HIPAA Compliance Notice


HIPAA Compliance

Effective Date: October 8, 2025 | Last Updated: October 8, 2025

1. Overview

StreamForma is committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and related regulations governing the privacy and security of Protected Health Information (PHI). This HIPAA Compliance Notice explains Stream Health's role under HIPAA, our obligations, and how we protect health information.

2. Stream Health's Role Under HIPAA

HIPAA Privacy Officer | Email: privacy@streamforma.co | Phone: +1 888-668-9087 | Business Address: StreamForma, Costa Mesa, CA 92626, United States

StreamForma operates as a Business Associate under HIPAA when facilitating connections between healthcare providers (Covered Entities) and MedSync Corp (our service provider partner).

Important Clarifications:
  • We DO NOT collect, access, or process Protected Health Information (PHI) from individual patients in our role as a lead generation and marketing partner.
  • We DO collect business information from healthcare providers (business contact information, professional information, business inquiries).
  • MedSync Corp acts as the Business Associate for actual medical record consolidation services.
  • Healthcare provider organizations remain Covered Entities with ultimate responsibility for patient data.

2.2 Service Delivery Chain

Healthcare Provider (Covered Entity) → StreamForma (Marketing Partner / Limited Business Associate) → MedSync Corp (Business Associate for Service Delivery) → Medical Record Consolidation Services.

Who Handles What:
  • Healthcare Provider (Covered Entity): Direct PHI access | Primary HIPAA responsibility
  • StreamForma (Marketing Partner / Limited BA): No direct PHI access | Limited BA obligations for referral coordination
  • MedSync Corp (Business Associate): Direct PHI access | Full BA obligations (BAA with provider)

3. Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is required under HIPAA when a Business Associate will access, use, or disclose PHI on behalf of a Covered Entity.

For StreamForma:
  • A limited BAA may be executed if coordination of service implementation requires access to limited PHI (e.g., patient counts, aggregate data).
  • Standard practice: no BAA is needed for lead generation activities involving only business contact information.

For MedSync Corp:
  • A full BAA is required before any medical record consolidation services begin.
  • The BAA is executed directly between the healthcare provider and MedSync Corp.
  • It covers all PHI accessed during service delivery.

When a BAA is in place, it includes:
  • Permitted Uses and Disclosures (use PHI only as specified)
  • Safeguards (implement administrative, physical, and technical safeguards)
  • Subcontractors (enter into BAAs with subcontractors)
  • Access and Accounting (provide access to PHI upon request)
  • Termination (return or destroy PHI upon termination)

Healthcare providers may request a BAA:
For StreamForma: legal@streamforma.co | For MedSync Corp: info@medsyncorp.com | Phone: +1 888-668-9087

4. HIPAA Safeguards

4.1 Administrative Safeguards

  • Written HIPAA compliance policies reviewed annually
  • Incident response procedures
  • Workforce training and awareness programs
  • Sanction policies for violations
  • Designated HIPAA Privacy Officer and Security Officer
  • Incident Response Team
  • All employees complete HIPAA training upon hire
  • Annual refresher training required
  • Role-based access to systems and data (least privilege principle)
  • User authentication and authorization

4.2 Physical Safeguards

  • Controlled access to physical locations
  • Visitor sign-in procedures
  • Security cameras and monitoring
  • Encrypted laptops and mobile devices
  • Screen privacy filters
  • Automatic screen lock after inactivity
  • Secure disposal of documents and media
  • Inventory of devices containing sensitive information
  • Secure storage of backup media
  • Secure data wiping before device disposal
  • Prohibition of unauthorized removal of devices

4.3 Technical Safeguards

  • Encryption: Data in transit (TLS 1.2 or higher), Data at rest (AES-256 encryption), Email encryption for sensitive communications.
  • Access Controls: Multi-factor authentication (MFA) for system access, Strong password requirements, Automatic logout after inactivity, Audit logging of access and activities.
  • Transmission Security: Secure file transfer protocols (SFTP, HTTPS), Virtual Private Networks (VPNs) for remote access, Secure messaging platforms.
  • Integrity Controls: Data validation and error checking, Version control for documents, Checksums and digital signatures to detect tampering.
  • Audit Controls: Logging of all access to systems and data, Regular review of audit logs, Automated alerts for suspicious activity.

