HIPAA Breach Notification Policy

Effective Date: February 2026

1. Purpose and Scope

This Breach Notification Policy ("Policy") establishes the procedures that Rymeda, Inc. ("Rymeda," "we," "us," or "our") follows to identify, assess, report, and mitigate breaches of unsecured Protected Health Information ("PHI") in compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HIPAA Breach Notification Rule at 45 CFR Part 164 Subpart D, the Health Information Technology for Economic and Clinical Health Act ("HITECH") at 42 USC §17932, and applicable state laws.

This Policy applies to all Rymeda workforce members (employees, contractors, and temporary staff), all subcontractors and subprocessors who create, receive, maintain, or transmit PHI on behalf of Rymeda (see Subprocessor List), and all PHI processed through the Rymeda platform, including clinical charts, clinical notes, voice recordings, AI-generated medical reports, billing records, insurance claims, and all associated metadata.

This Policy supplements the breach notification provisions of our Business Associate Agreement, Data Processing Agreement, and Incident Response Plan.

2. Definitions

  • Breach — The acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR §164.402. A breach is presumed to have occurred unless Rymeda demonstrates through the four-factor risk assessment (Section 3) that there is a low probability that the PHI has been compromised.
  • Unsecured PHI — Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of encryption or destruction methodologies specified in HHS guidance under 42 USC §17932(h) and 45 CFR §164.402. PHI encrypted with AES-256 and managed by per-tenant AWS KMS keys (as implemented by Rymeda) is considered secured and not subject to breach notification requirements, provided the encryption key has not also been compromised.
  • Security Incident — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR §164.304. Not all security incidents constitute breaches.
  • Discovery Date — A breach is considered "discovered" on the first day the breach is known to Rymeda, or by exercising reasonable diligence would have been known. Any Rymeda workforce member, contractor, or agent who becomes aware of a breach is deemed to have knowledge attributable to Rymeda. Discovery may occur through automated monitoring and alerting, audit log analysis (queried via the platform's audit log system), user reports, subprocessor notifications, or third-party notifications.
  • Covered Entity — The customer (healthcare provider or entity) that has executed a Business Associate Agreement with Rymeda.

3. Risk Assessment — Four-Factor Test

Upon discovery of a potential breach of unsecured PHI, Rymeda will conduct a risk assessment to determine whether there is a low probability that the PHI has been compromised. This assessment considers the four factors specified in 45 CFR §164.402(2):

Factor 1: Nature and Extent of the PHI Involved

Assessment of the types and amount of PHI involved, including whether the information includes direct identifiers (e.g., name, date of birth, Social Security number), clinical data (e.g., diagnoses, medications, SOAP notes, voice recordings, AI-generated reports), financial data (e.g., insurance information, billing records, CPT/ICD-10 codes), or other sensitive information. The assessment considers the data classification within the Rymeda platform: PHI/Restricted, PII/Confidential, Internal, or Public.

Factor 2: The Unauthorized Person Who Used the PHI or to Whom the Disclosure Was Made

Identification of the unauthorized individual or entity and assessment of whether the recipient is in a position to retain or further disclose the PHI. This includes assessing whether the recipient had existing obligations to protect PHI (e.g., another Covered Entity or Business Associate), whether the disclosure was to an authorized workforce member who exceeded their role-based access level, or whether the PHI was exposed to an external, unaffiliated party.

Factor 3: Whether the PHI Was Actually Acquired or Viewed

Determination of whether the PHI was actually acquired or viewed by the unauthorized person, or whether only the opportunity for acquisition or viewing existed. Rymeda's immutable audit trails log all data access events (user ID, role, timestamp, IP address, entity type, entity ID, and action performed), enabling forensic analysis to determine whether PHI was actually accessed. Audit log queries can be filtered by entity, user, date range, and action type.

Factor 4: The Extent to Which the Risk to the PHI Has Been Mitigated

Assessment of the mitigation actions taken, including whether the unauthorized recipient has returned or destroyed the PHI, whether the unauthorized recipient has provided satisfactory assurances that the PHI will not be further used or disclosed, whether access credentials have been revoked, and whether technical controls have been implemented to prevent recurrence.

The risk assessment must be completed within five (5) business days of discovery. If the risk assessment does not demonstrate a low probability of compromise, the incident is treated as a reportable breach and the notification procedures in Sections 4 through 6 are initiated. The risk assessment, its methodology, findings, and conclusion are documented and retained as part of the breach investigation file for a minimum of six (6) years (see Section 9).

4. Notification to Individuals

When a breach of unsecured PHI is confirmed, Rymeda will assist the Covered Entity in notifying affected individuals in accordance with 45 CFR §164.404, or, where Rymeda is directly responsible for notification, will notify individuals as follows:

4.1 Timeline

Notification to affected individuals must be provided without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the breach, in accordance with 45 CFR §164.404(b). Rymeda's internal target is to complete individual notification within forty-five (45) calendar days where feasible.

