Privacy & HIPAA Policy

Effective Date: May 14, 2026 — Version 2.0

MyMedAccess Inc. — 1050 NW 15th Street, Suite 201A, Boca Raton, FL 33486 — connect@mymedaccess.io

1. Introduction and Scope

MyMedAccess Inc. ("we," "our," or "us") operates a consumer-facing personal health record application (the "App" or "Service") that enables adult patients to securely aggregate, view, manage, and share their health information. The App retrieves records from healthcare providers and health plans via FHIR-based APIs and transmits them directly to the user's device. MyMedAccess does not persistently store PHI on its own servers, although limited technical metadata (such as session logs, device identifiers, and authentication credentials) is retained server-side as described in Section 3.3.

This Privacy & HIPAA Policy ("Policy") describes how we collect, use, maintain, disclose, and protect health information. It is intended to satisfy the requirements of:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and implementing regulations, including the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164);
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act;
  • The CARIN Alliance Code of Conduct for Consumer-Facing Applications (CARIN-CFA); and
  • Applicable state privacy and data protection laws.

In all uses and disclosures of your protected health information, we apply the minimum necessary standard as required by 45 C.F.R. § 164.502(b). Where state law provides greater privacy protections than HIPAA, the more protective standard shall apply.

2. Key Definitions

  • Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or business associate, including diagnosis codes, medication records, lab results, appointment history, and billing information.
  • Personal Health Data: Health-related information provided directly by the user, including manually logged symptoms, medications, fitness data, and other self-reported health information. Where such data constitutes PHI, it is treated as such under this Policy.
  • FHIR API: Fast Healthcare Interoperability Resources application programming interface, a standard used to retrieve electronic health records from healthcare providers and health plans in accordance with CMS interoperability rules.
  • Business Associate: A person or entity that performs functions on behalf of a covered entity involving the use or disclosure of PHI. MyMedAccess enters into Business Associate Agreements (BAAs) with all applicable third-party vendors.
  • Designated Record Set (DRS): Medical records and billing records maintained by a covered healthcare provider, and enrollment, payment, and case management records maintained by a health plan, used to make decisions about individuals.

3. Information We Collect

3.1 Information Retrieved via FHIR API

When you authorize MyMedAccess to connect to your healthcare provider or health plan, we may retrieve:

  • Clinical records (diagnoses, conditions, procedures, immunizations)
  • Medication history and prescriptions
  • Laboratory and diagnostic test results
  • Allergies and adverse reactions
  • Vital signs and biometric measurements
  • Care team and provider information
  • Health insurance and coverage information
  • Explanations of benefits (EOBs) and claims data

3.2 Information You Enter Directly

Users may optionally enter:

  • Symptoms, health observations, and personal notes
  • Over-the-counter medications and supplements
  • Fitness, nutrition, sleep, and lifestyle data
  • Emergency contact and caregiver information

3.3 Technical and Usage Information

We collect limited technical data necessary to operate the App securely, including:

  • Device identifiers and operating system information
  • App usage logs, session timestamps, and technical diagnostics
  • Authentication credentials (securely hashed; never stored in plaintext)
  • IP addresses and access timestamps for security and audit purposes

We do not collect data beyond what is necessary for the services you have authorized. We do not use tracking pixels, third-party advertising SDKs, or behavioral advertising technologies.

4. How We Use Your Information

We use the information we collect only for the following purposes:

  • Treatment Support: Displaying, organizing, and presenting your health records to you and authorized care team members you designate.
  • Healthcare Operations: Supporting administrative and operational functions necessary to provide the Service, including quality and security improvement.
  • Communication: Sending you notifications about your documents, provider messages, and important account updates.
  • Security: Maintaining audit trails, detecting unauthorized access, and protecting the integrity of your data.
  • User-Directed Sharing: Transmitting your health records to third parties you expressly designate (e.g., a specialist or family member), solely at your direction.
  • Compliance: Fulfilling our legal obligations under HIPAA, applicable state laws, and valid legal process.
  • De-identified Analytics: MyMedAccess does not currently produce de-identified analytics. We reserve the right to do so in the future, subject to compliance with HIPAA de-identification standards (45 C.F.R. § 164.514) and with prior notice to users as required by this Policy.