5. PHI Handling Procedures

We adhere to the Minimum Necessary standard: access, use, or disclose only the minimum amount of PHI necessary to accomplish the intended purpose. Limit workforce access to PHI based on job roles. Request only necessary information from Covered Entities.

PHI may be used or disclosed for:
  • Treatment (facilitating delivery of healthcare services)
  • Payment (billing and reimbursement activities)
  • Healthcare Operations (quality improvement, care coordination, business planning)

Stream Health's typical activities involve:
  • Business contact information (not PHI)
  • Aggregated, de-identified statistics (not PHI)
  • Service inquiries and consultations (not PHI)

When using health information for marketing or research, we ensure data is de-identified according to HIPAA standards: Expert Determination or Safe Harbor Method (remove 18 specific identifiers including names, geographic subdivisions, dates, telephone numbers, email addresses, SSNs, medical record numbers, account numbers, URLs, IP addresses, biometric identifiers, photographs, and any other unique identifying numbers).

6. Individual Rights Under HIPAA

Individuals have rights under HIPAA:
  • Right to Access: access their PHI held by Covered Entities (contact the healthcare provider that created the records, request in writing; the Covered Entity must respond within 30 days).
  • Right to Amend: request amendments to their PHI if they believe it is inaccurate or incomplete.
  • Right to Accounting of Disclosures: request an accounting of disclosures of their PHI made by Covered Entities in the past 6 years.
  • Right to Request Restrictions: request restrictions on uses and disclosures of their PHI.
  • Right to Confidential Communications: request to receive PHI communications in a specific manner or at a specific location.
  • Right to Notification of Breaches: must be notified of breaches of their unsecured PHI without unreasonable delay, within 60 days.

Stream Health's Role: We do not maintain individual patient records. Requests should be directed to your healthcare provider or MedSync Corp.

7. Breach Notification

A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information. We conduct a risk assessment for any impermissible use or disclosure to determine if it constitutes a breach requiring notification.

Factors Considered:
  • Nature and extent of PHI involved
  • Who impermissibly used or disclosed the PHI
  • Whether PHI was actually acquired or viewed
  • Extent to which risk has been mitigated

If a Breach Occurs Involving PHI:
  • To Individuals: notify affected individuals within 60 days of discovery via written notice by first-class mail or email.
  • To the Secretary of HHS: breaches affecting 500+ individuals: notify within 60 days; breaches affecting less than 500 individuals: maintain a log and submit an annual report within 60 days of year-end.
  • To the Media: if 500+ individuals are affected, notify prominent media outlets in affected states.

If StreamForma discovers a breach involving PHI of a Covered Entity:
  • Notify the Covered Entity within 24 hours of discovery.
  • Provide a detailed incident report.
  • The Covered Entity is then responsible for notifying affected individuals and authorities.

MedSync Corp Breaches: Handled by MedSync Corp in accordance with their HIPAA policies and BAAs with Covered Entities. Contact MedSync Corp: info@medsyncorp.com | Phone: +1 888-668-9087

8. Workforce Training and Compliance

All StreamForma employees receive:
  • Initial Training (Upon Hire): HIPAA Privacy Rule overview, HIPAA Security Rule overview, HITECH Act requirements, StreamForma policies and procedures, Role-specific responsibilities, Incident reporting procedures.
  • Annual Refresher Training: Updates on HIPAA regulations, Lessons learned from incidents, Review of policies and procedures, Case studies and scenarios.
  • Ongoing Training: Ad-hoc training for new policies or procedures, Training following security incidents, Department-specific training as needed.

We maintain records of all training completed.

Violations of HIPAA policies may result in:
  • Minor Violations: verbal or written warning, retraining requirement, supervised access.
  • Moderate Violations: suspension of access privileges, formal disciplinary action, performance improvement plan.
  • Severe Violations: termination of employment, referral to law enforcement, civil or criminal penalties.

