HIPAA Compliance
Health Insurance Portability and Accountability Act
Last Updated: January 5, 2026
1. Our HIPAA Commitment
Hakim is designed to meet the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule for protecting the privacy and security of Protected Health Information (PHI). We understand the critical importance of maintaining patient confidentiality and securing sensitive health data.
2. Protected Health Information (PHI)
PHI includes any individually identifiable health information transmitted or maintained in any form. This includes:
• Patient medical records and histories
• Diagnoses and treatment plans
• Prescription information
• Lab results and medical imaging
• Insurance and billing information
• Any other health-related data linked to an individual
3. Administrative Safeguards
We implement comprehensive administrative policies including:
• Security Management Process: Regular risk assessments and mitigation strategies
• Workforce Training: All staff receive HIPAA compliance training
• Access Controls: Role-based access to PHI on a need-to-know basis
• Incident Response: Documented procedures for security breaches
• Business Associate Agreements: All third-party vendors handling PHI sign a BAA and are contractually required to implement HIPAA safeguards
4. Physical Safeguards
Physical security measures include:
• Secure data centers with 24/7 monitoring
• Access controls to facilities housing PHI
• Workstation security protocols
• Secure disposal of physical records
• Device and media controls
5. Technical Safeguards
Technical security measures include:
• Encryption: All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Multi-factor authentication and unique user IDs
• Audit Logging: Comprehensive tracking of all PHI access and modifications
• Integrity Controls: Mechanisms to ensure PHI is not altered or destroyed improperly
• Transmission Security: Secure protocols for all data transmission
• Automatic Logout: Sessions time out after a period of inactivity
6. Patient Rights Under HIPAA
You have the right to:
• Access your medical records and health information
• Request corrections to your PHI
• Receive an accounting of PHI disclosures
• Request restrictions on PHI use and disclosure
• Request confidential communications
• Receive a paper copy of our privacy practices
• File a complaint if you believe your privacy rights have been violated
7. Permitted Uses and Disclosures
We may use and disclose PHI without authorization for:
• Treatment: Providing, coordinating, or managing healthcare
• Payment: Billing and payment activities
• Healthcare Operations: Quality improvement and administrative functions
• Legal Requirements: When required by law
• Public Health Activities: Disease reporting and prevention
• Emergency Situations: To avert a serious and imminent threat to health or safety
8. Minimum Necessary Standard
We limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose. (Under HIPAA, this standard does not apply to disclosures to healthcare providers for treatment.) Access to PHI is restricted based on job roles and responsibilities.
9. Business Associate Compliance
All third-party service providers with access to PHI:
• Sign Business Associate Agreements (BAAs)
• Implement appropriate safeguards
• Report security incidents promptly
• Return or destroy PHI upon contract termination
Our current business associates include secure cloud hosting providers, payment processors, and communication platforms.
10. Breach Notification
In the event of a breach of unsecured PHI, we will:
• Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach
• Provide details about the breach, what we are doing to mitigate it, and steps individuals can take to protect themselves
• Report to the Department of Health and Human Services (HHS): within 60 days of discovery for breaches affecting 500 or more individuals, and in an annual log for smaller breaches
• Notify prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction
• Document all breaches and response actions
11. Data Retention and Disposal
We maintain medical records for the legally required period (minimum 7 years in Ethiopia). Upon expiration:
• PHI is securely destroyed using certified methods
• Electronic data is cryptographically erased, rendering it unrecoverable
• Physical records are shredded
• Disposal is documented and audited
12. Telehealth-Specific Considerations
For telehealth consultations:
• Video calls are encrypted end to end between the consultation participants
• Chat messages are encrypted and stored securely
• Screen sharing is controlled and monitored
• Sessions are conducted in private, secure locations
• Recording occurs only with the patient's explicit consent
13. Mobile Application Security
Our mobile apps implement:
• Biometric authentication (fingerprint or Face ID)
• Secure local storage with encryption
• Certificate pinning to prevent man-in-the-middle attacks
• Regular security updates
• Remote wipe capability for lost devices
14. Training and Awareness
All workforce members receive:
• Initial HIPAA training upon hire
• Annual refresher training
• Specific role-based security training
• Updates on policy changes
• Incident response drills
15. Compliance Monitoring
We continuously monitor compliance through:
• Regular internal audits
• Automated security scanning
• Penetration testing
• Risk assessments
• Third-party security audits
• User access reviews
16. Ethiopian Healthcare Regulations
In addition to HIPAA standards, we comply with Ethiopian healthcare regulations including:
• Ethiopian Food and Drug Administration (EFDA) guidelines
• Ministry of Health data protection requirements
• Ethiopian Medical Council professional standards
• Local privacy and data protection laws
17. Your Responsibilities
To help us maintain HIPAA compliance:
• Keep your login credentials confidential
• Use strong, unique passwords
• Enable multi-factor authentication
• Log out after each session
• Report suspicious activity immediately
• Ensure device security (screen lock, antivirus)
• Do not share your account with others
18. Questions and Complaints
If you have questions about our HIPAA compliance or believe your privacy rights have been violated:
Privacy Officer
Hakim Telehealth Platform
Email: [email protected]
Phone: +251-XXX-XXXX
You may also file a complaint with:
U.S. Department of Health and Human Services
Office for Civil Rights
Website: www.hhs.gov/ocr/privacy/hipaa/complaints
19. Policy Updates
We may update this HIPAA compliance policy to reflect:
• Changes in regulations
• New security technologies
• Organizational changes
• Lessons from security incidents
Material changes will be communicated to users via email and in-app notifications.
20. Contact Information
For HIPAA-related inquiries:
HIPAA Compliance Officer
Hakim Telehealth Platform
Addis Ababa, Ethiopia
Email: [email protected]
Phone: +251-XXX-XXXX
Website: www.hakimet.com
Office Hours: Monday - Friday, 9:00 AM - 5:00 PM EAT