HIPAA Privacy and Security Policy

1. Our Role and Responsibilities

NuBridgeMD functions as a Business Associate under HIPAA for Covered Entities (e.g., NPs, PAs, and MDs) who are our platform subscribers to manage care. We do not practice medicine or provide clinical care. Our services support collaborations, documentation, and communication between healthcare providers.

We agree to:

• Safeguard PHI received or created on behalf of our users
• Only use or disclose PHI for purposes authorized by our users or as required by law
• Enter into Business Associate Agreements (BAAs) with Covered Entities upon request

2. Protected Health Information (PHI)

PHI includes any information related to a patient’s health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual and is transmitted or maintained electronically or otherwise.

Examples includes:

• Patient names
• Dates of birth
• Medical record numbers
• Diagnosis or treatment information
• Billing and payment information

3. How We Protect PHI

NuBridgeMD maintains appropriate administrative, physical, and technical safeguards to protect PHI, including:

A. Technical Safeguards

• Encrypted transmission of data using SSL/TLS protocols
• Secure cloud storage and database systems
• Multi-factor authentication (MFA) for user access
• Role-based access controls for internal personnel

B. Administrative Safeguards

• HIPAA training for NuBridgeMD personnel with access to PHI
• Regular audits of access logs and usage patterns
• Written policies and procedures regarding privacy and security
• Incident response protocols for breach detection and notification

C. Physical Safeguards

• Restricted physical access to systems and servers
• Secure disposal of physical or electronic media containing PHI

4. User Responsibilities

As a platform for licensed healthcare providers, NuBridgeMD expects all users (NPs, PAs, MDs) to:

• Use the platform only for lawful, HIPAA-compliant purposes
• Not share login credentials or allow unauthorized access
• Log out of the system when not in use
• Report any known or suspected breach of PHI to NuBridgeMD immediately

5. Breach Notification Policy

In the event of a security/breach incident, use, or disclosure of PHI:

• NuBridgeMD will conduct a risk assessment to determine the nature and extent of the breach
• Affected parties and the Department of Health and Human Services (HHS) will be notified in accordance with HIPAA Breach Notification Rules
• Users will receive timely updates regarding mitigation steps and corrective actions

6. Business Associate Agreements (BAA)

NuBridgeMD enters into Business Associate Agreements with Covered Entities to clarify roles, responsibilities, and obligations regarding PHI. These agreements outline:

• Permitted uses and disclosures
• Required safeguards
• Reporting obligations in the event of a breach

7. Data Retention and Destruction

We retain PHI only as long as necessary to fulfill legal, operational, and regulatory requirements. Upon termination of a user relationship, NuBridgeMD will:

• Return or securely destroy PHI, as requested, unless retention is required by law
• Provide confirmation of destruction upon request

8. Patient Rights

Although NuBridgeMD is not a Covered Entity, we support our users' efforts to fulfill patients' HIPAA rights, including:

• The right to access their health information
• The right to request corrections
• The right to an accounting of disclosures

9. Policy Updates

This HIPAA Policy will be updated periodically to reflect changes in technology, regulation, or service scope. Any updates will be posted with the revised effective date. Continued use of our services after updates constitutes acceptance.

10. Contact Information

For questions about our HIPAA Privacy and Security Policy, please contact our Privacy Officer at:

• NubridgeMD, LLC
• 6302 W Broadway St, Suite 130, Pearland, TX 77581
• Email: privacy@nubridgemd.com
• Phone: 832-501-0000