HIPAA Compliance

Our HIPAA Commitment

GenomOncology, LLC ("we," "us," or "our") is committed to ensuring that Advocate meets and exceeds the requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA). We understand that the health information you entrust to us is among your most sensitive personal data, and we treat it with the utmost care and security.

Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for the protection of sensitive patient health information. HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates.

Key HIPAA Components

• Privacy Rule: Establishes standards for how PHI can be used and disclosed, and gives patients rights over their health information
• Security Rule: Sets national standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards
• Breach Notification Rule: Requires notification to affected individuals, HHS, and sometimes media following a breach of unsecured PHI
• Enforcement Rule: Establishes civil and criminal penalties for HIPAA violations
• Omnibus Rule: Extended HIPAA requirements to business associates and strengthened privacy protections

What is Protected Health Information (PHI)?

PHI is any individually identifiable health information that relates to:

• An individual's past, present, or future physical or mental health condition
• The provision of healthcare to an individual
• Past, present, or future payment for healthcare services

PHI in Advocate

Examples of PHI that may be stored and processed in Advocate include:

• Patient Identifiers:
  • Patient name, date of birth, gender
  • Medical record numbers
  • Contact information
• Medical Information:
  • Diagnoses and medical conditions
  • Medications, dosages, and schedules
  • Allergies and adverse reactions
  • Treatment plans and care notes
• Health Metrics:
  • Vital signs (blood pressure, heart rate, temperature, SpO2)
  • Food and fluid intake records
  • Bathroom activity logs
  • Catheter care records
  • Physical and occupational therapy exercises
  • Mental health observations
• Care Coordination Data:
  • Appointments and schedules
  • Care team communications
  • Health summaries and reports

Administrative Safeguards

We implement comprehensive administrative measures to ensure HIPAA compliance:

Security Management

• Designated Officers: Appointed Privacy Officer and Security Officer responsible for HIPAA compliance
• Risk Analysis: Regular risk assessments to identify and address potential vulnerabilities
• Risk Management: Documented security measures to reduce risks to appropriate levels
• Sanction Policy: Disciplinary actions for workforce members who violate security policies

Policies and Procedures

• Comprehensive written policies and procedures for handling PHI
• Regular review and updates to policies (at least annually)
• Documentation of all security-related actions and decisions
• Incident response and breach notification procedures

Workforce Security

• Background Checks: Appropriate screening for workforce members with PHI access
• Access Authorization: Formal procedures for granting PHI access
• Access Termination: Immediate termination of access upon role change or separation
• Security Training: All workforce members complete HIPAA training upon hire and annually thereafter

Security Awareness Training

• Initial HIPAA training for all new workforce members
• Annual refresher training on privacy and security practices
• Role-specific training for workforce members with elevated PHI access
• Ongoing security awareness programs addressing emerging threats
• Phishing awareness and social engineering training

Physical Safeguards

We protect the physical infrastructure that stores and processes ePHI:

Facility Access Controls

• Data Center Security: Our cloud infrastructure providers maintain SOC 2 Type II certified data centers with:
  • 24/7 security personnel and surveillance
  • Biometric access controls
  • Mantrap entries
  • Visitor logs and escort requirements
• Environmental Controls: Protection against environmental threats including fire suppression, climate control, and redundant power

Workstation and Device Security

• Policies for secure workstation use
• Automatic screen locks and session timeouts
• Encryption of all portable devices
• Remote wipe capability for lost or stolen devices

Media and Hardware Disposal

• Secure destruction of hardware containing PHI
• Certified media sanitization before disposal or reuse
• Documentation of all disposal activities

Technical Safeguards

We employ comprehensive technical measures to protect ePHI:

Access Controls

• Unique User Identification: Every user has a unique identifier for tracking access
• Authentication:
  • Strong password requirements (minimum 12 characters with complexity)
  • Multi-factor authentication via authenticator app or SMS
  • Device-level biometric authentication (Face ID, Touch ID) - processed on-device only
• Automatic Logoff: Sessions expire after 15 minutes of inactivity
• Account Lockout: Accounts locked after 5 failed login attempts
• Role-Based Access Control: Users only access PHI necessary for their role:
  • Primary Advocates: Full access to patient information
  • Hospital Advocates: Clinical access with limited team management
  • Remote Advocates: Customizable view/edit permissions
  • Therapists: Access limited to relevant therapy modules