Employees must report: Suspected or actual breaches of PHI, Security incidents, Privacy violations, Lost or stolen devices containing sensitive information.
Report to: Email: privacy@streamforma.co | Phone: +1 888-668-9087 (24/7).

StreamForma prohibits retaliation against anyone who reports concerns in good faith.

14. Modifications to Terms

We reserve the right to modify these Terms at any time, in our sole discretion. We will post updated Terms on this page and update the Last Updated date. For material changes, we will notify you via email (if you have an account) or by prominent notice on the Site. Your continued use of the Site or Services after the effective date of modified Terms constitutes your acceptance of the changes. If you do not agree to the modified Terms, you must stop using the Site and Services.

Material changes may include:
  • Changes to dispute resolution or arbitration provisions
  • Changes to limitations of liability
  • Changes to intellectual property ownership
  • Changes to data collection or privacy practices

We will provide at least 30 days' notice for material changes, except where required by law to implement changes immediately.

9. Compliance Monitoring and Audits

We conduct regular internal audits to ensure HIPAA compliance.

Audit Schedule:
  • Quarterly: review of access logs and system activity
  • Semi-Annually: policy and procedure review and update
  • Annually: comprehensive compliance audit

Audit Scope: Access controls and authentication, Data encryption and transmission security, Incident response and breach procedures, Workforce training and awareness, Business associate compliance, Physical and technical safeguards. All audits are documented and retained for 6 years.

We conduct annual risk assessments to identify vulnerabilities: Identify potential threats, Assess likelihood and impact, Prioritize risks based on severity, Mitigate risks by implementing controls, Monitor ongoing risks.

Risk Categories:
  • Technical risks (cyberattacks, system failures)
  • Physical risks (theft, natural disasters)
  • Administrative risks (human error, policy gaps)
  • Vendor risks (third-party service provider failures)

We engage independent auditors for: SOC 2 Type II audits (conducted by MedSync Corp), HIPAA compliance assessments by qualified professionals, Penetration testing by cybersecurity firms, Vulnerability scans by third-party security vendors.

10. Updates and Changes

We review and update our HIPAA policies at least annually, or when: HIPAA regulations change, New threats or vulnerabilities are identified, Significant security incidents occur, Business operations change.

Notification of Updates: Updated policies posted on streamhealth.co/hipaa, Workforce notified via email and training, Last Updated date revised at top of this page.

We monitor changes to: HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, State privacy laws, HHS guidance and enforcement actions.

Compliance with New Regulations: Assess impact of new regulations on our operations, Update policies and procedures as needed, Provide additional training to workforce, Communicate changes to business associates and partners.

11. Contact Information

HIPAA Privacy Officer: For questions, concerns, or complaints regarding HIPAA compliance or privacy practices: StreamForma, Costa Mesa, CA 92626, United States | Email: privacy@streamforma.co | Phone: +1 888-668-9087 | Business Hours: Monday-Friday, 8:00 AM - 6:00 PM Pacific Time.

HIPAA Security Officer: For questions about security safeguards, technical controls, or security incidents: StreamForma, Costa Mesa, CA 92626, United States | Email: security@streamforma.co | Phone: +1 888-668-9087.

Filing a Complaint: If you believe your privacy rights have been violated, you may file a complaint:
  • With StreamForma: Email: privacy@streamforma.co | Phone: +1 888-668-9087 | Mail: StreamForma, Attn: HIPAA Privacy Officer, Costa Mesa, CA 92626.
  • With the U.S. Department of Health and Human Services (HHS): Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201 | Phone: 1-877-696-6775 | Website: www.hhs.gov/ocr/privacy/hipaa/complaints/.

No Retaliation: You will not be retaliated against for filing a complaint.

Effective Date: October 8, 2025 | Version: 1.0 | StreamForma HIPAA Compliance Notice - © 2025 StreamForma. All rights reserved.

12. Dispute Resolution and Arbitration

Before filing a claim, you agree to attempt to resolve disputes informally by contacting us: Email: legal@streamforma.co | Phone: +1 888-668-9087 | Address: StreamForma, Costa Mesa, CA 92626. Send a written description of the dispute, including your contact information and desired resolution. We will respond within 30 days with a proposed resolution. Both parties will negotiate in good faith for 60 days to resolve the dispute.

