HIPAA Compliance Statement
Bariatric AI ("Bariatric AI") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable implementing regulations (collectively, "HIPAA").
Business Associate role. When a HIPAA-regulated covered entity (such as a clinic, hospital, or qualified provider) uses the Services to process PHI, Bariatric AI acts as a Business Associate and operates under an executed Business Associate Agreement ("BAA").
1. Scope
This statement applies to PHI processed by Bariatric AI on behalf of U.S. covered entities. It does not, by itself, create a BAA. A signed BAA is required before any PHI is processed by the Services.
2. Administrative Safeguards
- Designated HIPAA Privacy Officer and Security Officer.
- Documented policies and procedures covering workforce training, access management, incident response, and sanction policy.
- Annual security risk analysis and risk management process aligned to NIST SP 800-66 / 800-53 controls (as applicable).
- Background checks for workforce members with access to PHI, where permitted by law.
- Vendor / subcontractor management with downstream BAAs where required.
3. Physical Safeguards
- PHI hosted in SOC 2 / ISO 27001 certified data centers operated by HIPAA-aligned cloud providers.
- Restricted facility access, environmental controls, and media-handling procedures handled by the underlying cloud provider.
- Workstation use and device controls, including encrypted endpoints and MDM for workforce members.
4. Technical Safeguards
Encryption in transit
TLS 1.2+ for all client-server communication.
Encryption at rest
AES-256 for stored PHI, including database and backups.
Access control
Role-based access, principle of least privilege, MFA for administrative access.
Audit logging
Tamper-evident logs of access to PHI, retained per policy.
Integrity controls
Mechanisms to detect unauthorized alteration of PHI.
Automatic logoff
Session timeouts for inactivity on clinical interfaces.
5. AI Models & PHI
Our AI agents process PHI only as necessary to deliver the Services to the covered entity and its authorized users. We:
- Use AI inference providers under agreements that prohibit model training on customer PHI.
- Apply data-minimization to inputs sent to external models, including de-identification where feasible.
- Maintain audit trails of agent interactions involving PHI.
6. Breach Notification
If Bariatric AI discovers a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and no later than [60] days after discovery, in accordance with 45 C.F.R. § 164.410 and the terms of the applicable BAA.
7. Patient Rights
HIPAA grants patients rights over their PHI, including the right to access, request amendment, obtain an accounting of disclosures, and request restrictions. To exercise these rights, patients should contact their treating clinic, which acts as the covered entity. Bariatric AI supports clinics in responding to such requests.
8. Subcontractors
Bariatric AI executes BAAs with subcontractors that may create, receive, maintain, or transmit PHI on our behalf. A current list of subprocessors that may handle PHI is available upon request at legal@bariatricai.io.
9. Workforce Training
All workforce members complete HIPAA Privacy and Security training upon hire and at least annually thereafter. Additional role-specific training is provided to engineers, support, and clinical-operations staff with access to PHI.
10. Incident Response
We maintain a documented incident-response plan covering detection, containment, eradication, recovery, post-incident review, and notification obligations. Tabletop exercises are performed at least annually.
11. Limitations
This statement describes our HIPAA-related practices in general terms and is not a contractual commitment. Specific obligations are governed by the executed BAA between Bariatric AI and the covered entity.
12. Requesting a BAA
To request a Business Associate Agreement or learn more about our compliance program, contact:
Bariatric AI
Attn: HIPAA Compliance
Buenos Aires, Argentina
Email: legal@bariatricai.io
This document is a wireframe placeholder. Final wording, certifications, and attestations must be reviewed and approved by qualified legal counsel and your security / compliance team before publication.