AI-Assisted Features: MyMedAccess uses artificial intelligence (including large language models via AWS Bedrock) to generate plain-language summaries of laboratory results. This feature is off by default. You must affirmatively opt in through the Privacy & Settings screen before any health data is shared with an AI service. You may opt out at any time. AI-generated summaries are informational only and do not constitute medical advice or clinical decisions. No automated decisions with legal or significant effects are made using AI without your explicit consent.

We do NOT use your PHI or personal health data for:

  • Targeted advertising or behavioral marketing
  • Sale to third parties for commercial purposes
  • Automated decision-making that produces legal or similarly significant effects without your explicit consent
  • Re-identification of de-identified data
  • Training AI or machine learning models without your explicit opt-in consent

5. Sharing Your Information

We do not sell, rent, or license your personal health information to any third party for any purpose. We may share your information only in the following limited circumstances:

  • With Your Consent: When you explicitly authorize sharing, such as generating a QR code to share records with a provider.
  • Third-Party Information in Your Records: When you share health records through the QR sharing flow, information about third parties mentioned in those records — including emergency contacts, family members, or other individuals referenced in clinical notes — may be visible to the receiving provider. Please review the contents of what you are sharing before initiating any transfer.
  • Authorized Providers: Healthcare providers you designate through the app's secure sharing features. Authorized providers may upload documents to your health record on your behalf. You will receive an in-app notification for each provider upload and retain full control to review, retain, or delete uploaded documents at any time. You may revoke provider access at any time through the Privacy & Settings screen.
  • Business Associates: Contracted vendors and service providers who perform functions on our behalf (e.g., cloud infrastructure, security services) under executed Business Associate Agreements that prohibit any use or disclosure inconsistent with this Policy.
  • Legal Requirements: When required by law, court order, or governmental regulation, or to protect the rights, safety, or property of our users and the public. We will notify you of such requests to the extent permitted by law.
  • Public Health and Safety: As permitted by HIPAA for public health activities, reporting communicable diseases, or to avert a serious and imminent threat to health or safety.
  • De-identified Information: If and when de-identified analytics are produced in the future, aggregate information that does not identify any individual may be shared for research, product improvement, or public health purposes, consistent with HIPAA de-identification standards.

5.1 Prohibited Disclosures

MyMedAccess strictly prohibits:

  • Sale of PHI or personal health data to any third party
  • Disclosure to employers, insurers, or financial institutions without explicit user consent
  • Disclosure to law enforcement beyond what is required by valid legal process
  • Any disclosure to third-party data brokers or advertising networks
  • Transfer of PHI to any entity that has not executed a BAA with MyMedAccess
  • Re-identification of de-identified data

5.2 Third-Party Vendor Obligations

All third-party vendors with access to PHI are contractually bound by Business Associate Agreements that: (a) restrict use and disclosure of PHI to permitted purposes; (b) require equivalent data security safeguards; (c) prohibit re-identification of de-identified data; and (d) require notification to MyMedAccess in the event of a breach.

6. Your Rights

Under HIPAA and applicable law, you have the following rights with respect to your health information:

6.1 Right to Access

All health records are accessible in-app at any time. You may request a copy of your health records through the App or by contacting connect@mymedaccess.io. Because MyMedAccess does not persistently store PHI on its servers, your health records remain with your healthcare providers and health plans and may be re-retrieved at any time through the App. For PHI held by covered entities, your right of access is governed by HIPAA and should be exercised directly with that provider or plan. All server-side data held by MyMedAccess — including audit logs, consent records, session data, and account credentials — remains accessible to you upon written request to connect@mymedaccess.io.

