HIPAA Compliance

Last Updated: April 9, 2026

1. Introduction and Scope

Volumetryx Inc. ("Volumetryx", "we", "us", "our") is committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule, when acting as a Business Associate processing Protected Health Information (PHI) on behalf of Covered Entities.

HIPAA requirements apply to Volumetryx when processing Protected Health Information (PHI) under an executed Business Associate Agreement (BAA) with a Covered Entity.

Our primary service involves the processing of De-identified Data. When we handle individually identifiable PHI — typically received from clients for the purpose of de-identification — we adhere strictly to HIPAA requirements and the terms of executed Business Associate Agreements (BAAs).

2. Understanding Protected Health Information (PHI)

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. PHI includes any information that can be used to identify an individual in connection with their health condition, provision of healthcare, or payment for healthcare.

The following are the 18 HIPAA identifiers that, when associated with health information, constitute PHI:

• Names
• Geographic data smaller than a state (street address, city, county, zip code)
• Dates (except year) directly related to an individual (birth date, admission date, discharge date, date of death)
• Phone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate or license numbers
• Vehicle identifiers and serial numbers (including license plate numbers)
• Device identifiers and serial numbers
• Web URLs
• IP addresses
• Biometric identifiers (fingerprints, voiceprints)
• Full-face photographs and comparable images
• Any other unique identifying number, characteristic, or code

3. Commitment and Applicability

Volumetryx maintains full compliance with HIPAA regulations when operating as a Business Associate under executed Business Associate Agreements with Covered Entities. This commitment extends to all workforce members, including employees, contractors, and any individuals with access to PHI in the course of performing work for Volumetryx.

Violation of this policy or HIPAA regulations by any workforce member may result in disciplinary action, up to and including termination of employment or contract, in addition to any civil or criminal penalties imposed under HIPAA.

Volumetryx reserves the right to amend this policy at any time to remain compliant with changes to HIPAA regulations or other applicable laws and regulatory requirements.

4. Key Responsibilities and Procedures

I. HIPAA Privacy and Security Officer

Volumetryx has designated a HIPAA Privacy and Security Officer responsible for the development, implementation, and maintenance of the HIPAA compliance program. The Officer oversees all aspects of privacy and security policy, workforce training, incident response, and regulatory reporting. For inquiries or concerns, contact: contact@volumetryx.ai

II. Incident Response

Volumetryx maintains a comprehensive incident response plan for addressing security incidents involving PHI. This includes procedures for:

• Prompt detection and identification of security incidents
• Investigation of the nature, scope, and cause of incidents
• Mitigation of harmful effects and prevention of recurrence
• Assessment of whether an incident constitutes a reportable breach
• Notification to the applicable Covered Entity in accordance with BAA terms and HIPAA requirements

III. Workforce Training

All team members complete HIPAA awareness training and follow documented privacy and security procedures. Additional training is provided following any significant changes to HIPAA policies or procedures. Training covers the Privacy Rule, Security Rule, Breach Notification Rule, and organizational policies relevant to each individual's role and access to PHI.

IV. Safeguards

Volumetryx implements a comprehensive set of safeguards to protect PHI:

Technical Safeguards:

• Access controls — unique user identification, automatic logoff, encryption and decryption
• Encryption of PHI in transit and at rest using industry-standard protocols
• Audit logs and controls to record and examine access and activity in systems containing PHI
• Network monitoring and security controls

Physical Safeguards:

• Cloud infrastructure hosted in SOC 2 certified data centers with restricted access controls
• Physical access controls for facilities and workstations that store or process PHI

Administrative Safeguards:

• Security management processes including risk analysis and risk management
• Workforce training and security awareness programs
• Incident response and reporting procedures
• Contingency planning including data backup, disaster recovery, and emergency operations
• Business Associate Agreements (BAAs) with all subcontractors who may access PHI

V. Complaints

Any individual who believes their privacy rights have been violated may lodge a complaint with the Volumetryx HIPAA Privacy Officer at contact@volumetryx.ai, or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

VI. No Retaliation

Volumetryx prohibits retaliation against any individual who exercises their rights under HIPAA, files a complaint, participates in an investigation, or opposes any act or practice that they reasonably believe violates HIPAA regulations.

VII. Documentation

Volumetryx maintains all HIPAA-related policies, procedures, communications, actions, activities, and assessments in written or electronic form. All documentation is retained for a minimum of six (6) years from the date of its creation or the date it was last in effect, whichever is later, as required by HIPAA.

5. Use and Disclosure of PHI

I. Limited Access

Access to PHI is restricted to workforce members who require it to perform their designated functions. Volumetryx applies the "minimum necessary" standard, ensuring that only the minimum amount of PHI necessary to accomplish the intended purpose is used, disclosed, or requested.

II. Permitted Uses

Volumetryx uses and discloses PHI only as permitted or required by the terms of executed Business Associate Agreements and in compliance with HIPAA. PHI is used solely for the purposes specified in the applicable BAA, including treatment, payment, healthcare operations, and de-identification services.

III. Minimum Necessary Standard

When using, disclosing, or requesting PHI, Volumetryx makes reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard applies to all internal uses, routine and non-routine disclosures, and requests for PHI from other entities.

IV. Disclosures to Subcontractors

Volumetryx requires all subcontractors who may create, receive, maintain, or transmit PHI on our behalf to enter into Business Associate Agreements. These agreements ensure that subcontractors implement appropriate safeguards and comply with applicable HIPAA requirements.

V. De-identification

De-identification is a core component of Volumetryx's services. We employ two HIPAA-approved methods for de-identification:

Safe Harbor Method: Removal of all 18 HIPAA identifiers listed in Section 2, with no actual knowledge that the remaining information could be used to identify an individual.

Expert Determination Method: A qualified statistician determines, using generally accepted statistical and scientific principles, that the risk of identifying an individual from the data is very small. The methods and results are documented.

Once data has been properly de-identified using either method, it is no longer considered PHI and is not subject to HIPAA regulations.

6. PHI Breach Reporting Obligations

Volumetryx maintains procedures for detecting, investigating, and documenting potential breaches of unsecured PHI. In the event of a confirmed breach, Volumetryx will:

• Conduct a thorough investigation to determine the nature and extent of the breach
• Notify the applicable Covered Entity without unreasonable delay, and no later than sixty (60) days after discovery of the breach
• Include in the notification all required details: the nature of the breach, the types of PHI involved, steps individuals should take to protect themselves, what Volumetryx is doing to investigate and mitigate the breach, and contact procedures for further information
• Cooperate fully with the Covered Entity's investigation and response efforts, including providing any information or assistance necessary for the Covered Entity to meet its own notification obligations under HIPAA

7. Contact Information

For questions or concerns regarding our HIPAA compliance practices, please contact:

HIPAA Privacy and Security Officer, Volumetryx Inc.
Volumetryx Inc., Montreal, QC, Canada
contact@volumetryx.ai