Legal · HIPAA
HIPAA Posture.
How Hydor Health treats protected health information. The role we play. The Business Associate Agreements we sign. The safeguards under the Security Rule and the Privacy Rule that apply to every clinical surface above the platform.

1. Scope and effective date
This HIPAA Posture statement (the "Statement") describes the operating posture of Hydor Health under the Health Insurance Portability and Accountability Act of 1996, the HITECH Act of 2009, and the implementing regulations at 45 C.F.R. Parts 160, 162, and 164 (collectively, "HIPAA"). It is effective as of the date of last publication shown in the site footer and supersedes any prior posture document released under the same title.
This Statement is a description of posture, not legal advice and not a substitute for a Business Associate Agreement (a "BAA"). The rights and obligations of any specific counterparty are governed by the BAA and other written agreements. In any conflict between this Statement and a signed BAA, the BAA controls.
The Statement covers Hydor Health corporate operations, the hydorhealth.com public properties, and the work performed on behalf of covered entities and other business associates. Platform deployments (Hydor OS, Hydor MIM, Dr. Kai) are further governed by deployment-specific addenda that incorporate the controls here.
2. Our role under HIPAA
Hydor Health acts as a business associate within the meaning of 45 C.F.R. § 160.103 when it creates, receives, maintains, or transmits protected health information ("PHI") on behalf of a covered entity or another business associate. Hydor Health does not act as a covered entity in its public-facing capacity. Business associate work is performed under a signed BAA.
The public website at hydorhealth.com is not a clinical surface. It does not solicit PHI through any public form. Inquiry submissions are routed to corporate teams (partnerships, investor relations, press, and recruiting) and are not made available to the clinical workforce except where the inquiry relates to a clinical engagement and the relevant BAA is in place.
Where Hydor Health processes PHI on behalf of a covered entity (for example, a ministry of health, a federal counterpart, a hospital, a payer, or a clinical program), the processing is performed under a signed BAA that flows through every required obligation of 45 C.F.R. § 164.504(e). The BAA governs the permitted uses, the required safeguards, the breach notification timeline, and the obligations on termination.
3. The public website
The public website collects a limited set of non-PHI inquiry data: name, organization, role, work email, country, and a free-text inquiry field. Fields are collected to route the inquiry and to permit a substantive response. The lawful basis for processing in jurisdictions that require one is the legitimate interest of Hydor Health in responding to inbound business inquiries.
Visitors are instructed not to submit PHI through the public inquiry form. The instruction is reinforced through field labels, placeholder text, and the privacy notice presented at submission. If a visitor submits content that qualifies as PHI, Hydor Health treats it as Restricted data on receipt, isolates the submission, and evaluates whether a breach notification obligation has been triggered under HIPAA, HITECH, or applicable state law. The visitor is advised to raise any clinical concern with a licensed clinician through an appropriate channel.
No tracking technology on the public site collects PHI. Cookies used on the public site are described in the Cookie Policy at /legal/cookies and are limited to functionality, analytics, and (where opted in) marketing measurement. No PHI is shared with analytics providers under any circumstance.
4. Business Associate Agreement (BAA)
A BAA is required between Hydor Health and any covered entity (or upstream business associate) before Hydor Health creates, receives, maintains, or transmits PHI on behalf of that party. Hydor Health will sign a HIPAA-compliant BAA on the standard Hydor Health template or, where reasonable, on the counterparty template subject to negotiated revisions.
Standard provisions in the Hydor Health BAA template include (a) permitted and required uses and disclosures, (b) the safeguards required by the Security Rule, (c) reporting of uses or disclosures not permitted by the BAA, (d) written flow-down to subcontractors, (e) availability of PHI for individual access requests, amendments, and accountings of disclosures, (f) availability of internal practices, books, and records to the Secretary of HHS for compliance determinations, (g) breach notification consistent with 45 C.F.R. § 164.410, and (h) return or destruction of PHI on termination where feasible.
Liability is allocated through indemnification, limitations of liability, and insurance requirements negotiated on the BAA or the underlying master services agreement. Subcontractor flow-down is mandatory (see Section 15). Hydor Health will not engage a subcontractor that handles PHI without a written agreement that flows down the BAA obligations.
5. Permitted uses and disclosures of PHI
Hydor Health uses and discloses PHI only as permitted by the applicable BAA and as required by law. The default permitted purposes are the proper management and administration of Hydor Health, performance of the services contracted by the covered entity, data aggregation services where authorized, and disclosure required by law (with prompt notice to the covered entity where permitted).
Hydor Health does not use PHI for marketing within the meaning of 45 C.F.R. § 164.501 absent the individual authorization required by 45 C.F.R. § 164.508. Receipt of remuneration in exchange for any disclosure of PHI is prohibited under the Hydor Health BAA template absent an authorization that meets 45 C.F.R. § 164.508(a)(4).
Hydor Health does not sell PHI under any circumstance. The prohibition is absolute. It applies across every entity in the portfolio, across every vendor relationship, and across every contractual structure. It is documented in the BAA template, the Vendor Risk Management standard, and workforce training.
6. Administrative safeguards
Hydor Health has designated a Security Officer (the CISO) and a Privacy Officer responsible for the policies and procedures required by HIPAA. Both officers are named in the Trust Center, report into executive leadership, and present quarterly to the Security Committee and the board.
Workforce training is mandatory at hire, on any change of role affecting PHI access, and annually thereafter. Training covers the Privacy Rule, the Security Rule, breach notification, sanctions, and the role-specific access rules applicable to the workforce member. Completion is tracked in the learning system and reviewed by the Privacy Officer.
Sanctions for workforce misconduct are documented in the Workforce Sanctions Policy and applied without exception. They range from retraining through termination and may include referral to law enforcement where the conduct is criminal. Access management follows the principle of least privilege described in the Security Posture statement at /legal/security. Termination procedures revoke access at or before the end of the last working hour. Access rights are reviewed quarterly.
7. Physical safeguards
Facility access controls limit physical access to Hydor Health facilities and to the facilities of cloud service providers that host Hydor Health systems. Visitor access to offices is logged and escorted. Cloud provider facility controls are documented in the provider audit reports (SOC 2 Type II, ISO 27001, FedRAMP where applicable), reviewed annually by the CISO, and recorded in the Vendor Risk register.
Workstation policies require devices to be locked when unattended, full-disk encrypted, managed through corporate MDM, and patched within the windows defined by the Vulnerability Management standard. Workforce members are prohibited from storing PHI on local drives outside designated, encrypted paths.
Device and media controls govern the receipt, removal, and disposal of hardware and electronic media containing PHI. Disposal follows NIST SP 800-88 Rev. 1 sanitization guidance. Media reuse requires sanitization to the applicable level (clear, purge, or destroy) before transfer. Disposal events are logged and retained for the period required by the applicable BAA.
8. Technical safeguards
Access control. Every workforce identity is unique. Group accounts are prohibited. Automatic logoff is enforced at the workstation, application, and privileged access layers. Encryption and decryption are described in Section 9 of the Security Posture statement and are applied to PHI in transit and at rest at the strength required by NIST SP 800-111 and HHS encryption guidance.
Audit controls. Hardware, software, and procedural mechanisms record and examine activity in systems that contain or use PHI. Audit logs are integrity-protected, retained for the period required by the applicable BAA (and in any event for no less than six years from creation or the date when last in effect, whichever is later), and reviewed on a documented cadence.
Integrity controls protect PHI from improper alteration or destruction through cryptographic checksums, write-once storage for selected logs, immutable backups, and application-level validation. Person or entity authentication is enforced through phishing-resistant multi-factor authentication on any workforce access path touching PHI. Transmission security uses TLS 1.3 externally and mutually authenticated TLS internally.
9. Breach notification
Hydor Health complies with the breach notification standards of the HITECH Act and the implementing regulations at 45 C.F.R. Part 164, Subpart D. On discovery of a use or disclosure of PHI not permitted by the BAA, Hydor Health performs the four-factor risk assessment under 45 C.F.R. § 164.402.
Where the assessment concludes a breach has occurred, Hydor Health notifies the affected covered entity without unreasonable delay and in no case later than the timeline required by the BAA and the implementing regulations (in any event no later than sixty calendar days after discovery; most contracts require substantially shorter). The notice includes the information required by 45 C.F.R. § 164.410, including identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed.
Hydor Health coordinates with the covered entity on individual notification, media notification, and notification to the Secretary of HHS where applicable. Where Hydor Health is contractually responsible for direct notification, it executes under the Incident Response Plan. State law breach notification obligations are tracked and satisfied in parallel.
10. Minimum necessary standard
Hydor Health applies the minimum necessary standard required by 45 C.F.R. § 164.502(b) to every use, disclosure, and request for PHI. Requests are scoped to the smallest set required for the intended purpose. Role-based access controls implement the standard at the system layer. Periodic reviews evaluate whether the access granted to each role remains consistent with the duties of that role and whether narrowing is appropriate.
Where a covered entity grants Hydor Health access to a PHI data set, Hydor Health filters at ingestion to the fields needed for the contracted service. Where ingestion filtering is not feasible, Hydor Health applies field-level access controls at the application layer and logs every field access against the workforce identity that performed it.
11. Individual rights flow-through
Individuals have rights under the Privacy Rule, including access under 45 C.F.R. § 164.524, amendment under § 164.526, accounting of disclosures under § 164.528, and the right to request restrictions and confidential communications. These rights are exercised through the covered entity that holds the relationship with the individual.
Where Hydor Health holds PHI as a business associate, it supports the covered entity in responding to individual rights requests in a timely manner. The standard response time committed in the Hydor Health BAA template is ten business days from receipt of a properly scoped request, with extensions available where volume or complexity reasonably requires additional time.
12. Audit and accounting of disclosures
Hydor Health maintains an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528 and the applicable BAA. The accounting is generated from the integrity-protected audit log in Section 8 and made available to the covered entity within the timeline committed in the BAA.
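The two controls described in Sections 10 and 12 (minimum-necessary filtering at ingestion, field-level access gating with per-identity logging where ingestion filtering is not feasible, and an accounting of disclosures derived from an integrity-protected log) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not Hydor Health's code, and the role names, field names, and sample record are constructed for illustration. The log is hash-chained so that editing or deleting an entry is detectable, which is one simple form of the integrity protection Section 8 requires.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role allowlists (hypothetical roles, not Hydor Health's actual configuration).
# Each role sees only the fields its contracted service needs (minimum necessary).
ROLE_FIELDS = {
    "billing_analyst": {"record_id", "service_date", "procedure_code"},
    "care_coordinator": {"record_id", "service_date", "diagnosis", "clinician"},
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "record_id": "R-0001",
    "patient_name": "Test Patient",
    "date_of_birth": "1970-01-01",
    "service_date": "2024-03-02",
    "procedure_code": "99213",
    "diagnosis": "J06.9",
    "clinician": "Dr. Example",
}


def filter_at_ingestion(record, role):
    """Minimum-necessary filtering before storage: keep only the fields the role may see."""
    allowed = ROLE_FIELDS[role]
    return {k: v for k, v in record.items() if k in allowed}


class FieldAccessLog:
    """Append-only, hash-chained access log. Each entry commits to the previous entry's
    hash, so removing or altering any entry makes verify() return False."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def append(self, identity, role, record_id, field, decision):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "identity": identity,
            "role": role,
            "record_id": record_id,
            "field": field,
            "decision": decision,
            "prev": self._prev,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain from the genesis value; any tampering breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_field(store, log, identity, role, record_id, field):
    """Application-layer gate for the case where ingestion filtering is not feasible:
    every field access, allowed or denied, is logged against the workforce identity."""
    if field not in ROLE_FIELDS.get(role, set()):
        log.append(identity, role, record_id, field, "denied")
        raise PermissionError(f"{role} may not read {field}")
    log.append(identity, role, record_id, field, "allowed")
    return store[record_id][field]


def accounting_of_disclosures(log, record_id):
    """Accounting for one record, derived from the log rather than kept separately."""
    return [
        (e["ts"], e["identity"], e["field"])
        for e in log.entries
        if e["record_id"] == record_id and e["decision"] == "allowed"
    ]


if __name__ == "__main__":
    store = {"R-0001": SAMPLE_RECORD}
    log = FieldAccessLog()
    print(read_field(store, log, "alice@example.test", "billing_analyst", "R-0001", "procedure_code"))
    try:
        read_field(store, log, "alice@example.test", "billing_analyst", "R-0001", "diagnosis")
    except PermissionError as exc:
        print("denied:", exc)
    print(log.verify(), accounting_of_disclosures(log, "R-0001"))
```

Denied reads are logged as well as allowed ones: a pattern of denials against fields outside a role's allowlist is exactly the signal a periodic access review looks for. In a production system the chain head would be written to write-once storage on a schedule so the log cannot be silently rebuilt from scratch.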
The BAA grants independent audit rights to the covered entity. Hydor Health makes its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required by 45 C.F.R. § 164.504(e)(2)(ii)(I). Third-party audit reports (SOC 2 Type II, HITRUST CSF, FedRAMP where applicable) are available to covered entities under non-disclosure on request.
13. Data residency
Hydor Health does not place PHI on any public blockchain, public ledger, or other public chain technology. The prohibition is absolute. Cryptographic anchoring used in connection with PHI is performed against hashes or commitments that do not disclose underlying content.
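The distinction drawn above, between anchoring a bare hash and anchoring a commitment that does not disclose content, matters because many PHI fields come from small value spaces (a date of birth, a procedure code), so a plain hash of such a field can be matched against a precomputed table. The following Python is an added example, not Hydor Health's anchoring implementation; it shows a hiding commitment built from SHA-256 over a random 32-byte nonce and a canonical encoding of the record. The anchor can be published; the nonce stays with the PHI inside the residency boundary and is only revealed to a party entitled to verify the record.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 32  # 256-bit random blinding factor kept with the PHI, never published


def canonical(content):
    """Deterministic encoding so the same record always commits to the same bytes."""
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()


def commit(content, nonce=None):
    """Return (anchor, nonce). Only the anchor leaves the residency boundary."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes")
    body = canonical(content)
    # Length-prefix the nonce so the (nonce, body) pair has a single unambiguous parse.
    anchor = hashlib.sha256(len(nonce).to_bytes(2, "big") + nonce + body).hexdigest()
    return anchor, nonce


def verify(anchor, nonce, content):
    """Open the commitment: recompute with the revealed nonce and compare in constant time."""
    recomputed, _ = commit(content, nonce)
    return hmac.compare_digest(recomputed, anchor)


def bare_hash(content):
    """The pattern to avoid: an unblinded hash of the content, which is guessable
    whenever the content comes from a small value space."""
    return hashlib.sha256(canonical(content)).hexdigest()


def demo():
    """Constructed record (fictitious values) run through both forms."""
    record = {"record_id": "R-0001", "date_of_birth": "1970-01-01", "procedure_code": "99213"}
    anchor, nonce = commit(record)
    anchor_again, _ = commit(record)  # fresh nonce: unlinkable to the first anchor
    tampered = dict(record, procedure_code="99214")
    return {
        "anchor_differs_from_bare_hash": anchor != bare_hash(record),
        "same_content_fresh_nonce_unlinkable": anchor != anchor_again,
        "opens_correctly": verify(anchor, nonce, record),
        "rejects_tampered_content": verify(anchor, nonce, tampered),
        "rejects_wrong_nonce": verify(anchor, secrets.token_bytes(NONCE_LEN), record),
    }


if __name__ == "__main__":
    print(demo())
```

Because each record is committed under its own nonce, two anchors for the same individual cannot be linked by anyone holding only the public chain, which is what lets a hash-based anchor coexist with the prohibition on placing PHI on a public ledger.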
On-prem deployments preserve data residency at the boundary defined in the BAA and the deployment addendum. PHI is stored, processed, and (where permitted) backed up inside that boundary. Private-cloud deployments preserve residency at the tenant boundary defined in the BAA, the cloud provider MSA, and the cloud provider BAA. Cross-border transfers, where contemplated, are performed only on the lawful basis recorded in the BAA and the data processing addendum.
Federation across nodes is opt-in per cohort and per individual consent. The federation envelope is described in the Hydor OS documentation and governed by signed exchange terms between participating nodes.
14. State laws
Hydor Health operates from Houston, Texas and is subject to the Texas Medical Records Privacy Act, Texas Health & Safety Code Chapter 181, which imposes confidentiality and notification requirements that in some respects exceed federal HIPAA standards. Where the Texas Act imposes a stricter requirement, the stricter requirement applies.
Where Hydor Health processes PHI of individuals located in other states (including California under the CMIA, New York under the SHIELD Act, and Washington under the My Health My Data Act, among others), the stricter of the applicable state and federal requirements applies. Hydor Health maintains a state-law tracker and updates posture as state legislation evolves.
15. Subcontracting
Subcontractors that create, receive, maintain, or transmit PHI on behalf of Hydor Health sign written agreements that flow down the HIPAA obligations of the Hydor Health BAA template, including the safeguards required by the Security Rule, breach notification timelines, and the prohibition on sale or unauthorized use of PHI. Subcontractors that decline to sign are not engaged.
Subcontractor performance is monitored through the Vendor Risk Management standard. Annual due diligence reviews evaluate security posture, audit posture, data residency, and incident history. Material adverse findings trigger remediation, escalation to the Security Committee, or termination.
A current subcontractor list relating to a specific covered entity engagement is available to that covered entity on request through the contact path specified in the BAA. Changes affecting a covered entity are communicated through the same path.
16. Contact for the Privacy Officer and the Security Officer
Privacy Officer: privacy@hydorhealth.com. Security Officer (the CISO): security@hydorhealth.com. Postal correspondence: Hydor Health, Attention: Privacy Officer (or Security Officer, as applicable), Houston, Texas, United States of America.
Covered entities and other business associates discussing a specific engagement should use the contact path specified in the relevant BAA. Inquiries from individuals seeking to exercise Privacy Rule rights will be referred to the covered entity that holds the relationship, consistent with Section 11.
17. Governing law and venue
This Statement and any dispute arising out of or relating to it are governed by the laws of the State of Texas, United States of America, without regard to its conflict-of-laws principles. Federal law, including HIPAA, HITECH, and their implementing regulations, applies where it preempts state law or otherwise governs. The exclusive venue for any action arising out of or relating to this Statement is the state and federal courts located in Harris County, Texas, and the parties consent to the personal jurisdiction of those courts.
Nothing here creates a third-party beneficiary right or a private right of action that does not otherwise exist by statute. Rights and obligations between Hydor Health and a counterparty are governed by the BAA and the related agreements.