6.2 Right to Amendment / Correction

You may request correction of inaccurate or incomplete health data. OCR-extracted document fields and demographic fields are editable in-app. For data originating from external covered entities, we will assist you in identifying the source and directing your correction request to the appropriate covered entity. All edits are logged with before/after state in the AuditLog.

6.3 Right to Restrict Uses and Disclosures

You may request restrictions on how we use or disclose your PHI. We will honor such requests where required by law. Pursuant to HITECH § 13405(a) (45 C.F.R. § 164.522(a)(1)(vi)), if you pay for a healthcare item or service entirely out-of-pocket, you have the right to request that we restrict disclosure of that information to a health plan, and we are required by law to honor that request.

6.4 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by MyMedAccess for the six-year period prior to your request. All PHI access and sharing events are logged in the append-only AuditLog and available to you on request.

6.5 Right to Data Portability

You may export your complete health data from the App at any time as a FHIR R4 Bundle (JSON) or PDF, at no charge. Exports are provided within 5 business days. You may transmit your data to any third party of your choosing.

6.6 Right to Deletion

You may request deletion of your account and all associated data at any time via the in-app self-service account closure flow or by contacting connect@mymedaccess.io. We will process your request within 30 days and provide written confirmation. The User record is soft-deleted (not authenticatable, not visible in the App) to preserve the six-year HIPAA audit trail required by 45 C.F.R. § 164.530(j). Note: deletion from MyMedAccess does not delete records held by your healthcare providers or health plans.

6.7 Right to Withdraw Consent

You may withdraw consent for any optional data uses at any time through the Privacy & Settings screen or by contacting connect@mymedaccess.io, without penalty to your access to core features. Withdrawal of consent does not affect the lawfulness of prior processing. After withdrawal, we will cease the applicable use or disclosure within five (5) business days.

6.8 Right to Confidential Communications

You may request that we communicate with you through specific channels or at specific locations by contacting connect@mymedaccess.io.

6.9 Right to File a Complaint

You may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr at any time. We will not retaliate against any individual for filing a complaint.

7. Consent and Authorization

7.1 Informed Proactive Consent

MyMedAccess does not engage in default data sharing. Before we collect any personal data, you must affirmatively accept this Policy, our Terms of Use, and our HIPAA Authorization via separate checkboxes at registration. No bundled acceptance is permitted. Each consent is version-stamped with a UTC timestamp in the AuditLog. Consent requests clearly describe: (a) what data will be collected; (b) how it will be used; (c) with whom it may be shared; and (d) whether sharing is a condition of App use or optional. AI-assisted features require a separate opt-in and are disabled by default.

7.2 AI and Automated Decision-Making

AI-assisted features (including LLM-based lab summaries) require a separate, explicit opt-in before any health data is shared with an AI processing service. This feature is off by default. You may opt in or out at any time through the Privacy & Settings screen. No automated decisions with legal or significant effects are made without your explicit consent.

7.3 Marketing Opt-In

MyMedAccess does not currently send marketing communications. We will never use your PHI or personal health data for marketing or targeted advertising without your separate, explicit opt-in consent. If marketing communications are introduced in the future, a separate and explicit opt-in will be required — you will never be enrolled automatically. You may opt out at any time without affecting your access to core features.

7.4 Material Policy Changes

When we make material changes to this Policy, we will:

  • Notify you by email at least 30 days before the changes take effect
  • Display a persistent in-app notification during the notice period
  • On your next sign-in following the effective date, present a blocking in-app modal requiring your affirmative acceptance before you may continue using the Service
  • Provide a clear plain-language summary of what is changing and why

If you do not accept the updated Policy, you may export your data as a FHIR R4 Bundle or PDF, or close your account with deletion of all PHI processed within 30 days. Policy version number and re-acceptance UTC timestamp are recorded on the User record and in the AuditLog.

