HIPAA Compliance

1. MDME's Role Under HIPAA

MDME provides a technology platform and related services to healthcare practices and organizations ("Providers"). In doing so, MDME may receive, create, maintain, or transmit PHI on behalf of Providers.

When MDME handles PHI in this capacity, MDME acts as a Business Associate, as defined by HIPAA, and complies with the obligations applicable to Business Associates under the law.

MDME does not provide medical care, make clinical decisions, or act as a healthcare provider.

2. Business Associate Agreements (BAAs)

MDME enters into Business Associate Agreements ("BAAs") with Providers as required by HIPAA. These agreements govern:

• Permitted uses and disclosures of PHI
• Safeguards for protecting PHI
• Reporting obligations related to security incidents and breaches
• Subcontractor compliance requirements

MDME's handling of PHI is strictly limited to what is permitted under applicable BAAs and HIPAA.

3. Safeguards to Protect PHI

MDME maintains administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI, consistent with HIPAA requirements. These safeguards include, but are not limited to:

• Access controls and authentication mechanisms
• Role-based access limitations
• Secure hosting and infrastructure controls
• Monitoring and logging of system activity
• Policies and procedures governing workforce access to PHI
• Incident response and breach notification processes

While no system can be guaranteed to be 100% secure, MDME implements commercially reasonable and industry-aligned measures to protect PHI.

4. Use and Disclosure of PHI

MDME uses and discloses PHI only:

• As permitted by HIPAA
• As authorized under applicable BAAs
• As required by law

MDME does not sell PHI and does not use PHI for its own independent marketing purposes.

PHI provided by Providers for patient care purposes remains subject to each Provider's own Notice of Privacy Practices.

5. Subcontractors and Service Providers

Where MDME engages subcontractors or service providers that may have access to PHI, MDME requires such parties to:

• Enter into written agreements containing HIPAA-compliant protections
• Implement appropriate safeguards for PHI
• Use PHI only as permitted to support MDME's services

6. Messaging and Communications Involving PHI

MDME's platform may support patient communications via SMS, MMS, and voice calls, as directed by Providers.

Providers are solely responsible for:

• Determining what information is appropriate to include in communications
• Obtaining all legally required patient consents and authorizations
• Ensuring compliance with HIPAA, TCPA, and applicable state laws

MDME transmits communications at the direction of Providers and in accordance with applicable agreements.

7. Patient Rights

Patients should direct any questions about their medical information, privacy rights, or requests regarding PHI (including access, amendment, or restrictions) to their healthcare Provider.

MDME does not independently control patient records and cannot modify or disclose PHI outside the scope authorized by Providers and HIPAA.

8. Breach Notification

In the event of a confirmed breach of unsecured PHI, MDME will:

• Comply with its breach notification obligations under HIPAA
• Notify affected Providers without unreasonable delay
• Cooperate with Providers in meeting applicable regulatory and patient notification requirements

9. Limitations

This HIPAA Compliance page is provided for informational purposes only and does not create contractual obligations beyond those set forth in applicable written agreements between MDME and its customers.

10. Contact Information

If you have questions regarding MDME's HIPAA compliance practices, please contact:

MD Media Experience LLC
Email: support@mdme.tech