HIPAA Notice

Our commitment to protecting your health information

Important Clarification: Elderisyn is not a "covered entity" or "business associate" as defined under the Health Insurance Portability and Accountability Act (HIPAA). As a consumer-facing caregiver support tool, we are not legally required to comply with HIPAA regulations. However, we voluntarily implement HIPAA-grade security safeguards because we believe your health-related information deserves the highest standard of protection.

Our Status Under HIPAA

HIPAA applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — and their "business associates." Elderisyn is a consumer technology product designed for caregiver use and does not fall into any of these categories.

This means that while HIPAA regulations do not legally apply to Elderisyn, we have chosen to voluntarily adopt security standards that meet or exceed HIPAA requirements for protecting health-related information. We do this because we believe it is the right thing to do.

Voluntary HIPAA-Grade Safeguards

We implement the following safeguards aligned with HIPAA's Security Rule standards:

Administrative Safeguards

  • Security management: We maintain a comprehensive security program with regular risk assessments and mitigation strategies.
  • Workforce security: Access to health-related data is restricted to authorized personnel only, with role-based access controls.
  • Information access management: We implement the principle of least privilege — employees access only the data necessary for their specific role.
  • Security awareness training: All team members receive regular training on security best practices and data handling procedures.
  • Security incident procedures: We maintain documented procedures for identifying, responding to, and mitigating security incidents.
  • Contingency planning: We maintain data backup, disaster recovery, and emergency operation plans.

Physical Safeguards

  • Facility access controls: Our cloud infrastructure providers maintain SOC 2 Type II compliance with strict physical access controls.
  • Workstation security: All devices used to access production systems are encrypted and managed with security policies.
  • Device and media controls: Strict procedures govern the disposal and reuse of electronic media containing health information.

Technical Safeguards

  • Access control: Unique user identification, automatic logoff, and encryption/decryption mechanisms protect data access.
  • Audit controls: All access to health-related data is logged with timestamps, user identification, and action taken.
  • Integrity controls: Mechanisms are in place to protect data from improper alteration or destruction.
  • Transmission security: All data transmission is encrypted using industry-standard protocols.

Encryption Standards

We employ the following encryption standards to protect your data:

  • Data in transit: TLS 1.2 or higher with strong cipher suites for all network communications.
  • Data at rest: AES-256 encryption for all health-related observations and personal information stored in our databases.
  • Backup encryption: All data backups are encrypted using AES-256 encryption.
  • Key management: Encryption keys are managed through secure key management services with regular rotation.

Audit Logging

We maintain comprehensive audit logs that record:

  • All access to health-related observation data
  • Data creation, modification, and deletion events
  • Authentication events (login, logout, failed attempts)
  • Administrative actions affecting data security
  • Report generation and data export events

Audit logs are retained for a minimum of six years and are protected against tampering.

Breach Notification

Although we are not legally required to follow HIPAA breach notification rules, we voluntarily commit to the following:

  • We will notify affected users within 72 hours of discovering a confirmed data breach involving health-related information.
  • Notification will include the nature of the breach, the types of information involved, steps we are taking, and recommendations for affected users.
  • We will cooperate fully with any regulatory investigations related to data security.

Your Rights

Regardless of our HIPAA status, we provide you with rights consistent with HIPAA's Privacy Rule:

  • Right to access: You can access all your observation data at any time through the app.
  • Right to amendment: You can request corrections to your recorded observations.
  • Right to an accounting of disclosures: You can request information about how your data has been shared.
  • Right to restriction: You can request restrictions on how your data is used.
  • Right to deletion: You can request complete deletion of your data.

Third-Party Service Providers

When we engage third-party service providers who may access health-related data, we require them to maintain security standards consistent with our own commitments. This includes executing data processing agreements that specify security requirements, use limitations, and breach notification obligations.

Continuous Improvement

We are committed to continuously improving our security practices. We regularly review and update our safeguards in response to evolving threats, industry best practices, and regulatory developments. Our goal is to exceed, not merely meet, the standards that protect your most sensitive information.

Contact Our Privacy Team

If you have questions about our HIPAA-grade safeguards or data protection practices, please contact: