HIPAA Compliant Platform

HIPAA Compliance Statement

Effective Date: December 23, 2024 | Last Updated: December 23, 2024

Commitment to Healthcare Privacy. The Bridge Placement Network Inc. ("The Bridge," "Company," "we," "us," or "our") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations ("HIPAA"), including the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the HITECH Act.

1. REGULATORY CLASSIFICATION AND SCOPE

1.1 Business Associate Status

When The Bridge provides services that involve the creation, receipt, maintenance, or transmission of PHI on behalf of a Covered Entity (as defined under HIPAA), The Bridge functions as a "Business Associate" within the meaning of 45 CFR § 160.103. In such capacity, we are bound by the applicable provisions of HIPAA as set forth in Business Associate Agreements ("BAAs") executed with Covered Entities utilizing our Platform for patient placement and care coordination services.

1.2 Scope of Application

This HIPAA Compliance Statement applies to all PHI that The Bridge creates, receives, maintains, or transmits in connection with its services. This statement is supplemental to, and does not supersede, our Privacy Policy and Terms of Service, which govern the collection and use of all personal information processed through our Platform.

1.3 Limitation of Scope

IMPORTANT NOTICE: HIPAA obligations apply only when The Bridge is acting as a Business Associate to a Covered Entity under an executed BAA. Information provided directly to The Bridge by individuals for their own use (such as families conducting independent searches) may not be subject to HIPAA protections unless such information constitutes PHI received from or maintained on behalf of a Covered Entity. The Bridge's HIPAA compliance obligations do not extend to activities outside the scope of an applicable BAA.

2. PROTECTED HEALTH INFORMATION

2.1 Definition

Protected Health Information, as defined by 45 CFR § 160.103, refers to individually identifiable health information that is: (a) transmitted by or maintained in electronic media, or (b) transmitted or maintained in any other form or medium; (c) created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and (d) relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.

2.2 Categories of PHI Processed

In the course of providing services, The Bridge may process the following categories of PHI:

  • Patient demographic information (name, date of birth, contact information)
  • Medical record numbers and healthcare identifiers
  • Care requirement summaries and clinical notes
  • Diagnosis information and treatment history
  • Insurance and payment information
  • Discharge planning documentation
  • Care placement and referral communications

3. HIPAA SECURITY SAFEGUARDS

The Bridge maintains a comprehensive security program implementing the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR §§ 164.302-164.318).

3.1 Administrative Safeguards

Security Management Process

Designated Security and Privacy Officers; documented security policies and procedures; formal risk analysis and management program

Workforce Security

Background checks; role-based access authorization; termination procedures; regular HIPAA training and awareness programs

Information Access Management

Least-privilege access principles; formal access authorization procedures; documented policies for access establishment, modification, and termination

Security Incident Procedures

Incident identification, response, and documentation procedures; established escalation protocols; post-incident analysis and remediation

3.2 Physical Safeguards

  • Facility Access Controls: Data hosted in SOC 2 Type II certified data centers with biometric access, 24/7 surveillance, and visitor management
  • Workstation Security: Secure workstation policies; encrypted devices; automatic screen lock; clean desk requirements
  • Device and Media Controls: Inventory tracking; secure disposal and destruction procedures; data sanitization protocols
  • Environmental Controls: Fire suppression, climate control, backup power, and redundant systems

3.3 Technical Safeguards

  • Access Control: Unique user identification; emergency access procedures; automatic session termination; encryption and decryption mechanisms
  • Audit Controls: Comprehensive logging of system activity; access tracking; log retention and review procedures
  • Integrity Controls: Mechanisms to authenticate ePHI; technical policies to protect ePHI from improper alteration or destruction
  • Transmission Security: TLS 1.2+ encryption for data in transit; encryption of data at rest using AES-256; integrity controls for transmitted data
  • Authentication: Multi-factor authentication available; password complexity requirements; secure credential management

4. BUSINESS ASSOCIATE AGREEMENTS

4.1 BAA Requirement

Prior to receiving, creating, or maintaining PHI from a Covered Entity, The Bridge requires the execution of a Business Associate Agreement that satisfies the requirements of 45 CFR § 164.504(e). Our standard BAA addresses all required elements, including permissible uses and disclosures, safeguarding requirements, subcontractor obligations, breach notification, and termination provisions.

