HIPAA Notice
Effective January 1, 2026
This notice applies to users of VindexAI Health and describes how Protected Health Information (PHI) is handled. Val is not a general health app. It operates exclusively through authorized healthcare providers under signed Business Associate Agreements.
HIPAA Compliance Notice
1. Entity structure
VindexAI Wellness LLC is a subsidiary of VindexAI Holdings. All processing of Protected Health Information occurs through VindexAI Wellness LLC. This separation ensures that PHI handling is governed by a dedicated entity with appropriate compliance controls.
VindexAI Wellness LLC operates as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with each covered entity (healthcare provider or clinic) before processing any PHI.
2. How VindexAI Health works
VindexAI Health is an AI-powered longevity coaching platform that operates within clinical settings. It does not accept patients directly. Patients are enrolled by their healthcare provider, and all PHI flows through that provider relationship.
- Healthcare providers (covered entities) enroll patients into Val.
- Val processes wearable device data, lab results, and protocol adherence information.
- AI coaching is delivered to patients based on protocols defined by their provider.
- Providers retain full control over patient data and treatment protocols.
3. Technical safeguards
We implement the following safeguards to protect PHI:
- Infrastructure: Google Cloud Platform with a signed BAA. All PHI is stored in HIPAA-eligible GCP services.
- Encryption at rest: All stored PHI is encrypted using AES-256.
- Encryption in transit: All data transmission uses TLS 1.2 or higher.
- Access controls: Role-based access with multi-factor authentication. The minimum necessary access principle is enforced.
- Audit logging: All access to PHI is logged with user identity, timestamp, and action performed. Logs are retained for a minimum of six years.
- Backup and recovery: Regular encrypted backups with tested recovery procedures.
4. Patient rights
Patients whose PHI is processed through Val have the following rights under HIPAA:
- Right to access: You may request a copy of the PHI we hold about you.
- Right to amendment: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
- Right to accounting of disclosures: You may request a record of when and to whom your PHI was disclosed.
- Right to restrict: You may request restrictions on how your PHI is used or disclosed, though we are not always required to agree.
- Right to confidential communications: You may request that we communicate with you through specific channels.
To exercise any of these rights, contact your healthcare provider or reach out to us directly at compliance@vindexai.io.
5. Breach notification
In the event of a breach of unsecured PHI, VindexAI Wellness LLC will:
- Notify the affected covered entity without unreasonable delay and no later than 60 days after discovery of the breach.
- Provide sufficient information for the covered entity to fulfill its notification obligations to affected individuals and the Department of Health and Human Services (HHS).
- Cooperate fully with the covered entity in investigating and mitigating the breach.
- Document the breach, its investigation, and corrective actions taken.
6. Subcontractors
Any subcontractors who access PHI on our behalf are required to sign BAAs and comply with the same safeguards described in this notice. We conduct due diligence on all subcontractors before granting access to PHI.
7. Not a general health app
VindexAI Health is not a consumer health application. It does not accept sign-ups from the general public. All patient access is mediated through a licensed healthcare provider with a signed BAA. If you are interested in using Val at your practice, contact us.
8. Contact
For HIPAA-related questions, concerns, or to exercise your rights:
VindexAI Wellness LLC
Louisville, KY
compliance@vindexai.io