Legal

HIPAA Notice

Effective date: June 2, 2026

Tempo's Role Under HIPAA

Tempo Systems LLC d/b/a Tempo ("Tempo") operates as a HIPAA Business Associate ("BA") — not a covered entity. Tempo provides coding assistance services to medical practices (covered entities) and, in doing so, may create, receive, maintain, or transmit protected health information ("PHI") on behalf of those practices.

A signed Business Associate Agreement ("BAA") is a prerequisite for using Tempo's EMR-connected features. A BAA is required before Tempo may access or process your practice's PHI.

How We Handle Protected Health Information

Tempo uses PHI only as permitted under each signed BAA and HIPAA:

  • Performance of services. Tempo accesses encounter data, clinical notes, and payer information solely to generate CPT code recommendations for your practice.
  • Operations and treatment support. Tempo may use PHI for proper management and administration of its services, including technical support and security operations.
  • Legal obligations. Tempo may disclose PHI as required by law or to prevent serious harm.

Tempo does not sell PHI. Tempo does not use PHI to train AI models. Tempo does not disclose PHI to third parties except as required to perform services under the BAA or as required by law.

Safeguards We Maintain

Tempo implements administrative, physical, and technical safeguards as required by the HIPAA Security Rule:

  • Encryption. PHI is encrypted in transit (TLS 1.2+) and at rest.
  • Access controls. Role-based controls limit PHI access to personnel and systems that require it.
  • Audit logging. PHI access and modifications are logged with timestamps, user identity, and action type.
  • Subprocessor BAAs. Any vendor processing PHI on Tempo's behalf executes a BAA with Tempo.
  • Minimum necessary. Tempo accesses only the PHI required to perform the requested service.
  • Workforce training. Tempo personnel with PHI access receive HIPAA training.

Breach Notification

In the event of a breach of unsecured PHI, Tempo will notify the affected covered entity within the timeframe required by HIPAA and will provide all information required by 45 CFR § 164.410. The covered entity is responsible for notifying affected individuals, HHS, and media as required by the HIPAA Breach Notification Rule.

Key Subprocessors

PHI-processing subprocessors include cloud infrastructure, AI inference infrastructure, and authentication providers. All operate under a BAA with Tempo. A current list is available upon request.

Requesting a Business Associate Agreement

To request a BAA before using Tempo's PHI-processing features:

Tempo Systems LLC
Privacy Officer
privacy@gettempohealth.com

We typically respond to BAA requests within 2 business days.

Patient Rights

Tempo is a Business Associate and does not have a direct relationship with patients. For HIPAA rights — access, amendment, accounting of disclosures — contact your medical practice. Your practice is responsible for its own Notice of Privacy Practices.

Questions and Complaints

Tempo Systems LLC — Privacy Officer
privacy@gettempohealth.com

You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.