HIPAA Compliance
PulseGuardian is built with privacy and security at its core. Learn how we protect your health data in accordance with HIPAA standards.
🔒 PulseGuardian is designed with HIPAA-aware security practices. We apply industry-leading safeguards to protect all health information stored and processed on our platform.
⚠ Important Notice: PulseGuardian is a wellness tracking platform, not a covered entity under HIPAA. However, we voluntarily apply HIPAA-aligned security practices to protect your health data to the highest standard.
1. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law enacted in 1996 that establishes national standards for the protection of sensitive patient health information.
HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
While PulseGuardian is a wellness platform and not a covered entity under HIPAA, we voluntarily adopt HIPAA-aligned security standards because we believe your health data deserves the highest level of protection available.
2. Our HIPAA-Aware Approach
PulseGuardian has built its entire platform with health data privacy as a foundational principle. Our HIPAA-aware approach means:
- We treat all health data entered by users as sensitive protected information
- We apply the same technical safeguards required of HIPAA-covered entities
- We never share, sell, or monetize your health information
- We limit access to health data strictly to what is needed to provide the Service
- We maintain detailed audit logs of all data access and modifications
- We train all staff on health data privacy and security best practices
🎯 Our goal is simple: to protect your health data as if it were our own. HIPAA is our minimum standard, not our ceiling.
3. Security Safeguards
We implement three categories of safeguards aligned with HIPAA Security Rule requirements:
Technical Safeguards
AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, automatic session timeouts, and role-based access controls.
Physical Safeguards
Data hosted in SOC 2 Type II certified data centers with controlled physical access, surveillance, and environmental controls.
Administrative Safeguards
Written security policies, regular staff training, designated security officer, risk assessments, and incident response procedures.
Audit Controls
Comprehensive audit logs tracking all data access, modifications, and exports. Logs are retained for a minimum of 6 years.
Access Controls
Unique user IDs, automatic logoff, Row Level Security ensuring that users can only access their own data, and the principle of least privilege.
Integrity Controls
Data integrity verification, backup systems, and disaster recovery procedures to prevent unauthorized alteration or destruction.
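The "Row Level Security ensuring users only access their own data" control above is a database-enforced check rather than an application-side filter. The following is an added illustration of what such a policy looks like on a Supabase-hosted Postgres database; it is not PulseGuardian's own schema or code. The table name `vital_signs`, its columns, and the policy names are assumptions; `auth.uid()`, the `authenticated` role, and the `ENABLE`/`FORCE ROW LEVEL SECURITY` statements are standard Supabase and Postgres features.

```sql
-- Added example, not PulseGuardian's code. Table and column names are assumed.
-- auth.uid() is Supabase's helper returning the calling user's id from the JWT.
create table if not exists vital_signs (
    id          bigint generated always as identity primary key,
    user_id     uuid not null default auth.uid(),
    recorded_at timestamptz not null default now(),
    heart_rate  integer,
    systolic    integer,
    diastolic   integer
);

-- Without ENABLE, every policy below is ignored and any role with table
-- grants can read every user's rows.
alter table vital_signs enable row level security;
-- FORCE also applies the policies to the table owner, which otherwise
-- bypasses RLS; relevant if the application connects as that role.
alter table vital_signs force row level security;

-- One policy per operation, each scoped to the caller's own rows.
create policy "owner can read own vitals"
    on vital_signs for select
    to authenticated
    using (user_id = auth.uid());

-- WITH CHECK governs the rows being written; USING alone would not stop a
-- user from inserting a row attributed to someone else's user_id.
create policy "owner can insert own vitals"
    on vital_signs for insert
    to authenticated
    with check (user_id = auth.uid());

create policy "owner can update own vitals"
    on vital_signs for update
    to authenticated
    using (user_id = auth.uid())
    with check (user_id = auth.uid());

create policy "owner can delete own vitals"
    on vital_signs for delete
    to authenticated
    using (user_id = auth.uid());

-- No policy is granted to the anon role, so unauthenticated requests see
-- no rows at all rather than an error, which is the intended default.
```

Two checks a reviewer of such a policy set would make: every write path (insert and update) carries a `with check` clause, not just `using`, so a user cannot create or move rows under another `user_id`; and any credential that carries the `bypassrls` attribute (the Supabase service role key, for instance) never leaves server-side code, because RLS does nothing for a caller that bypasses it.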
4. Protected Health Information (PHI)
PulseGuardian handles the following types of health-related data that we treat as sensitive protected information:
- Heart rate, blood pressure, and other vital sign measurements
- Sleep quality data and sleep session records
- Stress level measurements and monitoring data
- Medication names, dosages, and adherence records
- Health anomaly alerts and detection events
- AI-generated health insight reports
- Personal health goals and wellness preferences
All of the above data is encrypted, access-controlled, and never shared with third parties without your explicit consent.
5. Compliance Measures
Here is how PulseGuardian aligns with key HIPAA requirements:
| HIPAA Requirement | PulseGuardian Practice | Status |
|---|---|---|
| Data Encryption at Rest | AES-256 encryption on all stored health data | Implemented |
| Data Encryption in Transit | TLS 1.3 on all data transmissions | Implemented |
| Access Controls | Role-based access, Row Level Security, unique user IDs | Implemented |
| Audit Logs | Full audit trail of all data access and changes | Implemented |
| Automatic Session Timeout | Sessions expire after 30 minutes of inactivity | Implemented |
| Data Backup & Recovery | Daily encrypted backups with tested recovery procedures | Implemented |
| Risk Assessments | Regular security audits and vulnerability assessments | Implemented |
| Staff Training | All staff trained on health data privacy and security | Implemented |
| Business Associate Agreements | BAAs in place with all third-party vendors handling health data | HIPAA-Aware |
| Breach Notification | Users notified within 72 hours of any confirmed data breach | Implemented |
6. Third-Party Vendors
PulseGuardian works with a limited number of trusted third-party vendors to operate our platform. Each vendor that may access health data is carefully vetted and bound by strict data processing agreements:
- Supabase — Database hosting with SOC 2 Type II certification and encryption at rest
- OpenAI — AI health insight generation under enterprise data processing agreement (data not used for training)
- Stripe — Payment processing with PCI DSS Level 1 compliance (no health data shared)
- SendGrid — Transactional email delivery (only name and email shared, no health data)
We do not share health data with advertisers, data brokers, insurance companies, employers, or any other third party not listed above.
7. Data Breach Policy
In the unlikely event of a data breach involving health information, PulseGuardian will:
- Immediately contain and investigate the breach upon discovery
- Notify affected users within 72 hours of confirming the breach
- Provide clear information about what data was affected and what steps to take
- Report to relevant regulatory authorities as required by applicable law
- Take immediate steps to prevent future incidents
- Offer identity protection services if sensitive personal data was compromised
To report a suspected security vulnerability or breach, contact us immediately at security@pulseguardian.com.
8. Your Rights Regarding Health Data
You have the following rights regarding your health data stored on PulseGuardian:
- Right to Access: Download a complete copy of all your health data at any time from your account settings
- Right to Correct: Edit or correct any inaccurate health data entries
- Right to Delete: Request permanent deletion of all your health data at any time
- Right to Restrict: Limit how your health data is used within our platform
- Right to Portability: Export your health data in standard formats (CSV, JSON)
- Right to Object: Opt out of AI processing of your health data for insights
To exercise any of these rights, contact privacy@pulseguardian.com. We will respond within 30 days.
9. Contact Us
For questions about our HIPAA-aware practices or to report a security concern:
- Privacy inquiries: privacy@pulseguardian.com
- Security reports: security@pulseguardian.com
- General support: support@pulseguardian.com
- Company: PulseGuardian LLC