4.2 Subcontractor Agreements

In accordance with 45 CFR § 164.502(e)(1)(ii) and 45 CFR § 164.504(e)(2)(ii)(D), The Bridge requires all subcontractors that create, receive, maintain, or transmit PHI on our behalf to execute Business Associate Agreements containing substantially similar terms and conditions.

4.3 BAA Requests

Organizations requiring a BAA to use The Bridge Platform should contact our Compliance Department at compliance@thebridge.care. We can provide our standard BAA template or review organization-specific agreements.

5. MINIMUM NECESSARY STANDARD

In compliance with 45 CFR § 164.502(b) and 45 CFR § 164.514(d), The Bridge adheres to the "minimum necessary" standard. We make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. Our Platform is designed with role-based access controls and data minimization principles to limit PHI exposure to only what is required for authorized purposes.

6. BREACH NOTIFICATION OBLIGATIONS

6.1 Definition of Breach

A "Breach" is defined in accordance with 45 CFR § 164.402 as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, unless an exception applies or a risk assessment demonstrates low probability of compromise.

6.2 Notification to Covered Entities

In the event of a Breach of unsecured PHI, The Bridge will:

  • Notify affected Covered Entities without unreasonable delay, and in no case later than sixty (60) days after discovery
  • Provide identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed
  • Describe the circumstances of the Breach, including the types of PHI involved
  • Document the corrective actions taken and measures implemented to prevent future breaches
  • Provide such other information as required by applicable BAAs and HIPAA regulations

6.3 Cooperation with Investigations

The Bridge will cooperate with Covered Entities in breach investigations, notifications to affected individuals, and notifications to the Department of Health and Human Services as required by 45 CFR §§ 164.404-164.410.

7. INDIVIDUAL RIGHTS

The Bridge supports Covered Entities in fulfilling individuals' rights under HIPAA, including:

  • Right to Access (45 CFR § 164.524): Assistance in responding to requests to access PHI
  • Right to Amendment (45 CFR § 164.526): Support for amendment requests to PHI
  • Right to Accounting of Disclosures (45 CFR § 164.528): Maintenance of disclosure records and provision of accounting information
  • Right to Request Restrictions (45 CFR § 164.522): Support for processing restriction requests
  • Right to Confidential Communications (45 CFR § 164.522(b)): Accommodation of reasonable communication preferences

8. COMPLIANCE VERIFICATION

Ongoing Compliance Program

The Bridge maintains an ongoing compliance program including: periodic risk assessments; internal and external security audits; penetration testing; employee training; policy review and updates; and engagement with qualified healthcare compliance consultants. Documentation of compliance activities is maintained and available for review by BAA partners upon request.

9. LIMITATION OF LIABILITY

DISCLAIMER: While The Bridge is committed to HIPAA compliance and implements comprehensive safeguards, this HIPAA Compliance Statement is provided for informational purposes only and does not constitute legal advice. The Bridge's liability for any breach of its HIPAA obligations shall be governed solely by the terms of the applicable Business Associate Agreement. Nothing in this Statement shall be construed to create obligations beyond those required by HIPAA and applicable BAAs or to create any private right of action not provided by law.

10. CONTACT INFORMATION

For HIPAA-related inquiries, BAA requests, compliance questions, or to report a potential security incident:

HIPAA Privacy and Security Officer
The Bridge Placement Network Inc.
Email: compliance@thebridge.care
Security Incident Hotline: [Phone Number]
Address: [Your Business Address]

Regulatory Reference: This HIPAA Compliance Statement reflects The Bridge's commitment to compliance with the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191), the HITECH Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5), and the HIPAA Final Omnibus Rule (78 FR 5566). For authoritative guidance, please consult the regulations published by the U.S. Department of Health and Human Services.