HIPAA Security Officer Designation

Effective: March 8, 2026

1. Purpose

This document formally designates the HIPAA Security Officer for H33.ai, Inc. ("H33") in compliance with the Security Management Process standard under 45 CFR §164.308(a)(2). The HIPAA Security Rule requires that a covered entity or business associate designate a security official who is responsible for the development and implementation of policies and procedures required by the Security Rule.

This designation ensures that a single, accountable individual maintains oversight of H33's administrative, physical, and technical safeguards for electronic protected health information (ePHI) across all H33 systems and services, including H33-Vault, H33-Share, and supporting infrastructure.

2. Designation

The following individual is hereby designated as H33's HIPAA Security Officer:

Name: Eric Beans
Title: Chief Executive Officer / Chief Information Security Officer (CEO/CISO)
Effective Date: March 1, 2026
Contact: security@h33.ai
Organization: H33.ai, Inc.

This designation shall remain in effect until formally revoked or superseded by a subsequent written designation approved by the Board of Directors or the CEO.

3. Responsibilities

The Security Officer is responsible for the following functions under the HIPAA Security Rule:

  • Risk Assessments: Conducting and overseeing comprehensive risk analyses of all systems that create, receive, maintain, or transmit ePHI, as required by 45 CFR §164.308(a)(1)(ii)(A). This includes periodic reassessments triggered by significant changes to infrastructure, software, or threat landscape.
  • Workforce Training: Developing, implementing, and maintaining a security awareness and training program for all H33 workforce members, including employees, contractors, and temporary personnel, per 45 CFR §164.308(a)(5). Training must address H33's unique cryptographic architecture (FHE, ZKP, Dilithium signatures) and the handling of ePHI within encrypted processing pipelines.
  • Incident Response: Establishing and maintaining incident response and reporting procedures per 45 CFR §164.308(a)(6). This includes defining escalation paths, coordinating breach investigations, and ensuring timely notification to affected parties and regulatory bodies as required by 45 CFR §§164.404–164.410.
  • Business Associate Agreement Oversight: Reviewing and approving all Business Associate Agreements (BAAs) to ensure subcontractors and third-party service providers comply with HIPAA requirements. Maintaining a current inventory of all business associates with access to ePHI.
  • Policy Development and Review: Authoring, maintaining, and periodically reviewing all HIPAA security policies and procedures. Ensuring documentation is current, accessible to the workforce, and retained for a minimum of six (6) years as required by 45 CFR §164.316(b)(2).
  • Audit Liaison: Serving as the primary point of contact for internal and external audits, regulatory inquiries, and investigations by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Coordinating document production and corrective action plans as needed.

4. Authority

To fulfill the responsibilities outlined above, the Security Officer is granted the following authority:

  • Budget Allocation: Authority to request and allocate resources necessary for HIPAA compliance, including security tooling, training programs, third-party assessments, and incident response capabilities. Budget requests shall be submitted to the Board for approval in accordance with company financial policies.
  • Policy Enforcement: Authority to enforce HIPAA security policies across the organization, including the ability to mandate corrective actions, restrict system access, and implement emergency security measures when a threat to ePHI is identified.
  • Vendor Assessment Approval: Authority to approve or reject third-party vendors and subcontractors based on their ability to meet HIPAA security requirements. No vendor with access to ePHI may be onboarded without the Security Officer's written approval.
  • Breach Notification: Authority to initiate and coordinate breach notification procedures in accordance with 45 CFR §§164.404–164.410, including notifications to affected individuals, HHS, and media outlets where required. The Security Officer may engage legal counsel and forensic investigators as necessary.

5. Reporting

  • Board Reporting: The Security Officer reports directly to the Board of Directors on all matters related to HIPAA security compliance. Written status reports shall be provided no less than quarterly.
  • Quarterly Security Reviews: The Security Officer shall conduct quarterly reviews of the security program, covering incident trends, risk assessment updates, training completion rates, policy changes, and audit findings. Review summaries shall be documented and retained.
  • Annual Risk Assessment: A comprehensive, organization-wide risk assessment shall be completed annually, with findings and remediation plans presented to the Board. The assessment must evaluate administrative, physical, and technical safeguards across all ePHI-handling systems, including H33-Vault (FHE document validation), H33-Share (cross-bank fraud intelligence), Auth1 authentication services, and supporting AWS infrastructure (RDS PostgreSQL, ElastiCache Redis, Elastic Beanstalk).

6. Succession

In the event that the designated Security Officer is unavailable, incapacitated, or otherwise unable to perform the duties described herein, the Chief Technology Officer (CTO) shall assume interim responsibility for all HIPAA Security Officer functions. The interim designation shall remain in effect until the Security Officer returns to active duty or a permanent replacement is formally designated in writing.

The CTO shall maintain sufficient familiarity with H33's HIPAA security program to assume these responsibilities without material disruption. This includes access to current risk assessments, incident response runbooks, BAA inventories, and policy documentation.

7. Review Schedule

This designation document shall be reviewed and reaffirmed (or updated) on an annual basis. The next scheduled review is March 2027.

Interim reviews may be triggered by any of the following events:

  • Change in the designated Security Officer's role, responsibilities, or employment status
  • Significant organizational restructuring affecting security governance
  • Material changes to HIPAA regulations or HHS guidance
  • Findings from an audit or risk assessment that indicate a need for governance changes

Questions about this designation?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.