HIPAA COMPLIANCE

Protecting Your Genetic and Health Information

Our Commitment To Your Privacy

YouHeal is committed to protecting the privacy and security of your protected health information (PHI) and genetic data. As a healthcare technology platform providing precision medicine services, genetic analysis, and personalized health optimization, we comply with the Health Insurance Portability and Accountability Act (HIPAA) and maintain the highest standards of data protection.

HIPAA Compliance Overview

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting the privacy and security of individually identifiable health information, including genetic data, laboratory results, and personal health records.

Our HIPAA Status

YouHeal operates as a HIPAA-covered entity and maintains comprehensive compliance with all HIPAA regulations, including:

  • Privacy Rule - Protecting the privacy of your health information

  • Security Rule - Safeguarding electronic health information

  • Breach Notification Rule - Prompt notification of any data breaches

How We Protect Your Information

Administrative Safeguards
  • Designated Privacy Officer - Responsible for HIPAA compliance oversight

  • Employee Training - Regular HIPAA training for all staff members

  • Access Controls - Role-based access to patient information

  • Business Associate Agreements - Every vendor that creates, receives, stores, or transmits PHI on our behalf signs a Business Associate Agreement before handling your data

  • Incident Response Plan - Comprehensive procedures for handling potential breaches

Physical Safeguards
  • Secure Facilities - Access-controlled data centers with 24/7 monitoring

  • Workstation Security - Secured computers and mobile devices

  • Media Controls - Secure storage and disposal of electronic media

  • Device Controls - Inventory tracking of all devices containing PHI

Technical Safeguards
  • Encryption - Encryption of all data in transit and at rest

  • Access Controls - Multi-factor authentication and user verification

  • Audit Logs - Comprehensive logging of all system access and activities

  • Data Integrity - Controls to ensure PHI is not altered or destroyed inappropriately

  • Transmission Security - Secure protocols for all data communications

Your Privacy Rights Under HIPAA

As our client, you have the following rights regarding your health information:

Right to Access
  • Request copies of your health records and genetic data

  • Receive information in the format you prefer when possible

  • Direct us to transmit copies to a third party you designate

Right to Amend
  • Request corrections to your health information if you believe it is incorrect or incomplete

  • We will review your request and make appropriate changes

Right to Restrict Use
  • Request limitations on how we use or share your health information

  • We will accommodate reasonable requests when possible

Right to Confidential Communications
  • Request that we communicate with you about your health information in a specific way or location

  • We will accommodate reasonable requests

Right to an Accounting
  • Request a list of disclosures of your health information we have made

  • Includes information about who received your data and when

Right to Notification
  • Be notified if there is a breach of your health information

  • Receive details about what information was involved and steps we are taking

Information We Collect and Use

Genetic Information
  • DNA analysis results and genetic variants

  • Genetic risk assessments and health predispositions

  • Personalized genetic reports and recommendations

Health Data
  • Laboratory test results and biomarkers

  • Health questionnaires and assessments

  • Medical history and current health status

  • Supplement and medication information

Personal Information
  • Contact information and demographics

  • Billing and payment information

  • Communication preferences

Platform Usage Data
  • Healthie EHR system interaction and clinical workflow data

  • Website and YouHeal platform interaction data

  • Progress tracking and health optimization outcomes

  • Educational content engagement and platform utilization

  • Azure analytics for system performance and user experience optimization

How We Use Your Information

We use your protected health information only for:

Treatment and Care Coordination
  • Providing personalized health recommendations through our AI algorithms

  • Creating genetic-based optimization protocols using Azure machine learning

  • Coordinating with your healthcare providers through Healthie EHR (with your consent)

  • Facilitating laboratory testing through Rupa Health and DNAlife partnerships

  • Generating comprehensive health reports and genetic analysis

Payment and Operations
  • Processing payments for services

  • Quality improvement initiatives

  • Customer support and service delivery

Required by Law
  • Compliance with legal requirements

  • Public health and safety reporting (when required)

  • Law enforcement requests (when legally mandated)

Information Sharing and Disclosure

With Your Consent

We will share your information with third parties only with your explicit written consent, including:

  • Coordinating care with your healthcare providers through the Healthie EHR platform

  • Ordering laboratory and genetic testing through Rupa Health and DNAlife

  • Processing your genetic data with Azure machine learning services to create your optimization protocols

  • Delivering your health reports and genetic analysis to providers or other recipients you designate

Business Associates

We work with HIPAA-compliant partners who have signed comprehensive Business Associate Agreements ensuring the same level of protection for your data:

Electronic Health Records (EHR) System:
  • Healthie - HIPAA-compliant EHR platform for patient data management, secure communications, and clinical workflow

Laboratory Testing Partners:
  • Rupa Health - Laboratory testing coordination and results management

  • DNAlife - Genetic testing and DNA analysis services

  • Additional laboratory partners for comprehensive biomarker testing

Cloud Infrastructure and Data Processing:
  • Microsoft Azure - Cloud infrastructure for data storage, processing, and analysis, covered by Microsoft's HIPAA Business Associate Agreement

  • Azure AI and Machine Learning services - For genetic data analysis and health optimization algorithms

  • Azure security and encryption services - For data protection and access controls

Additional Service Partners:
  • Payment processing services - For secure billing and transactions

  • Customer support platforms - For client communications and service delivery

Without Your Consent (Limited Circumstances)

We may disclose your information without consent only when:

  • Required by law or court order

  • Public health authorities require reporting

  • To prevent serious threat to health or safety

  • For law enforcement purposes (when legally required)

  • For workers' compensation claims

  • To coroners, medical examiners, or funeral directors

Data Security Measures

Encryption and Security
  • AES-256 encryption for all data at rest using Azure Storage Service Encryption

  • TLS 1.3 encryption for all data in transit

  • Azure Key Vault for secure encryption key management and rotation

  • Zero-trust security model with continuous verification through Azure AD (now Microsoft Entra ID)

  • Regular security audits and penetration testing of all systems

  • Microsoft Defender for Cloud for advanced threat protection

Access Controls
  • Azure Active Directory multi-factor authentication required for all accounts

  • Role-based access permissions through Azure RBAC limiting data exposure

  • Privileged Identity Management for administrative access controls

  • Regular access reviews and permission audits through Azure AD

  • Automatic session timeouts with configurable security policies

  • Conditional access policies based on risk assessment and device compliance

Infrastructure Security
  • Microsoft Azure cloud hosting covered by Microsoft's HIPAA Business Associate Agreement, in data centers with SOC 2 attestation

  • Azure Key Vault for encryption key management and secure credential storage

  • Microsoft Defender for Cloud (formerly Azure Security Center) for continuous threat monitoring and vulnerability assessment

  • Geographic redundancy with automated failover and disaster recovery

  • Azure Active Directory for identity and access management

  • Redundant backups with geographic distribution and point-in-time recovery

  • 24/7 security monitoring of our Azure environment by a security operations center

  • Regular security updates and automated patch management through Azure services

Employee Security
  • Background checks for all employees handling PHI

  • Signed confidentiality agreements for all staff

  • Regular security training and awareness programs

  • Strict access policies with principle of least privilege

Genetic Information Protection

Special Protections for Genetic Data

Given the sensitive nature of genetic information, we provide additional protections:

  • Genetic Non-Discrimination - We never share genetic information with insurance companies or employers

  • Family Privacy - Genetic information that may affect family members is handled with extra care

  • Research Participation - Any research use requires explicit opt-in consent

  • Data Minimization - We only collect genetic data necessary for your health optimization

Genetic Counseling Resources

We provide access to genetic counseling resources to help you understand:

  • The implications of your genetic results

  • How genetic information affects health decisions

  • Family planning considerations

  • Psychological support for genetic findings

Breach Prevention and Response

Prevention Measures
  • Continuous monitoring of all systems and access

  • Employee training on recognizing and preventing breaches

  • Regular risk assessments and security updates

  • Incident simulation exercises and response drills

Breach Response Plan

In the unlikely event of a breach, we will:

  1. Immediate containment - Stop the breach and secure systems

  2. Risk assessment - Evaluate the scope and impact

  3. Notification - Contact affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach

  4. Regulatory reporting - Notify HHS and other authorities as required, including prominent media outlets when a breach affects more than 500 residents of a state, as the Breach Notification Rule requires

  5. Remediation - Implement measures to prevent future incidents

  6. Documentation - Maintain detailed records of the incident and response

International Data Protection

GDPR Compliance

For clients in the European Union, we also comply with the General Data Protection Regulation (GDPR), providing:

  • Right to erasure (right to be forgotten)

  • Data portability - Transfer your data in a machine-readable format

  • Consent management - Clear opt-in and opt-out mechanisms

  • Data Protection Officer - Designated DPO for European clients

Global Privacy Standards

We also align with recognized security frameworks and attestations, including:

  • SOC 2 Type II attestation

  • ISO 27001 information security management

  • NIST Cybersecurity Framework implementation

Your Responsibilities

Account Security

To help protect your information:

  • Use strong passwords and enable multi-factor authentication

  • Keep login credentials secure and do not share accounts

  • Log out completely when using shared computers

  • Report suspicious activity immediately to our support team

Information Accuracy
  • Provide accurate information for the best health recommendations

  • Update your information when changes occur

  • Review your data regularly for accuracy

  • Report errors promptly so we can make corrections

Contact Information

Privacy Officer

Dr. Vandenberg, M.D.
HIPAA Privacy Officer, YouHeal

Email: legal@youheal.com

Phone: PHONE

Customer Support

For general questions about your account or services:

Email: support@youheal.com

Phone: PHONE

Hours: Monday-Friday, 8 AM - 8 PM EST

Compliance Department

For HIPAA-related questions or concerns:

Email: legal@youheal.com

Mail: YouHeal Compliance Department

[Address]

Filing a Complaint

Internal Complaints

If you believe your privacy rights have been violated, you may file a complaint with us by:

Email: legal@youheal.com

Phone: PHONE

Mail: YouHeal Compliance Department

[Address]

We will investigate all complaints promptly and respond within 30 days.

External Complaints

You also have the right to file a complaint with:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201

Phone: 1-877-696-6775

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

No Retaliation Policy: We will not retaliate against you for filing a complaint or exercising your privacy rights.

Updates To This Notice

Policy Updates

We may update this HIPAA compliance notice to:

  • Reflect changes in our practices

  • Comply with new legal requirements

  • Improve our privacy protections

  • Address new technologies or services

Notification of Changes

We will notify you of material changes by:

  • Email notification to your registered email address

  • Website posting with prominent notice of updates

  • Platform notification when you next log in

  • Postal mail for significant changes affecting your rights

Effective Date and Acknowledgement

Effective Date: August 7, 2025

Last Updated: August 7, 2025

By using YouHeal services, you acknowledge that you have read and understand this HIPAA compliance notice and agree to our privacy practices as described herein.

For the most current version of this notice, please visit our website at youheal.com/hipaa-compliance.

Your health information privacy is our priority. We are committed to maintaining the highest standards of data protection while providing you with innovative, personalized healthcare solutions.

Start Your Personalized Health Journey Today

Discover the power of DNA-driven health insights and personalized wellness plans. Reclaim your vitality and start living life on your terms.

Get Your Personalized Health Plan