7.5 Children's Privacy (COPPA)

MyMedAccess is designed exclusively for adult users aged 18 and older. We do not knowingly permit users under 18 to register or use the Service. In compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., we do not knowingly collect personal information from children under 13. If you believe a user under 18 has registered, please contact us at connect@mymedaccess.io and we will promptly delete that information.

8. Data Security Safeguards

MyMedAccess implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and industry best practices, including:

  • Encryption at rest: AES-256 field-level encryption of all PHI columns in PostgreSQL (pgcrypto). All documents stored in AWS S3 use server-side AES-256 encryption (SSE-AES256).
  • Encryption in transit: TLS 1.3 for all data in transit. All API endpoints enforce HTTPS.
  • QR Code Security: AES-256-GCM encrypted, single-use, 60-second TTL tokens. No raw PHI in QR payloads.
  • Access Controls: Role-based access controls (RBAC) and least-privilege access principles. Multi-factor authentication (MFA) required for all user accounts.
  • Audit Logging: Append-only AuditLog with SHA-256 hash chain providing tamper-evident forensic capability. Every PHI access and mutation is logged with user, IP address, device fingerprint, and before/after state.
  • Infrastructure: MyMedAccess utilizes HIPAA-eligible cloud infrastructure and implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of user information. Our security program incorporates industry-standard security controls and risk management practices, including encryption, access controls, audit logging, vulnerability management, and incident response procedures. FHIR-retrieved PHI is pass-through only — not persistently stored server-side.
  • Risk Management: Regular security risk assessments consistent with 45 C.F.R. § 164.308(a)(1). Formal incident response and breach notification procedures.
  • Workforce Training: HIPAA privacy, security, and CARIN Code of Conduct training at onboarding and annually thereafter.

9. Breach Notification

In the event of a breach of unsecured PHI, MyMedAccess will comply with the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) and the HITECH Act (42 U.S.C. § 17932), including:

  • Notifying affected individuals without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach, or such shorter period as required by applicable state law, via email to their registered address and in-app notification;
  • Notifying the U.S. Department of Health and Human Services (HHS) as required;
  • For breaches affecting 500 or more individuals in a state, notifying prominent media outlets in that state within 60 days;
  • Providing a description of the breach, the types of information involved, steps individuals can take to protect themselves, and contact information for further assistance.

To report a suspected security incident or breach, contact us immediately at connect@mymedaccess.io.

10. Data Retention and Account Management

10.1 Active Accounts

MyMedAccess does not persistently store PHI on its servers. FHIR-retrieved health records are transmitted directly to your device and are not retained server-side after delivery. MyMedAccess retains audit logs, account credentials, and session data for a minimum of six (6) years as required by HIPAA (45 C.F.R. § 164.530(j)).

10.2 Dormant Accounts

An account is considered dormant after 12 consecutive months of inactivity. The following process applies:

  • 12 months inactive: Email notice with instructions to reactivate or close your account.
  • 18 months inactive: Account suspended. A second notice is sent.
  • 24 months inactive: Final deletion notice sent. Absent reactivation within 30 days, account credentials and all associated data are permanently deleted. Written confirmation of deletion is provided.

You may reactivate or request deletion at any time by contacting connect@mymedaccess.io.

10.3 Account Closure

You may close your account at any time via the in-app self-service flow or by contacting connect@mymedaccess.io. Upon account closure, all account credentials, session logs, and any server-side data held by MyMedAccess are securely deleted within 30 days with written confirmation provided. User-entered data stored on your device is removed when you delete the App.

10.4 Cessation of Operations

In the event MyMedAccess ceases operations, we will provide at least 30 days' advance notice to all registered users via email and in-app notification. Before operations conclude, every user will be provided the opportunity to: (a) export their personal health data as a FHIR R4 Bundle or PDF; or (b) request deletion of all account data, processed within 30 days with written confirmation. MyMedAccess will not transfer user data to any successor without first providing users these options.