4.2 Content Requirements

The breach notification to individuals must include all of the following elements, as required by 45 CFR §164.404(c):

  • What happened: A brief description of the breach, including the date of the breach and the date of discovery.
  • Types of PHI involved: A description of the types of unsecured PHI involved in the breach (e.g., names, dates of birth, diagnoses, clinical notes, voice recordings, Social Security numbers, billing information).
  • Steps individuals should take: Steps the affected individuals should take to protect themselves from potential harm resulting from the breach (e.g., monitoring credit reports, placing fraud alerts, reviewing explanation of benefits statements).
  • What Rymeda is doing: A description of what Rymeda is doing to investigate the breach, mitigate harm, and prevent future breaches.
  • Contact information: Contact procedures for individuals to ask questions or obtain additional information, including a toll-free phone number, email address, and mailing address.

4.3 Method of Notification

Primary method: Written notification by first-class mail to the last known address of the affected individual. If the affected individual has agreed to receive electronic notifications and has not withdrawn that agreement, notification may be provided by email.

Substitute notice: If there is insufficient or out-of-date contact information for ten (10) or more individuals, substitute notice must be provided by either (a) a conspicuous posting on the Rymeda website for a period of ninety (90) days, or (b) notice in major print or broadcast media in geographic areas where affected individuals likely reside. Substitute notice must include a toll-free phone number active for ninety (90) days where individuals may learn whether their information was involved.

Urgent situations: If there is a possibility of imminent misuse, Rymeda may provide notice by telephone or other means in addition to written notice, in accordance with 45 CFR §164.404(d)(2).

5. Notification to the Department of Health and Human Services (HHS)

5.1 Breaches Affecting 500 or More Individuals

If a breach of unsecured PHI affects five hundred (500) or more individuals, notification to the Secretary of HHS must be provided without unreasonable delay and in no event later than sixty (60) calendar days from discovery of the breach. Notification is submitted through the HHS Breach Reporting Portal. This notification must be provided contemporaneously with individual notification (45 CFR §164.408(b)).

5.2 Breaches Affecting Fewer Than 500 Individuals

If a breach of unsecured PHI affects fewer than five hundred (500) individuals, notification to the Secretary of HHS must be provided through an annual breach log. The breach log must be submitted to HHS no later than sixty (60) days after the end of the calendar year in which the breach was discovered (by February 28 of the following year, or the next business day if February 28 falls on a weekend). The breach log must include all breaches discovered during the preceding calendar year (45 CFR §164.408(c)).

6. Notification to Media

If a breach of unsecured PHI affects five hundred (500) or more residents of a single state or jurisdiction, Rymeda (or the Covered Entity, as applicable) must provide notice to prominent media outlets serving that state or jurisdiction. Media notification must be provided without unreasonable delay and in no event later than sixty (60) calendar days from discovery of the breach (45 CFR §164.406). The content of the media notice must include the same elements required for individual notification (see Section 4.2).

7. California-Specific Notification Requirements

For breaches affecting California residents, Rymeda complies with both federal HIPAA requirements and California state breach notification laws. California imposes additional requirements that may result in shorter notification timelines and additional notification recipients.

7.1 SB 446 — California Data Breach Notification (Cal. Civ. Code §1798.82)

In addition to HIPAA notification, breaches involving California residents' personal information require notification under the California data breach notification statute. Key requirements:

  • Timeline: Notification to affected California residents must be provided without unreasonable delay, and no later than thirty (30) days after discovery of the breach (effective January 1, 2026 under SB 446).
  • California Attorney General: If a breach affects more than five hundred (500) California residents, notification must also be provided to the California Attorney General within the same thirty (30) day timeframe.
  • Required headings: The notification must include the following headings:
    • "What Happened?"
    • "What Information Was Involved?"
    • "What We Are Doing"
    • "What You Can Do"
    • "For More Information"
  • Identity theft protection: If the breach involves Social Security numbers, driver's license numbers, or California identification card numbers, Rymeda must offer affected individuals no less than twelve (12) months of identity theft prevention and mitigation services at no cost (Cal. Civ. Code §1798.82(d)(2)(G)).

7.2 HSC §1280.15 — Reporting to CDPH

For healthcare facilities subject to Cal. Health & Safety Code §1280.15, breaches involving unauthorized access, use, or disclosure of a patient's medical information must be reported to the California Department of Public Health (CDPH) within fifteen (15) business days of detection. The report must include a description of the breach, the number of patients affected, and the corrective actions taken.

