HIPAA Notice
Effective Date: March 13, 2026 · Last Updated: March 13, 2026
Important: KindredLink, Inc. is committed to protecting health information and has implemented administrative, technical, and physical safeguards consistent with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. This notice describes our practices regarding Protected Health Information (“PHI”) and our current compliance posture.
1. Our HIPAA Compliance Status
KindredLink is actively pursuing full HIPAA compliance. Our current status:
- HIPAA-Conscious Architecture — Active. Our platform is designed and built with HIPAA requirements in mind, including encryption, access controls, audit logging, and data isolation.
- Independent HIPAA Compliance Assessment — In Progress. HHS does not issue or endorse a HIPAA “certification”; what can be obtained is an independent third-party assessment of compliance with the Privacy, Security, and Breach Notification Rules. We are working toward such an assessment. This process is ongoing.
- Business Associate Agreements (BAAs) — Available. We are prepared to execute BAAs with covered entities (VA medical centers, healthcare facilities) as required by HIPAA.
We are transparent about our compliance journey. We do not represent that we have completed a third-party HIPAA assessment or audit at this time. We are committed to achieving and maintaining full compliance and will update this notice as our compliance posture evolves.
2. What Constitutes PHI in Our Services
The following categories of data collected or processed through the Services may constitute Protected Health Information under HIPAA:
- Veteran biographical and demographic information when associated with a healthcare facility or care context.
- Health and wellness data collected from wearable devices (heart rate, step counts, sleep data, activity levels).
- Cognitive assessment data generated by Legacy Quest sessions, including performance metrics, difficulty levels, and trend analytics.
- Behavioral and emotional indicators derived from AI conversation analysis, including mood assessments and distress detection signals.
- Location data from the Indoor Positioning System when used in a healthcare facility context.
- Care team notes and clinical observations entered by facility staff through the administrative dashboard.
- Voice recordings captured for the Digital Presence feature when associated with a healthcare context.
3. How We Protect PHI
3.1 Administrative Safeguards
- Designated privacy and security officer responsible for HIPAA compliance oversight.
- Workforce training on PHI handling, privacy requirements, and security awareness.
- Written policies and procedures for PHI access, use, disclosure, and breach notification.
- Regular risk assessments to identify and mitigate threats to PHI.
- Sanctions for workforce members who violate PHI handling policies.
- Business Associate Agreements with all third-party service providers who may access PHI.
3.2 Technical Safeguards
- Encryption: All PHI encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) ensuring workforce members access only the minimum PHI necessary for their role.
- Unique User Identification: Each user has a unique identifier for authentication and audit tracking.
- Automatic Logoff: Sessions automatically expire after periods of inactivity.
- Audit Controls: Complete audit trail of all PHI access, creation, modification, and deletion. Audit logs are immutable and retained per our retention schedule.
- Integrity Controls: Mechanisms to ensure PHI is not improperly altered or destroyed.
- Transmission Security: All data transmitted over public networks is encrypted. API endpoints are authenticated and rate-limited.
3.3 Physical Safeguards
- Infrastructure hosted on cloud platforms (AWS/Supabase) whose data centers are covered by SOC 2 Type II attestation reports issued by independent auditors.
- Facility access controls at data center locations managed by our infrastructure providers.
- Workstation use policies for workforce members who access PHI.
- Device and media controls for hardware containing PHI.
4. AI Processing and PHI
- No Model Training on PHI: PHI is never used to train, fine-tune, or improve AI models. This applies to all AI providers used by the Services, including Anthropic (Claude) and Google (Gemini).
- Data Processing Agreements: We maintain data processing agreements with our AI providers that contractually prohibit the use of input data for model training and require prompt deletion of processed data.
- Minimum Necessary Standard: AI processing requests include only the minimum PHI necessary to generate the requested output. We de-identify data where feasible before AI processing.
- No Persistent Storage by AI Providers: We select AI providers and configurations that do not persist input or output data beyond the immediate processing session.
5. Uses and Disclosures of PHI
We may use or disclose PHI in the following circumstances:
- Treatment: To provide, coordinate, or manage services for the veteran, including sharing with authorized care team members.
- Healthcare Operations: For quality assessment, training, clinical reporting, and service improvement within the facility context.
- With Authorization: For purposes beyond treatment and operations, we obtain written authorization from the veteran, their legal representative, or the facility as required.
- Family Engagement: PHI is shared with family members only as authorized by the veteran, their legal representative, or the facility in accordance with applicable consent protocols.
