# Workforce Confidentiality and Security Agreement
## Kinometric Balance Assessment Platform

**Effective Date:** February 2026

---

## Agreement

I, ________________________________ ("Workforce Member"), understand that in the course of my duties with Kinometric, I may have access to Protected Health Information (PHI) and other confidential information. I agree to the following terms as required by HIPAA (45 CFR 164.308(a)(3) and 164.310(b)):

---

## 1. Confidentiality of PHI

- I will **not** access, use, or disclose PHI except as required to perform my authorized job duties.
- I will **not** share patient information with anyone who does not have a legitimate need to know.
- I will **not** discuss patient information in public areas, on social media, or with unauthorized persons.
- I understand that PHI includes patient names, dates of birth, balance test results, questionnaire answers, and any information that could identify a patient.

## 2. System Access

- I will use **only my own** username and password to access the Kinometric system.
- I will **not** share my login credentials with anyone, including coworkers.
- I will use a **strong password** (minimum 8 characters, including at least one uppercase letter, one lowercase letter, and one number) and change it if I suspect it has been compromised.
- I will **log out** of the system when finished or stepping away from my workstation.
- I understand that my account activity is **logged and auditable**.

## 3. Device Security

- I will **not** store patient information on personal devices, USB drives, or cloud storage.
- If I use a mobile device with the Kinometric app, I will use a device passcode or biometric lock.
- I will **immediately report** a lost or stolen device that has accessed the Kinometric system.

## 4. Email and Communication

- I will **not** include patient names or identifiable information in email subject lines.
- I will send PHI only via the approved Kinometric email system (encrypted PDF attachments).
- I will verify recipient email addresses before sending any patient information.

## 5. Reporting Obligations

- I will **immediately report** any suspected security incident, breach, or unauthorized access to the Security Officer.
- Examples of reportable events:
  - Suspicious login attempts or unfamiliar account activity
  - Accidental disclosure of PHI to the wrong person
  - Phishing emails or suspicious links
  - Lost or stolen devices
  - Software behaving unexpectedly
- I understand that **prompt reporting is required** regardless of whether damage occurred.
- I will **not** attempt to investigate suspected breaches on my own.

## 6. Consequences of Violation

- I understand that violation of this agreement may result in:
  - Disciplinary action, up to and including termination
  - Revocation of system access
  - Civil and criminal penalties under HIPAA (fines up to $250,000 and imprisonment up to 10 years for knowing misuse)

## 7. Termination of Access

- Upon termination of my role, I will:
  - Return any devices or materials containing PHI
  - Confirm that no PHI remains on personal devices
  - Understand that my confidentiality obligations **continue indefinitely** after termination

## 8. Acknowledgment

I have read and understand this agreement. I have had the opportunity to ask questions. I agree to comply with all terms.

| Field | Entry |
|-------|-------|
| **Printed Name** | ________________________________ |
| **Signature** | ________________________________ |
| **Date** | ________________________________ |
| **Position/Role** | ________________________________ |
| **Witness Name** | ________________________________ |
| **Witness Signature** | ________________________________ |

---

*Retain signed copies for a minimum of 6 years per HIPAA documentation requirements (45 CFR 164.530(j)). Each workforce member with access to PHI must sign before being granted system access.*