7.3 CMIA — Confidentiality of Medical Information Act (Cal. Civ. Code §56.36)

Breaches involving medical information of California residents are additionally subject to notification requirements under the Confidentiality of Medical Information Act (CMIA). Under Cal. Civ. Code §56.36, any unauthorized disclosure of medical information requires notification to the affected patient. Penalties for negligent disclosure include statutory damages of $1,000 per patient; penalties for knowing and willful disclosure include statutory damages of $5,000 per patient.

7.4 California Dual-Track Timeline Summary

Notification                     | Legal Basis                        | Timeline                              | Trigger
---------------------------------|------------------------------------|---------------------------------------|-----------------------------------
Affected individuals (federal)   | 45 CFR §164.404                    | 60 days from discovery                | Breach of unsecured PHI
Affected CA residents            | Cal. Civ. Code §1798.82 (SB 446)   | 30 days from discovery                | Breach of personal information
California Attorney General      | Cal. Civ. Code §1798.82            | 30 days (500+ CA residents)           | Breach affecting 500+ CA residents
CDPH                             | Cal. HSC §1280.15                  | 15 business days                      | Breach of patient medical info
HHS Secretary                    | 45 CFR §164.408                    | 60 days (500+) / annual log (<500)    | Breach of unsecured PHI
Media                            | 45 CFR §164.406                    | 60 days (500+ in single state)        | Breach affecting 500+ in one state

8. Business Associate Notification to Covered Entity

When Rymeda discovers a breach or suspected breach of unsecured PHI affecting a Covered Entity's data, Rymeda will notify the Covered Entity in accordance with the Business Associate Agreement:

  • Timeline: Notification to the Covered Entity must be provided without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the breach, in accordance with 45 CFR §164.410 and the BAA.
  • Content: The notification to the Covered Entity must include:
    • The nature and extent of the breach, including the types of PHI involved.
    • Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, affected.
    • The date of the breach and the date of discovery.
    • A description of the investigation conducted and its findings.
    • Mitigation steps taken and proposed.
    • Contact information for the Rymeda Privacy Officer and Security Team.
  • Covered Entity responsibility: The Covered Entity remains responsible for providing notification to affected individuals, HHS, and media as required by 45 CFR §§164.404, 164.406, and 164.408. Rymeda will cooperate fully with the Covered Entity's notification efforts.

9. Documentation and Breach Log

Rymeda maintains comprehensive documentation of all breach incidents and near-misses, in accordance with 45 CFR §164.414(b) and the Rymeda Incident Response Plan.

9.1 Breach Log

Rymeda maintains a centralized breach log that records every confirmed or suspected breach, regardless of size. The breach log is reviewed quarterly by the Privacy Officer and is used to compile the annual breach report to HHS for incidents affecting fewer than 500 individuals. The breach log includes: incident ID, discovery date, breach date, description, PHI types involved, number of individuals affected, risk assessment outcome, notification dates and recipients, mitigation actions, and resolution status.

9.2 Investigation File

For each breach, Rymeda maintains a detailed investigation file containing: the incident report (created through the platform's compliance incident reporting system, which tracks incident type, severity, description, affected patients, status, assigned investigator, and resolution), the four-factor risk assessment and its conclusions, audit log exports and forensic evidence, notification correspondence, mitigation actions and their outcomes, root cause analysis, and corrective actions implemented.

Incident reports within the Rymeda platform track the following fields: incident type (safety, privacy_breach, complaint, near_miss, other), severity (low, medium, high, critical), description, affected patients, status (reported, triaging, investigating, resolved, closed), assigned investigator, resolution notes, and timestamps.

9.3 Retention

All breach documentation, including the breach log, risk assessments, investigation files, notification records, and audit log exports, must be retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, in accordance with 45 CFR §164.530(j). Audit logs supporting breach investigations are immutable, append-only records retained for the same minimum period.

10. Mitigation

Upon confirmation of a breach, Rymeda will take immediate steps to mitigate the harm caused by the breach and prevent future occurrences:

10.1 Containment

  • Isolate affected systems to prevent further unauthorized access or disclosure.
  • Revoke compromised access credentials and API keys.
  • Apply emergency patches or configuration changes as needed.
  • Increase monitoring and alerting on affected systems.
  • Preserve forensic evidence, including audit logs, system snapshots, and network captures.

10.2 Forensic Investigation

  • Conduct thorough root cause analysis using audit logs, system logs, and forensic imaging.
  • Determine the full scope of the breach — all affected records, systems, and individuals.
  • Identify the attack vector, vulnerability exploited, or process failure that enabled the breach.
  • Engage third-party forensic investigators for Severity 1 (critical) and Severity 2 (high) incidents as needed.

10.3 Remediation

  • Remediate the vulnerability or process failure that caused the breach.
  • Implement additional technical controls (e.g., access restrictions, enhanced monitoring, additional encryption).
  • Update policies, procedures, and training materials as necessary.
  • Conduct workforce re-training on HIPAA privacy and security requirements.
  • Perform access reviews to verify that all workforce members have appropriate access levels.