If informal resolution fails, you agree that disputes will be resolved by binding arbitration rather than in court, except: Small claims court actions (claims under $10,000), Actions to enforce intellectual property rights, Actions for injunctive or equitable relief. Arbitration will be conducted under the Commercial Arbitration Rules of the American Arbitration Association (AAA), available at www.adr.org. Arbitration will take place in Orange County, California or another mutually agreed location.

YOU AND STREAMFORMA AGREE THAT DISPUTES WILL BE RESOLVED ON AN INDIVIDUAL BASIS ONLY. You waive any right to participate in a class action lawsuit, participate in a class-wide arbitration, act as a private attorney general, or bring claims on behalf of others. TO THE FULLEST EXTENT PERMITTED BY LAW, YOU AND STREAMFORMA WAIVE THE RIGHT TO A JURY TRIAL.

You may opt out of arbitration by sending written notice within 30 days of first using the Site to: StreamForma, Attn: Arbitration Opt-Out, Costa Mesa, CA 92626 | Email: legal@streamforma.co

13. Governing Law and Jurisdiction

These Terms and any disputes arising from or relating to the Site or Services are governed by the laws of the State of California and the federal laws of the United States, without regard to conflict of law principles.

For claims not subject to arbitration, you agree that: Exclusive jurisdiction lies with the state and federal courts located in Orange County, California; You consent to personal jurisdiction in these courts; You waive any objection to venue in these courts.

If you access the Site from outside the United States, you are responsible for compliance with local laws. You consent to having your data transferred to and processed in the United States.

15. General Provisions

Entire Agreement: These Terms, together with our Privacy Policy and any other policies referenced herein, constitute the entire agreement between you and StreamForma regarding the Site and Services. These Terms supersede all prior agreements, understandings, or communications (whether oral or written) between you and StreamForma.

Severability: If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the invalid provision will be modified to the minimum extent necessary to make it valid and enforceable. If modification is not possible, the provision will be severed from these Terms. The remaining provisions will remain in full force and effect.

Waiver: Our failure to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision. A waiver of any provision must be in writing and signed by an authorized representative of StreamForma.

Assignment: You may not assign or transfer these Terms or any rights or obligations hereunder without our prior written consent. We may assign these Terms to any party at any time without notice or consent, including in connection with a merger, acquisition, or sale of assets.

No Third-Party Beneficiaries: These Terms are solely for the benefit of you and StreamForma (and MedSync Corp to the extent referenced herein). No third parties have any rights to enforce these Terms or claim any benefit under them.

Force Majeure: We are not liable for any failure or delay in performance due to causes beyond our reasonable control, including: Acts of God (natural disasters, pandemics, etc.), War, terrorism, or civil unrest, Government actions or regulations, Internet or telecommunications failures, Strikes, labor disputes, or supplier failures, Cyberattacks or hacking incidents.

Survival: The following provisions survive termination of these Terms: Intellectual Property Rights (Section 5), Disclaimers and Limitations of Liability (Section 7), Indemnification (Section 8), Dispute Resolution and Arbitration (Section 12), Governing Law (Section 13), General Provisions (Section 15).

16. Contact Information

For questions, concerns, or notices regarding these Terms, contact us: StreamForma Legal Department | Mailing Address: StreamForma, Attn: Legal Department, Costa Mesa, CA 92626, United States | Email: legal@streamforma.co | Phone: +1 888-668-9087 | Business Hours: Monday-Friday, 8:00 AM - 6:00 PM Pacific Time | For general inquiries: Email: info@streamforma.co | Phone: +1 888-668-9087 | For privacy-related inquiries: Email: privacy@streamforma.co | For HIPAA-related inquiries: Email: privacy@streamforma.co | Subject: HIPAA Inquiry | We will respond to all inquiries within 10 business days. Effective Date: October 8, 2025 | Version: 1.0 | StreamForma Terms of Use - © 2025 StreamForma. All rights reserved. By using our Site and Services, you acknowledge that you have read, understood, and agree to be bound by these Terms of Use.