Amplifier Health - Information Privacy Policy
Policy Number: POL-SEC-001
Version: 1.0
Effective Date: October 7, 2025
Policy Owner: Chief Technology Officer / Security Officer
Approved By: Amit Mehta, CEO
1.0 Purpose and Scope
This Information Privacy Policy documents the principles, standards, and procedures that Amplifier Health, Inc. ("Amplifier," "we," "us," "our") follows to protect the confidentiality, integrity, and availability of all information it collects, creates, and maintains.
This policy applies to all Amplifier employees, contractors, and agents ("Workforce Members") and to all data, systems, and networks used in the course of business operations. The primary objective is to ensure compliance with our legal, regulatory, and contractual obligations, including the Health Insurance Portability and Accountability Act (HIPAA) and the trust services criteria of SOC 2.
This policy specifically governs the handling of Protected Health Information (PHI) and Personally Identifiable Information (PII).
2.0 Policy Statement
Amplifier Health is fundamentally committed to the highest standards of data privacy and security. We operate as a Business Associate to our healthcare partners ("Covered Entities") and are contractually and ethically bound to protect the sensitive information entrusted to us.
Our privacy program is guided by the following core principles:
- Lawfulness, Fairness, and Transparency: We will process all personal data lawfully and in a transparent manner.
- Purpose Limitation: We collect and use information only for the specific, explicit, and legitimate purposes outlined in our agreements with partners.
- Data Minimization: We adhere to the HIPAA "Minimum Necessary" standard, collecting and processing only the information required to fulfill our contractual duties.
- Accuracy: We take reasonable steps to ensure the accuracy of the data we maintain.
- Storage Limitation: We retain data only for as long as necessary to fulfill the purposes for which it was collected or as required by law and contractual agreements.
- Integrity and Confidentiality: We protect information against unauthorized or unlawful processing, accidental loss, destruction, or damage using robust technical and organizational measures.
3.0 Roles and Responsibilities
- Security Officer: Amplifier Health has a designated Security Officer who is responsible for the development, implementation, and enforcement of this policy and all related security procedures. The Security Officer is the primary point of contact for all privacy-related incidents and inquiries.
- Workforce Members: All Workforce Members are responsible for understanding and adhering to this policy in their daily activities. Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
4.0 Information Handling Procedures
4.1 Data Collection and Use
- All PHI is collected and processed only as permitted under a fully executed Business Associate Agreement (BAA) with a Covered Entity.
- Information will be used solely for the purposes of providing the Services as defined in our Master Services Agreements and Statements of Work, including treatment, payment, or healthcare operations as directed by the Covered Entity, and, where the applicable BAA permits it, for research under a valid IRB-approved protocol.
- Data used for internal analytics and model training is de-identified before use by removing the identifiers specified under the HIPAA Safe Harbor standard (or by Expert Determination), so that it no longer constitutes PHI.
4.2 Access Control
- Access to systems containing PHI and other confidential information is strictly managed based on the principle of least privilege and role-based access control (RBAC).
- Every user must have a unique User ID. Shared accounts are strictly prohibited.
- Multi-Factor Authentication (MFA) is mandatory for all Workforce Members and partner users accessing systems with sensitive data.
- Access rights are reviewed on a quarterly basis, revoked immediately upon termination of employment, and adjusted promptly upon a change in job function so that each Workforce Member retains only the access their current role requires.
4.3 Data Storage and Encryption
- Encryption in Transit: All data transmitted over public or private networks is encrypted using strong, industry-standard protocols (TLS 1.2 or higher).
- Encryption at Rest: All PHI and sensitive data stored in our databases, file systems, and backups is encrypted using AES-256 encryption.
4.4 Data Retention and Destruction
- We retain PHI and other data in accordance with our contractual agreements and applicable state and federal laws. Per HIPAA requirements, records such as audit logs will be retained for a minimum of six years.
- Upon termination of a contract, all original data received from that partner will be securely destroyed in accordance with the terms of the agreement. Destruction will be performed using cryptographic erasure (destroying the encryption keys under which the data was stored, which renders every copy encrypted under those keys, including backups, unrecoverable), and a formal certificate of destruction will be provided to the partner upon request.
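The following Go program is an added illustration of how the AES-256 encryption at rest in 4.3 and the cryptographic erasure in 4.4 fit together; it is not Amplifier Health's code. The KeyStore type, the per-partner key layout, and the sample record are assumptions made for the example: each partner's data is sealed with AES-256-GCM under that partner's own key, and destroying the key is what makes the stored ciphertext unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a KMS- or HSM-backed vault holding one 256-bit
// data-encryption key per partner (tenant). Hypothetical: the page does not
// describe the real key store.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]byte)}
}

// GenerateKey provisions a fresh random AES-256 key for partnerID.
func (ks *KeyStore) GenerateKey(partnerID string) error {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[partnerID] = key
	return nil
}

// Erase performs cryptographic erasure: the key is zeroized and removed, so
// every ciphertext produced under it (primary copies and backups alike) is
// permanently unrecoverable without having to locate and wipe the ciphertext.
func (ks *KeyStore) Erase(partnerID string) {
	if key, ok := ks.keys[partnerID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, partnerID)
	}
}

func (ks *KeyStore) aead(partnerID string) (cipher.AEAD, error) {
	key, ok := ks.keys[partnerID]
	if !ok {
		return nil, errors.New("no key for partner " + partnerID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM under the partner's key. The
// partner ID is bound as associated data, so a record cannot be opened in
// another tenant's context. Output layout is nonce || ciphertext || tag.
func (ks *KeyStore) Seal(partnerID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead(partnerID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(partnerID)), nil
}

// Open authenticates and decrypts a record produced by Seal.
func (ks *KeyStore) Open(partnerID string, sealed []byte) ([]byte, error) {
	gcm, err := ks.aead(partnerID)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(partnerID))
}

func main() {
	ks := NewKeyStore()
	_ = ks.GenerateKey("partner-a")
	// Constructed sample record, not real PHI.
	sealed, _ := ks.Seal("partner-a", []byte("MRN 000123; DOB 1970-01-01"))
	pt, err := ks.Open("partner-a", sealed)
	fmt.Printf("before erase: %q err=%v\n", pt, err)
	ks.Erase("partner-a")
	pt, err = ks.Open("partner-a", sealed)
	fmt.Printf("after erase:  %q err=%v\n", pt, err)
}
```

Two properties of this design matter for the policy text: because each partner has its own key, erasing one partner's key at contract end leaves every other partner's data intact, and because GCM authenticates the ciphertext together with the partner ID, a record that is tampered with or presented under the wrong tenant fails to open rather than yielding garbage.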
5.0 Individual Rights
As a Business Associate, Amplifier Health assists our Covered Entity partners in meeting their obligations to patients regarding their PHI. We will support our partners in fulfilling patient requests for:
- Access to PHI: Providing individuals with access to their PHI.
- Amendment of PHI: Accommodating requests to amend incorrect or incomplete information.
- Accounting of Disclosures: Providing a record of disclosures of an individual's PHI.
All such requests received by Amplifier Health will be promptly forwarded to the appropriate Covered Entity for handling.
6.0 Incident Response
Amplifier Health maintains a formal Incident Response Plan to address any potential data breach or security incident. In the event of a suspected breach of Unsecured PHI, we will:
- Execute our internal response plan to contain, investigate, and mitigate the incident.
- Notify the affected Covered Entity without unreasonable delay, and in no case later than the timeframe specified in our BAA (typically 5 business days).
- Cooperate fully with the Covered Entity to support their investigation and any required notifications to individuals or regulatory bodies like the Department of Health and Human Services.
7.0 Training and Awareness
All Amplifier Health Workforce Members are required to complete comprehensive HIPAA security and privacy training upon hiring and on an annual basis thereafter. Training records are maintained to document compliance.
8.0 Policy Review and Updates
This policy will be reviewed at least annually, or more frequently in response to significant changes in our business, technology, or the regulatory landscape.
Document History

| Version | Date | Author | Description of Change |
| --- | --- | --- | --- |
| 1.0 | October 7, 2025 | Chief Technology Officer | Initial Version |