HIPAA Policy — Genbu Health

      Genbu Health is committed to maintaining the privacy and security of Protected Health Information (PHI) in full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable California health privacy law. This policy describes our obligations and practices as a HIPAA Business Associate.
    

1. Our Role Under HIPAA

Genbu Health operates as a Business Associate under HIPAA. We process Protected Health Information (PHI) on behalf of healthcare providers, health plans, and healthcare clearinghouses ("Covered Entities") that are our customers. We do not directly treat patients and are not ourselves a Covered Entity.

Before any PHI is processed through our platform, we execute a Business Associate Agreement (BAA) with each Covered Entity customer. The BAA defines the permitted uses and disclosures of PHI, the obligations of each party, and the procedures for breach notification. Customers may request a BAA by contacting privacy@genbuhealth.com.

2. What Is Protected Health Information

PHI is any individually identifiable health information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. In the context of our platform, PHI includes:

Patient names, dates of birth, and contact information
Health plan member identifiers and insurance information
Information about healthcare screenings, appointments, and care goals
Voice audio recordings of patient outreach calls
Call transcripts containing patient-disclosed health information
Medical record numbers and other patient identifiers

3. Permitted Uses and Disclosures of PHI

We use and disclose PHI only as permitted or required by our BAA with each Covered Entity customer and as allowed under the HIPAA Privacy Rule. Permitted uses include:

Providing patient outreach, scheduling coordination, and follow-up services on behalf of the Covered Entity
Operations necessary to fulfill our services (speech-to-text transcription, AI response generation, text-to-speech synthesis)
Healthcare operations as defined by HIPAA and authorized by the applicable BAA
As required by law, including disclosures to government authorities for public health activities, law enforcement, or judicial proceedings

We will not use PHI for marketing, advertising, or any purpose not authorized by the applicable BAA and HIPAA.

4. Safeguards We Maintain

We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule to protect electronic PHI (ePHI):

Administrative

Designated Privacy and Security Officer
Workforce HIPAA training and sanctions policy
Risk analysis and risk management program
Business associate agreements with all sub-processors
Incident response and breach notification procedures
Minimum necessary access policies

Technical

AES-256 field-level encryption of PHI at rest
TLS 1.3 encryption for all data in transit
Role-based access control with least privilege
Comprehensive audit logging of all PHI access
Automatic session timeout and re-authentication
PHI redaction from application logs

Physical

PHI processed and stored in SOC 2 Type II certified data centers
Physical access controls at all data processing facilities
Device encryption for all endpoints with PHI access
Secure workstation policies for remote access

Organizational

FHIR-compliant patient data model
Separate data environments per customer organization
Data retention and destruction schedules per HIPAA requirements
Subcontractor BAAs with all vendors processing ePHI

5. Breach Notification

In the event of a breach of unsecured PHI, Genbu Health will notify affected Covered Entity customers without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Our breach notification will include, to the extent possible:

A description of the nature of the breach, including the types of PHI involved
The identity of individuals whose PHI was involved, if known
The steps Covered Entity customers should take to protect themselves from potential harm
What Genbu Health is doing to investigate, mitigate, and prevent future breaches
Contact information for Genbu Health's Privacy Officer

To report a suspected breach or security incident, contact us immediately at privacy@genbuhealth.com.

6. Patient Rights Under HIPAA

Patients have rights regarding their PHI under HIPAA's Privacy Rule. Because Genbu Health is a Business Associate and not a Covered Entity, patients must generally exercise their HIPAA rights (such as the right to access, amend, or request an accounting of disclosures) through the Covered Entity (their health plan or provider) rather than directly through Genbu Health.

If a patient contacts Genbu Health directly regarding their PHI rights, we will promptly refer them to the appropriate Covered Entity and assist the Covered Entity in fulfilling the request where we are able to do so under our BAA.

7. California Health Privacy Law

In addition to HIPAA, California imposes additional health privacy requirements through the Confidentiality of Medical Information Act (CMIA) and the Patient Access to Health Records Act (PAHRA). Where California law provides greater privacy protections than HIPAA, we comply with the more protective California standard.

California law generally prohibits disclosure of medical information without patient authorization except in specific circumstances. Our platform is designed to operate within these constraints, processing PHI only for the purposes explicitly authorized by the applicable BAA and consistent with the patient's relationship with the Covered Entity.

8. Sub-Processors and Downstream Business Associates

We use third-party service providers (sub-processors) that may have access to PHI in the course of providing services to us. All sub-processors who access PHI are required to enter into a BAA with Genbu Health that imposes HIPAA-equivalent obligations on them. Key categories of sub-processors include:

Cloud infrastructure providers hosting our application and databases
Speech recognition (ASR) services used for real-time patient call transcription
Text-to-speech (TTS) services used for AI voice generation
AI language model providers used for conversational response generation
Telephony providers used to place and receive calls

Customers may request our current list of sub-processors by contacting privacy@genbuhealth.com.

9. Data Retention and Destruction

We retain PHI in accordance with applicable law and the terms of each BAA. In general:

Call recordings and transcripts containing PHI are retained for the period specified in the BAA, typically 6 years from the date of creation or the date when it last was in effect, whichever is later, consistent with HIPAA's documentation requirements
Upon termination of a BAA, PHI is returned to the Covered Entity or securely destroyed within 60 days, consistent with HIPAA requirements and the terms of the applicable BAA
Destruction of PHI is performed using NIST-approved methods and is documented in our audit records

10. Training and Workforce

All Genbu Health workforce members who access or may encounter PHI receive HIPAA privacy and security training before accessing PHI and receive updated training at least annually. We maintain a sanctions policy for workforce members who violate our HIPAA policies and procedures.

11. Contact Our Privacy Officer

HIPAA Privacy Officer

For HIPAA-related inquiries, breach reports, BAA requests, or complaints:

Email: privacy@genbuhealth.com

Mail: Genbu Health, Attn: HIPAA Privacy Officer, 100 N. Barranca St, Unit 7068, West Covina, CA 91791, USA

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/ocr/complaints if you believe your HIPAA rights have been violated. We will not retaliate against any person for filing a complaint.