HIPAA Notice of Privacy Practices

Your Health Information Rights and Our Responsibilities

Effective: August 14, 2025

Last Updated: August 14, 2025

Version 2.0

HIPAA Compliant

Important Healthcare Privacy Notice

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

DEVELOPMENT PHASE NOTICE: Medisage is currently in development. This document outlines our planned HIPAA compliance approach and the privacy practices we intend to implement upon production launch. During development, no actual protected health information (PHI) is collected or processed.

If you have any questions about this notice, please contact us at privacy@medisage.app

Overview Your Rights Our Responsibilities Permitted Uses Disclosure Rules Security Measures File a Complaint Contact Us

Overview

Medisage is being developed with a commitment to protecting your health information. As we prepare for deployment, we are designing the platform to comply with HIPAA requirements for maintaining the privacy and security of your protected health information (PHI), and we provide you with this notice of our planned legal duties and privacy practices.

Development Stage Notice

Important: Medisage is currently in development phase. This notice outlines our planned approach to HIPAA compliance and the privacy practices we intend to implement upon launch. Until production deployment, no actual PHI will be processed or stored.

What is Protected Health Information (PHI)?

PHI includes any information about your health, healthcare services, or payment for healthcare that could identify you. This includes:

Medical records and health history
Lab results and diagnostic images
Medication lists and prescription information
Doctor's notes and treatment plans
Billing and insurance information

How This Notice Will Apply

Upon production deployment, this notice will apply to all health information maintained by Medisage, including:

Information stored in the Medisage mobile application
Data processed by our secure servers
Information shared with authorized healthcare providers
Any PHI created, received, or maintained by our platform

Current Status: During the development phase, any test data used is anonymized and does not contain real PHI.

Your Rights

You have the following rights regarding your health information:

Right to Access PHI

You have the right to inspect and receive copies of your protected health information (PHI) that we maintain.

Timeframe: We will provide your information within 30 days of your request
Format: Available in electronic or paper format as requested
Fees: We may charge a reasonable fee for copying costs
Access Method: Request access through the app, website, or by contacting us directly
Complete Records: Includes all PHI used to make decisions about your care

Right to Request Amendment

You have the right to request that we amend your health information if you believe it is incorrect or incomplete.

Written Request: Requests must be made in writing with supporting reasons
Review Process: We will review and respond within 60 days
Denial Conditions: We may deny if information is accurate, complete, or not created by us
Disagreement Statement: If denied, you have the right to file a statement of disagreement
Amendment Distribution: Approved amendments will be shared with relevant parties

Right to Accounting of Disclosures

You have the right to request a list of disclosures of your health information made by us for purposes other than treatment, payment, and healthcare operations.

Time Period: Covers disclosures made in the last 6 years (or since our start date)
Exclusions: Does not include routine treatment, payment, or operations disclosures
Free Accounting: First accounting in a 12-month period is free
Additional Requests: May charge reasonable fees for additional requests
Disclosure Details: Includes date, recipient, purpose, and description of disclosed information

Right to Request Restrictions

You have the right to request restrictions on how we use or disclose your health information for treatment, payment, or healthcare operations.

Request Process: Restrictions must be requested in writing
Our Obligation: We are not required to agree to all restrictions
Compliance: If we agree, we will comply except in emergency situations
Termination: You may terminate restrictions at any time in writing
Emergency Exception: Restrictions do not apply to emergency treatment situations

Right to Confidential Communications

You have the right to request that we communicate with you about your health information by alternative means or at alternative locations.

Reasonable Requests: We will accommodate all reasonable requests
Contact Methods: You may request specific email addresses, phone numbers, or mailing addresses
Security Considerations: We may require information on how to contact you securely
Safety Protection: We will accommodate requests to protect your safety
Written Request: Requests should be made in writing for documentation

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this privacy notice at any time, even if you have agreed to receive it electronically.

Always Available: Available even if you received the notice electronically
Request Methods: Can be requested through our website, app, or direct contact
Prompt Delivery: We will provide it promptly upon request
No Cost: Paper copies are provided at no charge
Current Version: You will always receive the most current version

Contact Information for HIPAA-Related Requests and Complaints

Privacy Officer

Email: privacy@medisage.com

Subject Line: "HIPAA Request - [Type of Request]"

Response Time: Within 30 days for most requests

HIPAA Compliance Department

Email: hipaa@medisage.com

For: Complaints, violations, and compliance questions

Investigation: All complaints investigated within 60 days

Department of Health and Human Services

You may also file a complaint with the Secretary of Health and Human Services:

Website: www.hhs.gov/hipaa/filing-a-complaint/

Phone: 1-800-368-1019

⚖️ No Retaliation Policy

We will not retaliate against you for:

Filing a complaint with us or with the Department of Health and Human Services
Participating in HIPAA compliance activities
Exercising any of your rights under HIPAA
Opposing any act or practice that you believe violates HIPAA

Our Responsibilities

Medisage is committed to protecting your health information. Our responsibilities include:

Maintain Privacy and Security

We are required by law to maintain the privacy and security of your protected health information and to provide you with notice of our legal duties and privacy practices.

Notify You of Breaches

We must notify you if there is a breach of your unsecured protected health information that may have compromised the privacy or security of your information.

Follow Legal Requirements

We must follow the duties and privacy practices described in this notice and give you a copy of it.

Respect Your Choices

We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time.

Changes to Our Privacy Practices

We reserve the right to change our privacy practices and the terms of this notice. If we make material changes, we will:

Post the revised notice on our website and in our app
Make the new notice available upon request
Apply changes to all health information we maintain
Notify users of significant changes via email or app notification

How We May Use and Disclose Your Health Information

We may use and disclose your health information for the following purposes:

For Treatment

We may use your health information to provide, coordinate, or manage your healthcare and related services.

Examples include:

Displaying your medical history to authorized healthcare providers
Sharing lab results with your doctors
Coordinating care between multiple providers
Providing medication reminders and health insights

For Payment

We may use and disclose your health information to obtain payment for healthcare services.

Examples include:

Submitting claims to your insurance company
Verifying insurance coverage and benefits
Processing payment for premium features
Billing for healthcare services provided through our platform

For Healthcare Operations

We may use and disclose your health information for healthcare operations.

Examples include:

Quality assessment and improvement activities
Reviewing and improving our services
Training healthcare professionals
Conducting medical research (with proper authorization)

Other Uses and Disclosures

When Authorization is NOT Required

We may use or disclose your health information without your authorization in the following situations:

Emergency Situations

To provide emergency medical care when you are unable to provide authorization.

Legal Requirements

When required by law, court orders, or legal proceedings.

Public Health

To prevent or control disease, injury, or disability as required by public health authorities.

Health and Safety

To prevent a serious and imminent threat to health or safety.

When Authorization IS Required

We will obtain your written authorization before using or disclosing your health information for:

Marketing purposes (with limited exceptions)
Sale of your health information
Psychotherapy notes (with limited exceptions)
Any other purpose not described in this notice

Your Right to Revoke Authorization

You may revoke your authorization at any time by providing written notice to us. The revocation will not affect any use or disclosure that occurred before we received your revocation.

Security Safeguards

Medisage employs comprehensive security measures to protect your health information:

Technical Safeguards (Planned)

End-to-end encryption for all data transmission (implementation planned)
AES-256 encryption for data at rest (implementation planned)
Secure authentication and access controls (in development)
Security audits and penetration testing (planned for production)
Threat detection and monitoring systems (planned)

Administrative Safeguards

HIPAA compliance framework designed into software architecture
Access controls and user permissions built into platform design
Business Associate Agreements (BAAs) in development for PHI-handling vendors; some AI providers may not sign BAAs
Incident response procedures planned for production deployment
Security assessments planned as part of development lifecycle
Employee HIPAA training required for all team members

Business Associate Agreement (BAA) Program

Vendor Management & AI Processing Risks:

✅ HIPAA-Compliant Vendors

Cloud Storage: Railway, AWS, Google Cloud with signed BAAs
Database Providers: PostgreSQL hosting with HIPAA compliance
Infrastructure: All hosting providers maintain current BAAs
Security Monitoring: SOC 2 compliant security services

⚠️ AI Processing Risk Disclosure

OpenAI/GPT Services: Medical documents processed through OpenAI may not be covered by traditional healthcare BAAs
Google Cloud Vision: Image analysis services operate under cloud provider terms, not healthcare-specific agreements
Third-Party AI: As a startup, we may not have full healthcare BAAs with all AI providers
Data Exposure Risk: PHI in medical images/documents may be visible to AI processing services
Retention Policies: AI providers may retain data according to their standard policies, not healthcare requirements

🚀 Startup Compliance Limitations

As an early-stage healthcare startup, we acknowledge:

We are working toward full HIPAA compliance but may not meet all requirements initially
Some third-party AI services may not provide healthcare-grade BAAs to startups
We prioritize transparency about our current limitations over overstating compliance
Users should understand the privacy risks associated with early-stage health technology
We commit to improving compliance as we grow and scale our operations

📈 Our Compliance Roadmap

Phase 1: Establish BAAs with all critical infrastructure providers
Phase 2: Implement healthcare-grade AI processing or local anonymization
Phase 3: Pursue formal HIPAA compliance certification
Ongoing: Regular security audits and compliance assessments

Physical Safeguards

Cloud infrastructure with enterprise-grade security (planned deployment)
Secure hosting environment with access controls (vendor-managed)
Data backup and disaster recovery systems (planned)
Secure development environment and code management
Device security protocols for development team

Compliance Framework

Medisage is being developed with compliance frameworks in mind:

HIPAA Framework Security Design Privacy by Design Data Protection

Note: Formal certifications will be pursued upon production deployment and establishment of operational team.

File a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint. You will not be retaliated against for filing a complaint.

File a Complaint with Medisage

Contact our Privacy Officer:

Email: privacy@medisage.app

Mail: Privacy Officer, Medisage (mailing address to be established upon launch)

Phone support will be available upon production launch

File a Complaint with HHS

You may also file a complaint with the U.S. Department of Health and Human Services:

Website: www.hhs.gov/hipaa/filing-a-complaint/

Phone: 1-877-696-6775

Mail: Office for Civil Rights, U.S. Department of Health and Human Services

What to Include in Your Complaint

Your name and contact information
Description of the privacy concern
Date(s) when the incident occurred
Names of people involved (if known)
Any relevant documentation

Contact Information

Privacy Officer

For privacy-related questions and requests

Email: privacy@medisage.app

Phone support will be available upon production launch

Customer Support

For general questions and technical support

Email: support@medisage.app

Phone support will be available upon production launch

Security Team

For security concerns and breach reports

Email: security@medisage.app

24/7 emergency contact will be established upon launch

Planned Business Hours

Privacy Office: Monday - Friday, 9:00 AM - 5:00 PM EST (upon launch)

Customer Support: Monday - Sunday, 8:00 AM - 8:00 PM EST (upon launch)

Security Team: 24/7 for emergency issues (upon launch)

Current: Email support available during development phase

HIPAA Notice of Privacy Practices

Important Healthcare Privacy Notice

Table of Contents

Overview

Development Stage Notice

What is Protected Health Information (PHI)?

How This Notice Will Apply

Your Rights

Right to Access PHI

Right to Request Amendment

Right to Accounting of Disclosures

Right to Request Restrictions

Right to Confidential Communications

Right to a Paper Copy of This Notice

Contact Information for HIPAA-Related Requests and Complaints

Privacy Officer

HIPAA Compliance Department

Department of Health and Human Services

⚖️ No Retaliation Policy

Our Responsibilities

Maintain Privacy and Security

Notify You of Breaches

Follow Legal Requirements

Respect Your Choices

Changes to Our Privacy Practices

How We May Use and Disclose Your Health Information

For Treatment

Examples include:

For Payment

Examples include:

For Healthcare Operations

Examples include:

Other Uses and Disclosures

When Authorization is NOT Required

Emergency Situations

Legal Requirements

Public Health

Health and Safety

When Authorization IS Required

Your Right to Revoke Authorization

Security Safeguards

Technical Safeguards (Planned)

Administrative Safeguards

Business Associate Agreement (BAA) Program

✅ HIPAA-Compliant Vendors

⚠️ AI Processing Risk Disclosure

🚀 Startup Compliance Limitations

📈 Our Compliance Roadmap

Physical Safeguards

Compliance Framework

File a Complaint

File a Complaint with Medisage

File a Complaint with HHS

What to Include in Your Complaint

Contact Information

Privacy Officer

Customer Support

Security Team

Planned Business Hours