
HIPAA Business Associate Statement

Effective date: April 1, 2026  ·  Last updated: April 1, 2026

CobiCare is designed from the ground up for deployment in HIPAA-regulated environments. This notice explains how CobiCare handles Protected Health Information (PHI) when deployed by covered entities — hospitals, senior living operators, home care agencies, and other healthcare organisations — and the commitments we make as their Business Associate.

1. CobiCare's role under HIPAA

CobiCare, Inc. is a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164) and the HIPAA Security Rule. We are not ourselves a Covered Entity.

When a Covered Entity — such as a senior living community, home care agency, or health system — deploys the CobiCare platform, we handle PHI on their behalf as their Business Associate. Before any deployment, CobiCare and the Covered Entity enter into a Business Associate Agreement (BAA) that defines the scope of permitted uses and disclosures of PHI, our security obligations, and our breach notification responsibilities.

2. What PHI we process

The CobiCare platform processes PHI related to individual residents or clients in the care settings where it is deployed. This may include:

  • Ambient motion and gait data derived from depth-sensing, associated with an identified individual
  • Activity patterns, including room usage, rest periods, and mobility trends
  • Health-relevant observations generated by the AI (e.g. gait change alerts, fall-risk indicators)
  • Individual identifiers necessary to route insights to the correct care team members

By default, CobiCare uses depth-first sensing rather than RGB photographic imagery. The sensing modality produces point-cloud data representing shape and motion. RGB input is optional, disabled by default, and governed by deployment-specific configuration and agreements. Raw sensor data is processed on the device and is not transmitted to CobiCare infrastructure in identifiable form.

3. Permitted uses and disclosures of PHI

CobiCare uses and discloses PHI only as permitted by the applicable BAA and HIPAA, including:

  • Treatment: Delivering insights to care teams to support ongoing care decisions
  • Operations: Providing the platform services contracted by the Covered Entity, including system monitoring, maintenance, and support
  • As required by law: Responding to valid legal process, government investigations, or regulatory requirements
  • For our own operations: Using de-identified or aggregated data (in accordance with 45 CFR §164.514) to improve the platform, subject to BAA restrictions

CobiCare will not use or disclose PHI in any manner that is not permitted under the applicable BAA and HIPAA without the prior written authorisation of the Covered Entity.

4. Safeguards

CobiCare implements administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic PHI (ePHI):

  • On-device processing: Raw depth data is processed locally on the CobiCare Sense device. Identifiable data is not transmitted in raw form.
  • Encryption in transit: All data transmitted between the device and CobiCare systems is encrypted using TLS 1.2 or higher.
  • Encryption at rest: ePHI stored in CobiCare systems is encrypted at rest using AES-256 or equivalent.
  • Access controls: Access to PHI is restricted to personnel with a demonstrated need to know, enforced through role-based access controls and multi-factor authentication.
  • Audit logging: Access to ePHI is logged and auditable.
  • Subcontractor management: CobiCare requires any subcontractors that handle ePHI on our behalf to enter into BAAs consistent with our own obligations.
  • Workforce training: CobiCare personnel with access to ePHI receive regular HIPAA training.

5. Breach notification

CobiCare follows the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). In the event of a breach of unsecured PHI, we will:

  • Notify the applicable Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery of the breach
  • Provide the information required under 45 CFR §164.410, including the nature of the breach, the PHI involved, and steps individuals may take to protect themselves
  • Cooperate fully with the Covered Entity's breach response and any required notifications to affected individuals and the U.S. Department of Health and Human Services (HHS)

6. Individual rights

HIPAA grants individuals certain rights over their PHI. As a Business Associate, CobiCare does not process individual rights requests directly — these are handled by the Covered Entity (e.g. the senior living community or home care agency deploying CobiCare). The Covered Entity may direct CobiCare to provide access to PHI, amend records, or account for disclosures in accordance with our BAA obligations.

If you are an individual seeking to exercise your HIPAA rights, please contact the Covered Entity (your care provider or facility) directly.

7. Minimum necessary standard

CobiCare applies the minimum necessary standard when using or disclosing PHI, limiting access to only the PHI required to fulfil the specific purpose of the use or disclosure.

8. FHIR R4 integration

The CobiCare platform is designed to interoperate with electronic health record systems via HL7 FHIR R4 APIs. FHIR-based data exchanges are subject to the same HIPAA safeguards described above and are governed by the applicable BAA between CobiCare and the Covered Entity.

9. Entering into a Business Associate Agreement

Covered Entities deploying CobiCare must execute a Business Associate Agreement prior to platform activation. To request a BAA or discuss HIPAA compliance requirements for your organisation, contact:

CobiCare, Inc.
compliance@cobicare.ai

10. Questions and complaints

For questions about CobiCare's HIPAA practices, contact compliance@cobicare.ai.

Individuals who believe their HIPAA rights have been violated may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

  • Online: hhs.gov/hipaa/filing-a-complaint
  • Phone: 1-800-368-1019

CobiCare will not retaliate against any individual for filing a complaint.

11. Updates to this notice

CobiCare reserves the right to update this HIPAA Business Associate Statement at any time. Changes take effect upon posting to this page. We will communicate material changes to Covered Entities with active deployments.

© 2026 CobiCare · Ambient AI for Senior Care.