Encryption

• Data in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
• Application-Level Encryption: Sensitive data such as health summaries is encrypted at the application level before storage
• Database Security: Our database is hosted in a secure, access-controlled environment with the following protections:
  • Network isolation and firewall protection
  • Access restricted to authorized application services only
  • Regular security patching and updates
  • Automated backups with secure storage
• Message Security: Messages between care team members are transmitted over encrypted connections and stored in our secure database with role-based access controls
• Key Management:
  • Secure key generation and storage
  • Key rotation policies
  • Environment-based key protection with restricted access

Audit Controls

• Comprehensive Logging: All access to PHI is logged with:
  • User identification
  • Timestamp
  • Action performed (view, create, modify, delete)
  • Data accessed
  • IP address and device information
• Log Protection: Audit logs are protected against modification or deletion
• Log Retention: Audit logs are retained in accordance with HIPAA requirements
• Regular Review: Automated and manual review of audit logs for suspicious activity

Integrity Controls

• Data Validation: Input validation to ensure data integrity
• Checksums: Verification of data integrity during transmission
• Change Detection: Mechanisms to detect unauthorized alterations to PHI
• Version Control: Tracking of all changes to PHI

Transmission Security

• All data transmitted over encrypted channels (TLS)
• Certificate pinning to prevent man-in-the-middle attacks
• Secure API endpoints with authentication requirements

Push Notifications

We use third-party push notification services to deliver alerts and reminders to your mobile device:

• Minimized PHI: Push notifications are designed to contain minimal health information. Notifications typically include general alert types (e.g., "Medication Reminder") rather than specific PHI details.
• Device Display: Notification content may be visible on your device's lock screen depending on your device settings. We recommend configuring your device to hide notification previews for sensitive apps.
• User Control: You can disable push notifications at any time through the app settings or your device settings.
• Service Provider: Push notifications are delivered through Firebase Cloud Messaging, which transmits notification metadata through Google's infrastructure.

Business Associate Agreements

We maintain Business Associate Agreements (BAAs) with third-party service providers who may access PHI, where such agreements are available. These agreements ensure our partners:

• Implement appropriate administrative, physical, and technical safeguards
• Report any security incidents or suspected breaches within 24 hours
• Use PHI only for authorized purposes
• Return or securely destroy PHI upon contract termination
• Extend the same protections to any subcontractors

Our Business Associates

• Cloud Infrastructure: HIPAA-compliant hosting with SOC 2 Type II certification and signed BAA
• Communication Services: Push notification and email delivery services with appropriate agreements
• Drug Database Providers: Medication information and interaction checking services

Important Disclosure: AI Services

AI Features Affected

The following features transmit data to our private AI services for processing:

• Voice transcription and voice commands
• AI-powered voice assistant (AI Advocate)
• Natural language processing for data entry
• AI-generated health summaries and reports
• Intelligent search and query features

Security Measures in Place

While our AI services are not HIPAA compliant, we have implemented significant security measures:

• Private Deployment: Our AI services are deployed in a private, isolated environment not exposed to the public internet
• Encryption: All data transmitted to our AI services is encrypted using TLS 1.2 or higher
• No Model Training: Your data is not used to train or improve AI models
• Data Minimization: We transmit only the minimum data necessary for processing
• No Persistent Storage: Our AI services do not retain your data after processing
• SOC 2 Type II: Our AI infrastructure maintains SOC 2 Type II compliance
• Geographic Controls: Data is processed in U.S.-based data centers

Your Choices

You have control over AI feature usage:

• Optional Use: All AI-powered features are optional. You can use the app without utilizing any AI features
• Manual Entry: You may enter all data manually instead of using voice transcription
• Informed Consent: By using AI features, you consent to data processing by non-HIPAA-compliant services

Our Commitment

We are actively monitoring the availability of HIPAA-compliant AI services and will transition to compliant alternatives as they become available. We will notify users when such transitions occur.