- As Required by Law: When required by federal, state, or local law, court order, or government investigation.
- To Avert a Serious Threat: When necessary to prevent a serious and imminent threat to the health or safety of a person or the public, including referral to emergency services or the Veterans Crisis Line.
- Breach Notification: In the event of a breach of unsecured PHI, we will notify affected individuals, the facility, and the Department of Health and Human Services as required by the HIPAA Breach Notification Rule.
6. Individual Rights Regarding PHI
Veterans (or their authorized representatives) have the following rights regarding their PHI:
- Right to Access: You may request access to and obtain a copy of your PHI that we maintain. We will respond within 30 days of receiving your request.
- Right to Amend: You may request an amendment to your PHI if you believe it is inaccurate or incomplete. We may deny the request under certain circumstances and will provide a written explanation for any denial.
- Right to an Accounting of Disclosures: You may request a list of certain disclosures of your PHI that we have made.
- Right to Request Restrictions: You may request that we restrict certain uses or disclosures of your PHI. We are not required to agree to all restriction requests but will honor reasonable requests where feasible.
- Right to Request Confidential Communications: You may request that we communicate with you about PHI through specific means or at specific locations.
- Right to a Copy of This Notice: You may request a paper or electronic copy of this notice at any time.
- Right to Data Deletion: You may request complete deletion of your PHI from our systems. Upon verified request, we will perform a comprehensive deletion of all associated data. Certain audit records required by law may be retained in accordance with applicable retention schedules.
7. Breach Notification
In the event of a breach of unsecured PHI, KindredLink will:
- Notify affected individuals without unreasonable delay and no later than 60 days following discovery of the breach.
- Notify the covered entity (VA facility or care organization) immediately upon discovery of a breach involving their residents' PHI.
- Notify the U.S. Department of Health and Human Services (HHS) as required by the HIPAA Breach Notification Rule — without unreasonable delay and no later than 60 days after discovery for breaches affecting 500 or more individuals, and no later than 60 days after the end of the calendar year in which the breach was discovered for breaches affecting fewer than 500 individuals.
- Provide breach notifications that include: a description of the breach, the types of PHI involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.
8. Business Associate Obligations
When KindredLink acts as a Business Associate to a Covered Entity (such as a VA medical center or healthcare facility), we will:
- Execute a Business Associate Agreement (BAA) with the Covered Entity before accessing or processing PHI on their behalf.
- Use and disclose PHI only as permitted by the BAA and applicable law.
- Implement safeguards to prevent unauthorized use or disclosure of PHI.
- Report any security incidents or breaches to the Covered Entity.
- Make PHI available to the Covered Entity to fulfill its obligations to individuals under HIPAA.
- Ensure that any subcontractors who access PHI agree to the same restrictions and conditions.
- Return or destroy PHI upon termination of the BAA, as specified in the agreement.
9. Minimum Necessary Standard
KindredLink applies the HIPAA minimum necessary standard to all uses, disclosures, and requests for PHI. We make reasonable efforts to limit PHI access to the minimum amount necessary to accomplish the intended purpose. Role-based access controls ensure that each user category (care team member, family member, administrator) can access only the PHI relevant to their authorized role.
10. Data Retention
- We retain PHI for as long as necessary to provide the Services and comply with our legal and contractual obligations.
- HIPAA requires that we retain documentation of our privacy policies and procedures, and related communications, for at least six (6) years from the date of their creation or the date when they were last in effect, whichever is later.
- Audit logs related to PHI access are retained for a minimum of six (6) years.
- Upon account termination or data deletion request, PHI is permanently deleted from active systems within 30 days and from backups within 90 days, except for records required to be retained by law.
11. Complaints
If you believe your privacy rights have been violated, you may:
- File a complaint with KindredLink at privacy@kindredlink.ai.
- File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr/privacy/hipaa/complaints.
We will not retaliate against you for filing a complaint.
12. Changes to This Notice
We reserve the right to change this notice and make the revised notice effective for PHI we already hold as well as PHI we receive in the future. We will post the revised notice on our website with a new effective date. Material changes will be communicated to facility partners and registered users.
13. Contact Information
For questions or concerns about this HIPAA Notice or our privacy practices, contact:
KindredLink, Inc. — Privacy Officer
Privacy: privacy@kindredlink.ai
Security: security@kindredlink.ai
General: hello@kindredlink.ai