HIPAA | HITECH Compliance Statement
In compliance with the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act regulations and principles (collectively “HIPAA”), Cadwell Industries, Inc. is committed to maintaining the confidentiality, integrity, and availability of all protected health information (“PHI”) we create, receive, maintain, or transmit on behalf of our customers. We conduct annual, enterprise-wide security risk assessments to identify and mitigate vulnerabilities across all systems and medical devices. We have appointed a dedicated Compliance Officer and Security Officer to oversee PHI compliance initiatives and staff training. All employees undergo mandatory annual HIPAA awareness training, covering phishing, incident reporting, and the handling of sensitive health data. Physical access to servers and production areas is strictly controlled through monitored security. We enter into formal BAAs with customers and subcontractors defining responsibilities for safeguarding PHI, and maintain incident response procedures aligned with HIPAA requirements.
Cadwell equipment and software are capable of being used in compliance with HIPAA so that PHI can be collected, utilized and safeguarded in a HIPAA-compliant manner. Cadwell’s software architecture includes log-in authentication for user access, provisions for unique user IDs, allowance for multi-factor authentication, various database audit logging, data integrity systems and verified backups, entity authentication programs, digital certificates, and data encryption, all of which support HIPAA-compliant use.
Clinicians use Cadwell equipment to collect PHI; however, Cadwell does not host, store or retain PHI on behalf of clinicians when software is hosted in a customer’s own data center. All collected PHI remains under the control of the equipment/software user and the network host for the network into which the equipment is integrated.
When utilized, Cadwell’s CadLink Anywhere™ cloud service uses a secure third-party data storage solution. These third-party storage facilities are HIPAA compliant and data passing to and from these facilities is encrypted.
In the event equipment containing PHI is sent back to Cadwell for service, Cadwell follows annually-reviewed and audited HIPAA-compliant procedures (“Internal Procedures”) to safeguard PHI and prevent all unauthorized disclosures while in Cadwell’s care. All Cadwell employees are trained annually on the HIPAA Internal Procedures.
Effective date: January 14, 2026