Genbu Health is committed to maintaining the privacy and security of Protected Health Information (PHI) in full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable California health privacy law. This policy describes our obligations and practices as a HIPAA Business Associate.

1. Our Role Under HIPAA

Genbu Health operates as a Business Associate under HIPAA. We process Protected Health Information (PHI) on behalf of healthcare providers, health plans, and healthcare clearinghouses ("Covered Entities") that are our customers. We do not directly treat patients and are not ourselves a Covered Entity.

Before any PHI is processed through our platform, we execute a Business Associate Agreement (BAA) with each Covered Entity customer. The BAA defines the permitted uses and disclosures of PHI, the obligations of each party, and the procedures for breach notification. Customers may request a BAA by contacting privacy@genbuhealth.com.

2. What Is Protected Health Information

PHI is any individually identifiable health information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. In the context of our platform, PHI includes:

3. Permitted Uses and Disclosures of PHI

We use and disclose PHI only as permitted or required by our BAA with each Covered Entity customer and as allowed under the HIPAA Privacy Rule. Permitted uses include:

We will not use PHI for marketing, advertising, or any purpose not authorized by the applicable BAA and HIPAA.

4. Safeguards We Maintain

We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule to protect electronic PHI (ePHI):

Administrative

  • Designated Privacy and Security Officer
  • Workforce HIPAA training and sanctions policy
  • Risk analysis and risk management program
  • Business associate agreements required with sub-processors before they process PHI
  • Incident response and breach notification procedures
  • Minimum necessary access policies

Technical

  • Encryption of PHI at rest
  • Encryption of data in transit
  • Role-based access control with least privilege
  • Audit logging of PHI access
  • Automatic session timeout and re-authentication
  • PHI redaction from application logs

Physical

  • PHI processed and stored in cloud data centers that maintain SOC 2 Type II and ISO 27001 certifications (Microsoft Azure).
  • Physical access controls at data processing facilities
  • Device encryption for endpoints with PHI access
  • Secure workstation policies for remote access

Organizational

  • FHIR-compliant patient data model
  • Logical separation of customer data
  • Data retention and destruction schedules per HIPAA requirements

5. Breach Notification

In the event of a breach of unsecured PHI, Genbu Health will notify affected Covered Entity customers without unreasonable delay after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Our breach notification will include, to the extent possible:

To report a suspected breach or security incident, contact us immediately at privacy@genbuhealth.com.

6. Patient Rights Under HIPAA

Patients have rights regarding their PHI under HIPAA's Privacy Rule. Because Genbu Health is a Business Associate and not a Covered Entity, patients must generally exercise their HIPAA rights (such as the right to access, amend, or request an accounting of disclosures) through the Covered Entity (their health plan or provider) rather than directly through Genbu Health.

If a patient contacts Genbu Health directly regarding their PHI rights, we will promptly refer them to the appropriate Covered Entity and assist the Covered Entity in fulfilling the request where we are able to do so under our BAA.

7. California Health Privacy Law

In addition to HIPAA, California imposes additional health privacy requirements through the Confidentiality of Medical Information Act (CMIA) and the Patient Access to Health Records Act (PAHRA). Where California law provides greater privacy protections than HIPAA, we comply with the more protective California standard.

California law generally prohibits disclosure of medical information without patient authorization except in specific circumstances. Our platform is designed to operate within these constraints, processing PHI only for the purposes explicitly authorized by the applicable BAA and consistent with the patient's relationship with the Covered Entity.

8. Sub-Processors and Downstream Business Associates

We use third-party service providers (sub-processors) that may process PHI in the course of providing services to us, and PHI is processed only under a HIPAA Business Associate Agreement. Our PHI-processing functions — application and database hosting, speech-to-text transcription, text-to-speech voice generation, AI language model response generation, and telephony — are all provided by Microsoft Azure services operating under Microsoft's HIPAA Business Associate Agreement.

Customers may request our current list of sub-processors by contacting privacy@genbuhealth.com.

9. Data Retention and Destruction

We retain PHI in accordance with applicable law and the terms of each BAA. In general:

10. Training and Workforce

All Genbu Health workforce members who access or may encounter PHI receive HIPAA privacy and security training before accessing PHI, upon material changes to our policies or procedures, and periodically thereafter. We maintain a sanctions policy for workforce members who violate our HIPAA policies and procedures.

11. Contact Our Privacy Officer

HIPAA Privacy Officer

For HIPAA-related inquiries, breach reports, BAA requests, or complaints:

Email: privacy@genbuhealth.com

Mail: Genbu Health, Attn: HIPAA Privacy Officer, 100 N. Barranca St, Unit 7068, West Covina, CA 91791, USA

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/ocr/complaints if you believe your HIPAA rights have been violated. We will not retaliate against any person for filing a complaint.