10.4 Re-Training

Following any breach caused by workforce error or policy violation, targeted re-training is provided to all affected workforce members. Re-training covers the specific area of non-compliance and is tracked through the platform's compliance training system, which records training requirements (by role and frequency), completion dates, attestation, and scores.

11. Law Enforcement Delay

If a law enforcement official determines that notification, notice, or posting required under the HIPAA Breach Notification Rule would impede a criminal investigation or cause damage to national security, Rymeda may delay notification as follows, in accordance with 45 CFR §164.412:

  • Written request: If the law enforcement official provides a written statement specifying the time period for the delay, notification will be delayed for the specified period.
  • Oral request: If the law enforcement official makes an oral request, notification will be delayed for no longer than thirty (30) days from the date of the oral request, unless a written statement is subsequently provided.

Upon expiration of the delay period, notification must be provided without further delay. The law enforcement delay request and compliance actions are documented in the breach investigation file.

12. Exceptions to Breach Definition

The following situations are specifically excluded from the definition of a "breach" under 45 CFR §164.402(1) and do not trigger notification obligations:

  • Unintentional access by workforce member: Any unintentional acquisition, access, or use of PHI by a workforce member acting under Rymeda's authority, if such access was made in good faith and within the scope of that person's authority, and the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule.
  • Inadvertent disclosure between authorized persons: Any inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same Covered Entity, Business Associate, or organized health care arrangement, and the information received is not further used or disclosed in a non-permitted manner.
  • Good faith belief of no retention: A disclosure in which Rymeda has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Even when an exception applies, the incident is documented in the breach log and incident report system for compliance tracking and trend analysis.

13. Workforce Responsibilities

All Rymeda workforce members, contractors, and agents are responsible for:

  • Immediate reporting: Reporting any known or suspected breach, security incident, or potential violation of HIPAA privacy or security rules to the Privacy Officer at legal@rymeda.com or the Security Team at security@rymeda.com immediately upon discovery. Reports may be made anonymously.
  • Cooperation: Cooperating fully with breach investigations, including providing information, preserving evidence, and making themselves available for interviews.
  • Confidentiality: Maintaining the confidentiality of breach investigation details and not disclosing information about ongoing investigations to unauthorized persons.
  • Non-retaliation: Rymeda prohibits retaliation against any workforce member who reports a suspected breach or cooperates with a breach investigation in good faith.

Failure to report a known or suspected breach or to cooperate with an investigation may result in disciplinary action, including termination.

14. Subprocessor Breach Obligations

All subprocessors engaged by Rymeda that create, receive, maintain, or transmit PHI are contractually required to report any breach or suspected breach to Rymeda without unreasonable delay. The Data Processing Agreement requires subprocessors to notify Rymeda within seventy-two (72) hours of becoming aware of a personal data breach. The Business Associate Agreement requires subcontractors handling PHI to agree in writing to the same restrictions and conditions that apply to Rymeda.

Current subprocessors with access to PHI or personal data include: Amazon Web Services (infrastructure), Stripe (payments), OpenAI (AI processing), Google (AI processing), ORIS (clinical AI), Resend (email), Plausible Analytics (website analytics — no PHI access), and MongoDB (database). See our Subprocessor List for current details and BAA status.

15. Sanctions and Penalties

Failure to comply with the HIPAA Breach Notification Rule may result in significant penalties:

  • Federal penalties: Civil monetary penalties ranging from $137 to $2,067,813 per violation, with an annual maximum of $2,067,813 for identical violations (adjusted annually for inflation), depending on the level of culpability (42 USC §1320d-5, as amended by HITECH). Criminal penalties for knowing violations may include fines up to $250,000 and imprisonment up to ten (10) years (42 USC §1320d-6).
  • California penalties: CMIA penalties of $1,000 per negligent disclosure and $5,000 per knowing and willful disclosure (Cal. Civ. Code §56.36). Additional penalties under Cal. Civ. Code §1798.82 for failure to notify.
  • State Attorney General enforcement: Under HITECH, state attorneys general may bring civil actions on behalf of state residents for HIPAA violations (42 USC §17939).

16. Policy Review and Updates

This Policy is reviewed and updated at least annually, and additionally whenever there are material changes to applicable law, regulations, or Rymeda's operations. All Rymeda workforce members are notified of material changes and are required to attest to their understanding of the updated Policy through the platform's compliance policy attestation system, which records the policy version, staff member, attestation date, and IP address.

This Policy is maintained by the Privacy Officer and approved by Rymeda executive leadership. Questions about this Policy should be directed to the Privacy Officer.

17. Contact Information

To report a breach or suspected breach, or for questions about this Policy:

This Policy should be read in conjunction with the Business Associate Agreement, Data Processing Agreement, Notice of Privacy Practices, Incident Response Plan, Privacy Policy, and Security page.