MDRXResolve LLC — HIPAA Compliance

HIPAA Compliance Statement

MDRXResolve LLC operates as a Business Associate under HIPAA and the HITECH Act. This statement describes our role, obligations, and the administrative, technical, and physical safeguards we maintain to protect Protected Health Information.

Effective Date: March 31, 2026 · Last Updated: March 31, 2026 · Governing Law: New York

Important: MDRXResolve LLC is a Business Associate, not a Covered Entity. We do not process individual HIPAA rights requests (access, amendment, accounting of disclosures) directly. Individuals should direct such requests to the applicable Covered Entity (e.g., their healthcare provider or health plan).

1. Our HIPAA Role

MDRXResolve LLC is a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 C.F.R. § 160.103, and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). As a Business Associate, we receive, create, maintain, and transmit Protected Health Information ("PHI") on behalf of Covered Entities solely for the purpose of providing private mediation platform services.

We are not a Covered Entity. We do not provide medical treatment, health plan administration, or healthcare clearinghouse services. Our HIPAA obligations arise exclusively from our status as a Business Associate and are governed by the Business Associate Agreements ("BAAs") we execute with each Covered Entity client and by the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E), Security Rule (45 C.F.R. Part 164, Subparts A and C), and Breach Notification Rule (45 C.F.R. Part 164, Subpart D), as amended by HITECH.

2. Business Associate Agreements

Before any PHI is transmitted to or processed by the Platform, we require each Covered Entity client to execute a Business Associate Agreement with MDRXResolve LLC. The BAA:

  • Specifies the permitted uses and disclosures of PHI by MDRXResolve
  • Establishes our obligations to safeguard PHI consistent with the HIPAA Security Rule
  • Requires us to report breaches of unsecured PHI to the Covered Entity
  • Requires us to impose the same obligations on any subcontractor that creates, receives, maintains, or transmits PHI on our behalf
  • Governs the return or destruction of PHI upon termination of the agreement

Organizations that wish to use MDRXResolve and qualify as Covered Entities must execute a BAA before uploading or transmitting any PHI through the Platform. The Platform includes a BAA workflow that must be completed and digitally signed by an authorized representative before dispute filing is enabled.

3. PHI We May Handle

In the course of facilitating healthcare business and employment dispute mediation, PHI on the Platform may include, but is not limited to:

  • Names, dates, contact information, and other direct identifiers of individuals referenced in a dispute
  • Medical record numbers, health plan beneficiary numbers, or account numbers associated with a dispute
  • Clinical notes, treatment records, diagnoses, or procedure information submitted as dispute exhibits
  • Billing records, remittance data, claim information, or coding documentation relevant to a dispute
  • Employment records that intersect with individually identifiable health information
  • Any other information that meets the definition of PHI under 45 C.F.R. § 160.103

We access and process PHI only to the minimum extent necessary to provide the services described in the applicable BAA, consistent with the HIPAA minimum-necessary standard (45 C.F.R. § 164.514(d)).

4. Permitted Uses and Disclosures of PHI

MDRXResolve uses and discloses PHI only as permitted or required by the applicable BAA and HIPAA. Permitted uses include:

  • Providing mediation platform services — case intake, document management, mediator assignment, scheduling, and secure communications — to the Covered Entity
  • Proper management and administration of MDRXResolve's operations, to the extent permitted by 45 C.F.R. § 164.504(e)(4)
  • Reporting violations of law to appropriate government authorities, as required by 45 C.F.R. § 164.504(e)(2)(ii)(C)
  • Disclosures required by law, including response to valid legal process, court orders, or government investigations

We do not: use or disclose PHI for marketing or advertising, sell PHI, use PHI for our own independent purposes unrelated to the services described in a BAA, or disclose PHI in any manner not authorized under HIPAA and the applicable BAA.

5. Administrative Safeguards

MDRXResolve maintains the following administrative safeguards consistent with 45 C.F.R. § 164.308:

  • A designated Security Officer responsible for developing and implementing our security policies and procedures
  • A formal risk analysis and risk management program to identify, assess, and mitigate risks to the confidentiality, integrity, and availability of PHI
  • Workforce access controls: role-based permissions limiting PHI access to personnel whose job functions require it
  • Workforce security training on HIPAA obligations and information security practices
  • A documented security incident and breach response procedure
  • Periodic evaluation of security policies to address changes in our environment and operations
  • Contractual controls requiring downstream subcontractors to comply with HIPAA Business Associate obligations

6. Technical Safeguards

MDRXResolve implements the following technical safeguards consistent with 45 C.F.R. § 164.312:

