Exposure Watch HIPAA / BAA Position Statement
Effective date: June 15, 2026
Company: Exposure Watch, Inc.
Exposure Watch's standard product is designed to use public facility/operator records and public or third-party hazard data. The standard product is not designed to collect, create, receive, maintain, or transmit protected health information (PHI), patient records, resident-identifiable data, medical information, clinical information, or payment-for-care information.
Standard position
Exposure Watch does not sign a HIPAA Business Associate Agreement for the standard Service because the standard Service does not require PHI and customers are prohibited from submitting PHI.
Customer obligation
Customers must not submit PHI, patient records, resident names, medical information, clinical data, or other resident-identifiable data. If a customer believes a use case requires PHI, the customer must not use the standard Service for that use case unless Exposure Watch has separately agreed in writing and signed a BAA.
If PHI is submitted by mistake
If Exposure Watch discovers suspected PHI in the Service, it may delete, quarantine, or restrict the data and notify the customer administrator. The customer remains responsible for any unauthorized submission.
Product change warning
If Exposure Watch later adds features that intentionally process PHI, patient/resident names, clinical data, resident-level outreach data, or identifiable healthcare information, Exposure Watch will evaluate HIPAA obligations, implement appropriate policies and controls, and sign BAAs where required before enabling those features.