← Back to Login
Privacy Policy & HIPAA Notice
Last updated: March 27, 2026
Health Agent ("we," "our," "the Service") is committed to protecting your privacy and complying with the Health Insurance Portability and Accountability Act (HIPAA). This policy explains how we collect, use, protect, and share your information.
1. Information We Collect
Account Information
- Name, email address, password (encrypted)
- Biometric login data (stored on your device only, never on our servers)
Patient Health Information (PHI)
- Patient names, dates of birth, addresses, phone numbers
- Medical conditions, medications, allergies, lab results
- Insurance information (carrier, member ID, plan details)
- Doctor and pharmacy information
- Uploaded medical documents (prescriptions, lab results, insurance cards, COAs)
- Chat messages regarding health concerns
Usage Data
- Login timestamps, IP addresses (for security and audit)
- Feature usage patterns (anonymized)
2. How We Use Your Information
- Healthcare navigation: Organizing medical records, tracking medications, coordinating appointments
- AI-assisted analysis: Analyzing documents, providing health information, generating action plans
- Communication: Sending emails and facilitating phone calls to providers on your behalf
- Account management: Authentication, notifications, customer support
- Compliance: HIPAA audit logging, breach detection, security monitoring
HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information.
PHI De-identification
When your messages are processed by our AI system, all 18 HIPAA Safe Harbor identifiers are removed before data leaves our servers. The AI service receives only de-identified clinical information (symptoms, medications, conditions). Your identity is never exposed to third-party AI processors.
Permitted Uses of PHI
- Treatment: Coordinating your healthcare, tracking medications, preparing for appointments
- Healthcare Operations: Quality improvement, audit compliance, service optimization
- With Your Authorization: Sharing information with providers, pharmacies, or insurance companies as you direct
Your Rights Under HIPAA
- Right to Access: You may request a copy of all your health information at any time
- Right to Amend: You may request corrections to your health information
- Right to an Accounting of Disclosures: You may request a list of when and to whom your information was shared
- Right to Restrict: You may request restrictions on how your information is used
- Right to Delete: You may request deletion of your health information, subject to legal retention requirements
- Right to Breach Notification: You will be notified within 60 days if your information is compromised
To exercise any of these rights, contact us at privacy@healthagent.app
3. How We Protect Your Data
| Safeguard | Implementation |
|---|
| Encryption in Transit | TLS 1.3 on all connections |
| Encryption at Rest | AES-256 encryption for stored health data |
| PHI De-identification | HIPAA Safe Harbor method before AI processing |
| Access Controls | Authentication required, session management |
| Audit Logging | All PHI access logged with timestamps, user IDs, IP addresses |
| Breach Detection | Automated monitoring for unusual access patterns |
| Consent Tracking | Documented patient authorization for data access |
| Cloud Infrastructure | Google Cloud with signed HIPAA Business Associate Agreement |
4. Third-Party Data Processors
| Service | Purpose | PHI Exposure |
|---|
| Google Cloud | Hosting, storage | Encrypted at rest (BAA signed) |
| Anthropic (Claude AI) | AI processing | De-identified only — no PHI transmitted |
| Google Calendar | Appointment scheduling | Appointment titles/dates only (with user consent) |
| Resend | Email delivery | Recipient email addresses only |
| VAPI | Phone call facilitation | Phone numbers and call context |
5. Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: Data permanently deleted within 30 days of account deletion
- Audit logs: Retained for 6 years as required by HIPAA
- Backup data: Removed from backups within 90 days of deletion
6. Data Sharing
We never sell your personal or health information. We share data only:
- With third-party processors listed above (under strict contracts)
- With healthcare providers, pharmacies, or insurers at your explicit direction
- When required by law (court order, subpoena)
- To prevent imminent harm (e.g., if you report a medical emergency)
7. Children's Privacy
Health Agent is not intended for use by individuals under 18. Caregivers may add minor patients under their legal care.
8. California Residents (CCPA)
California residents have additional rights including the right to know what data is collected, the right to delete, and the right to opt out of data sales. We do not sell personal information.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email. Continued use after changes constitutes acceptance.
10. Contact Us
For privacy questions, HIPAA requests, or to exercise your data rights: