies and procedures
  • Business Associate contract management for all subcontractors with PHI access

5.2 Physical Safeguards (45 CFR § 164.310)

  • Facility access controls with badge-based entry, visitor logs, and 24/7 security monitoring
  • Workstation use policies defining appropriate physical access and positioning
  • Workstation security including screen locks, full-disk encryption, and endpoint detection
  • Device and media controls for hardware and electronic media lifecycle (disposal, re-use, accountability, data backup)
  • Cloud infrastructure hosted in SOC 2 Type II certified data centers with physical access restricted to authorized personnel

5.3 Technical Safeguards (45 CFR § 164.312)

  • Access Control — Unique user identification, emergency access procedures, automatic logoff (15-minute timeout), and AES-256 encryption/decryption
  • Audit Controls — Hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI
  • Integrity Controls — Electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner (checksums, version control, immutable logs)
  • Authentication — Multi-factor authentication (MFA) required for all users accessing ePHI. SSO integration with SAML 2.0/OIDC support
  • Transmission Security — TLS 1.3 for all data in transit. Certificate pinning for mobile applications. VPN or private connectivity options for enterprise customers

6. Breach Notification Rule (45 CFR §§ 164.400–414)

In the event of a breach of Unsecured PHI, Hoss Care will:

  • Notify Covered Entity — Without unreasonable delay and no later than thirty (30) days after discovery of the breach, we will notify the affected Covered Entity, providing: identification of individuals affected, description of the types of information involved, recommended steps for individuals to protect themselves, description of our investigation and mitigation actions, and contact procedures.
  • Risk Assessment — We conduct a four-factor risk assessment per 45 CFR § 164.402(2) to determine whether a breach has occurred, evaluating: (i) the nature and extent of PHI involved, (ii) the unauthorized person who used or received the PHI, (iii) whether PHI was actually acquired or viewed, and (iv) the extent to which risk has been mitigated.
  • Documentation — All suspected and confirmed breaches are documented with investigation findings, risk assessment results, and mitigation actions, retained for a minimum of six (6) years.
  • Cooperation — We cooperate fully with Covered Entities in their notification obligations to affected individuals (within 60 days) and to HHS.
  • Law Enforcement Delay — Notification may be delayed if requested by law enforcement pursuant to 45 CFR § 164.412.

7. Individual Rights

We support Covered Entities in fulfilling individual rights under the HIPAA Privacy Rule. Where directed by the Covered Entity or as required by applicable law, we facilitate the following:

  • Right of Access (45 CFR § 164.524) — Provide access to PHI in the Designated Record Set within 30 days of request, in the format requested if readily producible.
  • Right to Amendment (45 CFR § 164.526) — Process requests to amend PHI and append amendments or statements of disagreement as directed.
  • Right to Accounting of Disclosures (45 CFR § 164.528) — Maintain records of disclosures and provide accounting for the six-year period preceding the request.
  • Right to Request Restrictions (45 CFR § 164.522(a)) — Support implementation of agreed-upon restrictions on uses and disclosures.
  • Right to Confidential Communications (45 CFR § 164.522(b)) — Accommodate reasonable requests for alternative communication methods or locations.
  • Right to Receive Notice of Breach (45 CFR § 164.404) — Support timely notification to individuals affected by breaches of Unsecured PHI.

8. Subcontractor Obligations

Pursuant to 45 CFR § 164.502(e)(1)(ii) and HITECH Act § 13401, Hoss Care requires all subcontractors that create, receive, maintain, or transmit PHI on our behalf to enter into Business Associate Agreements that impose the same restrictions, conditions, and requirements that apply to us. We maintain a current inventory of all subcontractors with PHI access, conduct due diligence assessments prior to engagement, and monitor ongoing compliance. Subcontractors are required to report security incidents and breaches to us within twenty-four (24) hours of discovery.

9. Data Retention and Disposal

  • Retention Period — PHI is retained for the period specified in the applicable BAA or, absent specific terms, for six (6) years from the date of creation or last effective date, consistent with 45 CFR § 164.530(j) documentation requirements.
  • Disposal — Upon termination of a BAA or expiration of retention periods, PHI is returned or destroyed in accordance with 45 CFR § 164.504(e)(2)(ii)(J). Destruction methods include NIST SP 800-88 compliant media sanitization (cryptographic erasure for encrypted data, degaussing or physical destruction for hardware).
  • Certification — Upon request, we provide written certification of PHI destruction to the applicable Covered Entity.

10. Incident Response

Our incident response program follows NIST SP 800-61 methodology:

  • Detection and Analysis — 24/7 security operations center (SOC) monitoring with automated alerting. Initial triage within one (1) hour of detection.
  • Containment — Immediate containment actions to prevent further unauthorized access. Short-term containment within four (4) hours; long-term containment within twenty-four (24) hours.
  • Eradication and Recovery — Root cause elimination, system hardening, and verified restoration from known-good backups.
  • Post-Incident Activity — Lessons-learned review within fourteen (14) days. Policy and control updates as necessary. Reporting to affected Covered Entities per Section 6 above.

11. Certifications and Assessments

  • SOC 2 Type II — Annual third-party attestation covering Security, Availability, and Confidentiality Trust Service Criteria. Reports available under NDA.
  • Penetration Testing — Annual third-party penetration testing of infrastructure and application layers. Remediation of critical and high findings within defined SLA timelines.
  • Vulnerability Management — Continuous automated vulnerability scanning with critical vulnerabilities addressed within 24 hours, high within 7 days, medium within 30 days.
  • HIPAA Risk Analysis — Annual comprehensive risk analysis per 45 CFR § 164.308(a)(1)(ii)(A) with documented risk management plan.
  • Business Continuity — Documented and tested disaster recovery with Recovery Time Objective (RTO) and Recovery Point Objective (RPO) commitments defined in service agreements.

12. State Law Preemption

Where state laws provide greater privacy protections than HIPAA or are not preempted under 45 CFR § 160.203, we comply with the more stringent requirement. This includes, but is not limited to, state breach notification laws with shorter timelines, more restrictive substance abuse (42 CFR Part 2) and mental health records protections, and state-specific patient rights provisions.

13. Complaints and Enforcement

Individuals who believe their privacy rights have been violated may file a complaint with the applicable Covered Entity, with Hoss Care directly, or with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). We will not retaliate against any individual for filing a complaint. Complaints to OCR must be filed within 180 days of the known violation. For more information, visit hhs.gov/hipaa/filing-a-complaint.

14. Contact Information

For questions about our HIPAA compliance program, to request our BAA, SOC 2 report, or other compliance documentation, or to report a security concern:

HIPAA Privacy Officer & Security Officer

Email: compliance@hosscare.com

Phone: +1 (917) 748-3246

Security Incident Reporting

Email: security@hosscare.com

Disclaimer: This page provides an overview of Hoss Care's HIPAA compliance program and is for informational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. The specific terms governing the protection of PHI are set forth in the Business Associate Agreement executed between Hoss Care and each Covered Entity. Organizations should consult their own legal counsel for compliance guidance specific to their circumstances.