  • Encryption at rest: AES-256-GCM encryption for all stored data, including dispute records and documents, using an envelope encryption model (Platform Master Key → Organization Key Encryption Key, stored in Azure Key Vault → per-record Data Encryption Key).
  • Encryption in transit: TLS 1.2 or higher for all data transmitted between clients and the Platform and between the Platform and its infrastructure components.
  • Access controls: Unique user identification, automatic session timeouts, and role-based permissions ensuring users can access only the case information they are authorized to view.
  • Multi-factor authentication: TOTP-based MFA required for user accounts; Microsoft SSO with MFA enforcement where applicable.
  • Audit controls: Comprehensive audit logs recording all access, creation, modification, and deletion events related to PHI-containing records, with tamper-evident logging.
  • Integrity controls: Cryptographic hashing and access controls to prevent unauthorized alteration of PHI.

7. Physical Safeguards

PHI stored and processed on the Platform resides within Microsoft Azure cloud infrastructure. Microsoft Azure maintains comprehensive physical safeguards consistent with 45 C.F.R. § 164.310, including controlled facility access, environmental controls, and equipment disposal procedures. MDRXResolve has no direct access to Azure data center physical infrastructure; all physical security is managed by Microsoft under its Azure HIPAA BAA.

MDRXResolve personnel access the Platform exclusively through authenticated, encrypted connections. Workstation security policies require device encryption and screen lock for any device used to access PHI.

8. Breach Notification

In the event of a Breach of Unsecured PHI, as defined under 45 C.F.R. § 164.402, MDRXResolve will:

  • Notify the affected Covered Entity without unreasonable delay and no later than sixty (60) calendar days after discovery of the Breach, consistent with 45 C.F.R. § 164.410
  • Include in the notification: the date of the Breach (if known), the date of discovery, a description of the PHI involved, a description of what occurred, a description of steps taken to mitigate harm, and a description of steps taken to prevent future breaches
  • Cooperate with the Covered Entity's breach response, including providing any information reasonably necessary for the Covered Entity to fulfill its own notification obligations to affected individuals, the HHS Secretary, and the media as required by 45 C.F.R. §§ 164.404–164.408

Covered Entities retain responsibility for notifying affected individuals, the Secretary of Health and Human Services, and, where applicable, prominent media outlets, in accordance with the HIPAA Breach Notification Rule.

9. Subcontractors and Agents

Any subcontractor or agent engaged by MDRXResolve who creates, receives, maintains, or transmits PHI on our behalf is required to execute a Business Associate Agreement with MDRXResolve LLC before accessing any PHI. Such subcontractors are contractually bound to comply with all applicable HIPAA Privacy Rule and Security Rule requirements.

Current infrastructure subcontractors that may process PHI include:

  • Microsoft Azure — cloud computing, storage, and Azure Key Vault key management (covered under Microsoft's HIPAA BAA)
  • Neon — managed PostgreSQL database hosting
  • Resend — transactional email delivery (used for notifications; email content is limited to what is necessary for the service)

10. Data Retention and Destruction

PHI is retained for three (3) years following closure of the applicable dispute or termination of the governing BAA, whichever is later, unless the BAA specifies a different period or applicable law requires longer retention.

Upon expiration of the retention period, PHI is securely destroyed using methods that render it unrecoverable, including cryptographic erasure (destruction of encryption keys) for data stored in encrypted form, consistent with NIST SP 800-88 guidelines.

Where return or destruction of PHI is not feasible upon termination of a BAA, MDRXResolve will extend protections over PHI for as long as it is retained and will limit further use or disclosure to those purposes that make return or destruction infeasible, consistent with 45 C.F.R. § 164.504(e)(2)(ii)(J).

11. Individual Rights Under HIPAA

As a Business Associate, MDRXResolve does not independently fulfill HIPAA individual rights requests. Individuals seeking to exercise their rights under the HIPAA Privacy Rule — including the right of access (45 C.F.R. § 164.524), the right to amendment (45 C.F.R. § 164.526), or the right to an accounting of disclosures (45 C.F.R. § 164.528) — must direct those requests to the applicable Covered Entity.

MDRXResolve will assist Covered Entities in fulfilling individual rights requests as required by the applicable BAA and HIPAA.

12. Contact Our Privacy Officer

To report a potential HIPAA violation, a suspected breach of PHI, or for any HIPAA-related inquiries, please contact:

MDRXResolve LLC — Privacy & Security

New York, NY

onboarding@mdrxresolve.com

We treat all HIPAA-related reports as high-priority and will acknowledge receipt within two (2) business days.