10.5 Business Transfer or Acquisition

In the event of a merger, acquisition, or transfer of ownership, we will notify all registered users at least 30 days in advance via email and in-app notification. You will be provided with at least one of the following options: (a) continue using the Service under the successor entity, provided its privacy commitments are materially consistent with this Policy; (b) export your personal health data; or (c) close your account with deletion of all PHI processed within 30 days.

11. Data Provenance and Accuracy

MyMedAccess maintains records of the provenance of health data displayed in the App, including the source provider or health plan, the date of retrieval, and any modifications made within the App. We do not alter health data retrieved from provider systems; any notes or annotations are clearly attributed to the user.

We disclaim responsibility for the accuracy of records as maintained by third-party healthcare providers or health plans. If you believe your records contain an error, we will assist you in identifying the correct source and asserting your amendment rights with the applicable covered entity.

12. Certifications and Accreditations

MyMedAccess Inc. publishes all current certifications and accreditations on our Trust & Compliance page at mymedaccess.io/trust, including the issuing organization, issue date, and expiration date. Users are notified via in-app announcement when new accreditations are received.

13. Understanding Your Data Choices

MyMedAccess provides education about your personal data disclosure choices through multiple in-app surfaces:

  • Registration: Consent screens present plain-language explanations of what data is collected and how it is used before you agree.
  • QR Sharing: The sharing flow explains which data sections are being shared, to whom, and the security characteristics of the token (single-use, 60-second expiry, patient-controlled).
  • Settings: The Privacy & Settings screen provides a dedicated help section on your privacy choices, including AI opt-in, marketing preferences, and consent withdrawal, at any time.

For additional guidance on your health data rights, visit: HHS patient rights at hhs.gov/hipaa and CARIN Alliance patient resources at carinalliance.com.

14. Applicable Law and Regulatory Compliance

This Policy is designed to comply with, or voluntarily align with, as applicable:

  • HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164)
  • HIPAA Security Rule (45 C.F.R. Part 164, Subpart C)
  • HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D)
  • HITECH Act (42 U.S.C. § 17931 et seq.)
  • CMS Interoperability and Patient Access Final Rule (85 Fed. Reg. 25510)
  • ONC 21st Century Cures Act Final Rule
  • CARIN Alliance Code of Conduct for Consumer-Facing Applications
  • Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.
  • Applicable state health privacy laws

15. Designated Privacy & Compliance Officer

MyMedAccess Inc. has designated Michael Ajay Mangra, Founder and Privacy & Compliance Officer, as the individual publicly accountable for this Policy and applicable law. Users, regulators, the FTC, State Attorneys General, and the public may contact the Privacy Officer directly.

Michael Ajay Mangra, Privacy & Compliance Officer

Email: connect@mymedaccess.io

MyMedAccess Inc. | Attn: Privacy Officer | 1050 NW 15th Street, Suite 201A, Boca Raton, FL 33486

All complaints will be acknowledged within five (5) business days and resolved within 30 days, with escalation procedures for complex matters as described below.

Escalation Procedures: Complaints not resolved within 30 days, matters alleging a HIPAA violation, or circumstances requiring regulatory notification are escalated to MyMedAccess's designated HIPAA counsel. Where required by applicable law, the Privacy Officer will notify the U.S. Department of Health and Human Services Office for Civil Rights and any other applicable regulatory authority. We will not retaliate against any individual for filing a complaint.

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr at any time.

16. Contact Us

For questions, concerns, or requests regarding this Policy or your health information:

General Privacy Inquiries: connect@mymedaccess.io

Security Incidents: connect@mymedaccess.io

Web Support Form: mymedaccess.io/support

Mailing Address: MyMedAccess Inc. | Attn: Privacy Officer | 1050 NW 15th Street, Suite 201A, Boca Raton, FL 33486