Breach Notification Procedures

In the unlikely event of a breach involving unsecured PHI, we follow strict notification procedures:

Breach Assessment

• Immediate investigation upon discovery of potential breach
• Risk assessment to determine probability that PHI was compromised
• Documentation of investigation findings and decisions

Notification Requirements

• Individual Notice: Affected individuals notified within 60 days of discovery via:
  • First-class mail to last known address
  • Email (if individual has agreed to electronic notice)
  • Substitute notice if contact information is insufficient
• HHS Notification:
  • Breaches affecting 500+ individuals: Notified within 60 days
  • Breaches affecting fewer than 500: Annual log submission
• Media Notice: For breaches affecting 500+ individuals in a state, notification to prominent media outlets

Notice Contents

Breach notifications include:

• Description of the breach and types of information involved
• Steps individuals should take to protect themselves
• Actions taken to investigate and mitigate the breach
• Contact information for questions

Your Rights Under HIPAA

HIPAA provides you with important rights regarding your Protected Health Information:

Right to Access

• You may request copies of your PHI maintained by Advocate
• We will respond within 30 days (with one 30-day extension if needed)
• You may request electronic copies in a portable format
• We may charge a reasonable cost-based fee for copies

Right to Amend

• You may request corrections to PHI you believe is inaccurate or incomplete
• We will respond within 60 days
• If we deny the request, you may submit a statement of disagreement

Right to Accounting of Disclosures

• You may request a list of certain disclosures of your PHI
• Accounting covers disclosures made up to 6 years before your request
• Excludes disclosures for treatment, payment, or healthcare operations
• First request in any 12-month period is free

Right to Request Restrictions

• You may request restrictions on how we use or disclose your PHI
• We are not required to agree to all restrictions, but will consider them
• We must agree to restrict disclosures to health plans for services you paid for in full out-of-pocket

Right to Request Confidential Communications

• You may request that we communicate with you about PHI in a certain way or at a certain location
• We will accommodate reasonable requests

Right to File a Complaint

• You may file a complaint with us if you believe your privacy rights have been violated
• You may also file a complaint with the HHS Office for Civil Rights
• We will not retaliate against you for filing a complaint

Minimum Necessary Standard

We adhere to HIPAA's minimum necessary standard:

• We only access, use, or disclose the minimum PHI necessary to accomplish the intended purpose
• Role-based permissions ensure users only see information relevant to their care responsibilities
• Automated controls limit data exposure based on user permissions
• We regularly review and adjust access levels

Security Incident Response

We maintain documented procedures for responding to security incidents:

1. Detection: Automated monitoring, intrusion detection systems, and user reporting mechanisms
2. Containment: Immediate action to isolate affected systems and prevent further damage
3. Assessment: Rapid evaluation of incident scope, data affected, and potential harm
4. Eradication: Removal of threat and restoration of system integrity
5. Recovery: Return to normal operations with enhanced monitoring
6. Documentation: Complete documentation of incident and response actions
7. Lessons Learned: Post-incident review and process improvements

Compliance Verification

We regularly verify our HIPAA compliance through:

• Internal Audits: Regular self-assessments of policies, procedures, and controls
• External Assessments: Third-party security assessments and penetration testing
• Vulnerability Scanning: Automated scanning for security vulnerabilities
• Continuous Monitoring: Ongoing evaluation of security controls and threat landscape
• Policy Reviews: Annual review and updates to all policies and procedures
• Compliance Training: Regular training updates for workforce members

State Privacy Laws

In addition to HIPAA, we comply with applicable state privacy laws, which may provide additional protections. Where state law provides greater protection than HIPAA, we follow the more stringent standard.

No Waiver of HIPAA Rights

Questions and Complaints

If you have questions about our HIPAA compliance practices, wish to exercise your HIPAA rights, or wish to file a complaint, please contact:

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:

We will not retaliate against you for filing a complaint.

Updates to This Notice

We reserve the right to change this notice and make the revised notice effective for PHI we already have about you as well as any information we receive in the future. We will:

• Post the updated notice on our website
• Make the updated notice available within the Advocate application
• Notify users of material changes via email or in-app notification