HIPAA Notice of Privacy Practices
Last updated: April 1, 2026
This Notice describes how Protected Health Information (PHI) may be used and disclosed by Tendara in its role as a Business Associate, and how you can exercise your rights.
Our Role Under HIPAA
Tendara Health, Inc. is a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. We process Protected Health Information (PHI) solely on behalf of healthcare facilities — known as Covered Entities — that use our care management platform.
As a Business Associate, we do not provide direct care to patients or residents and do not have a direct treatment relationship with individuals whose PHI we process. We do not make independent decisions about how your PHI is used — those decisions are made by your healthcare facility in accordance with their own HIPAA obligations and Notice of Privacy Practices.
All rights that patients and residents have with respect to their PHI held in Tendara must be exercised through the healthcare facility (Covered Entity) responsible for that PHI. Contact your facility's privacy officer or administrator to exercise your HIPAA rights.
What is Protected Health Information
Protected Health Information (PHI) is any information that (a) relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to that individual, or payment for healthcare; and (b) could reasonably be used to identify the individual.
PHI stored in Tendara may include, but is not limited to:
- Resident names, dates of birth, and Social Security numbers
- Home addresses, phone numbers, and email addresses
- Admission and discharge dates
- Diagnosis codes (ICD-10), procedure codes, and clinical notes
- Medication records, allergy lists, and treatment plans
- Physician and care team assignments
- Insurance and billing information
- Any other individually identifiable health information uploaded to the platform by facility staff
Electronic PHI (ePHI) refers to PHI that is created, received, maintained, or transmitted in electronic form — which covers all data stored or processed within the Tendara platform.
How We Use and Disclose PHI
We use and disclose PHI only as permitted by our Business Associate Agreement (BAA) with your facility and as allowed or required by HIPAA. Our permitted uses and disclosures include:
- Platform operation: Storing, processing, and displaying PHI to authorized facility staff through the Tendara platform in connection with resident care management.
- Treatment coordination and operations: Supporting care coordination, billing, and healthcare operations as directed by the Covered Entity and consistent with your facility's privacy practices.
- Internal operations: Limited access by authorized Tendara technical and support staff for purposes of security monitoring, system maintenance, and customer support. All such access is governed by strict confidentiality requirements and is logged.
- Legal requirements: We may disclose PHI when required by applicable law, valid court order or subpoena, or government oversight activities permitted by HIPAA. We will notify your facility to the extent permitted before such disclosure.
We will never use or disclose PHI for marketing purposes, sell PHI to any third party, or use PHI in a way that is inconsistent with the BAA between us and your facility.
Safeguards We Implement
We maintain comprehensive administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of ePHI in accordance with the HIPAA Security Rule.
Administrative safeguards
- Designated HIPAA Security and Privacy Officers responsible for our compliance program
- Mandatory HIPAA security awareness training for all employees upon hire and annually thereafter
- Role-based access policies ensuring workforce members access only the PHI necessary for their job function
- Documented risk analysis and risk management program reviewed annually
- Business continuity and disaster recovery plans tested semi-annually
Physical safeguards
- All data is hosted in AWS data centers that hold SOC 2 Type II and ISO 27001 attestations and FedRAMP authorization; the physical data center controls below are operated by AWS, and Tendara relies on AWS's independent audit reports for assurance over them
- Physical access to data center facilities is restricted and monitored 24/7 with biometric controls and video surveillance
- Workstation security policies for all employees, including full-disk encryption and automatic screen lock
Technical safeguards
- AES-256 encryption for all ePHI at rest; AWS KMS for key management with annual key rotation
- TLS 1.3 encryption for all ePHI in transit
- Comprehensive audit logging of all PHI access events, including user, timestamp, action, and record accessed
- Role-based access controls following the principle of least privilege, enforced at both the application and database levels
- Automatic session timeout after 15 minutes of inactivity (configurable by facility administrators)
- Multi-factor authentication required for all platform access
- Intrusion detection and prevention systems with real-time alerting
Your Rights Regarding PHI
Under HIPAA, patients and residents have specific rights with respect to their Protected Health Information. Because Tendara acts as a Business Associate — not a Covered Entity — these rights must be exercised through your healthcare facility, not directly through Tendara.
Your HIPAA rights include:
- Right of access: The right to inspect and obtain a copy of your PHI held by your healthcare facility.
- Right to amend: The right to request correction of inaccurate or incomplete PHI.
- Right to an accounting of disclosures: The right to receive a list of certain disclosures of your PHI made in the prior six years.
- Right to request restrictions: The right to request that certain uses and disclosures of your PHI be restricted (though the facility is not always required to agree).
- Right to confidential communications: The right to receive communications about your PHI by alternative means or at an alternative location.
To exercise any of these rights, contact your facility's Privacy Officer or Administrator. Your facility is responsible for facilitating these requests in accordance with HIPAA requirements. Tendara will support your facility in fulfilling any valid PHI access request it forwards to us.
Breach Notification
In the event of a confirmed or reasonably suspected breach of unsecured PHI, Tendara will notify the affected healthcare facility (Covered Entity) within 72 hours of discovery of the breach, as committed in our Business Associate Agreement. This is stricter than the HIPAA Breach Notification Rule, which requires a Business Associate to notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery.
Our breach notification to your facility will include:
- A description of what happened, including the date of the breach and the date of discovery
- The types of PHI involved (e.g., names, dates, diagnosis codes, medication lists)
- The number of individuals whose PHI was involved, to the extent known
- Steps Tendara has taken or is taking to investigate, mitigate harm, and prevent future breaches
- Contact information for Tendara's HIPAA Compliance Officer and incident response team
Upon receiving breach notification from Tendara, your facility is responsible for notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, in accordance with the HIPAA Breach Notification Rule. Where applicable, your facility is also responsible for notifying the Secretary of Health and Human Services (HHS) and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area.
To report a suspected security incident or breach, contact our security team immediately at jimish2104gajjar@gmail.com.
Business Associate Agreement
All healthcare facilities using Tendara are required to execute a Business Associate Agreement (BAA) with Tendara Health, Inc. before any PHI may be entered into or processed by the platform. This is a HIPAA requirement and a condition of service.
Our standard BAA covers the following:
- The permitted uses and disclosures of PHI by Tendara as a Business Associate
- Our obligations to implement appropriate safeguards to protect PHI
- Our obligations with respect to breach notification and incident response
- Provisions governing subcontractors who access PHI on our behalf (downstream Business Associates), who must agree in writing to the same restrictions and conditions that apply to Tendara
- Obligations upon termination, including return or destruction of PHI
Our BAA is provided as part of the standard Enterprise subscription onboarding process. To request a copy of our BAA or to initiate the BAA execution process, contact jimish2104gajjar@gmail.com. The executed BAA governs our obligations as a Business Associate and supersedes this Notice where the two conflict.
Contact
For HIPAA-related inquiries, please contact:
- HIPAA Compliance Officer: jimish2104gajjar@gmail.com
- Security incidents and breach reports: jimish2104gajjar@gmail.com (24/7 monitored)
- BAA execution and sales inquiries: jimish2104gajjar@gmail.com
- Mailing address: Tendara Health, Inc. — HIPAA Compliance Officer, 535 Mission St, Suite 1400, San Francisco, CA 94105