HIPAA Compliance Notice
How DenaliHealth protects your health information under HIPAA.
Effective: March 5, 2026
Our Commitment
DenaliHealth, operated by Qash Solutions Inc, is committed to protecting the privacy and security of your Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and applicable state privacy laws.
This notice describes how health information about you may be used and disclosed, and how you can access this information.
Protected Health Information (PHI)
When you connect your Medicare account via the official Medicare claims API, we may access the following categories of PHI:
- Patient demographics (age and gender only — we do not store full names, dates of birth, addresses, or Medicare beneficiary IDs)
- Medicare enrollment and coverage details
- Claims and Explanation of Benefits (EOBs)
- Conditions, medications, and screenings (extracted from claims data — lab values are not directly available from Medicare)
This data is accessed only with your explicit authorization through the Medicare OAuth process. You control this connection and can revoke it at any time.
How We Use and Disclose PHI
Permitted Uses
- Treatment support: Providing personalized Medicare coverage guidance, diabetes management coaching, and weight management guidance based on your health records
- Healthcare operations: Improving our service using anonymized, de-identified learning patterns (such as symptom-to-code mappings) that cannot be traced back to any individual. We do not train AI models on your data.
- At your request: Generating appeal letters that reference your specific diagnoses, procedures, and lab results
We Do NOT
- Sell your PHI to any third party
- Use your PHI for marketing purposes
- Share your PHI with employers or insurers
- Disclose your PHI without your consent except as required by law
Safeguards
Technical Safeguards
- AES-256-GCM encryption for all Medicare OAuth tokens at rest
- TLS 1.2+ for all data in transit
- PKCE (Proof Key for Code Exchange) for OAuth authorization to prevent code interception
- Application-level access controls ensuring users can only access their own records through authenticated API routes
- Optional TOTP multi-factor authentication for additional account security
- Automatic token refresh with encrypted storage — we never store your Medicare password
Administrative Safeguards
- Comprehensive audit logging of all PHI access (who, what, when, why, IP address)
- Consent-based access control — health data is only used in AI conversations if you explicitly opt in
- Request purpose tagging on all health data queries (per CMS Interoperability Framework Criterion 22)
- Regular security assessments and vulnerability monitoring
- Incident response procedures for potential breaches
Physical Safeguards
- Infrastructure hosted on AWS (HIPAA-eligible: RDS PostgreSQL, ECS/Fargate, Bedrock) — Business Associate Agreement executed February 25, 2026
- No PHI stored on local devices — all data resides in encrypted cloud databases
- Geographic access controls and network-level security
Your Rights Under HIPAA
As a patient, you have the right to:
- Access your PHI: View all health data we hold about you through the Health page and Settings
- Request amendments: Ask us to correct inaccurate health information
- Request restrictions: Limit how your PHI is used via consent toggles in Settings > Privacy & Data
- Accounting of disclosures: Request a record of when and why your PHI was accessed (audit logs)
- Revoke authorization: Disconnect your Medicare account at any time to stop all PHI access
- File a complaint: If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights
Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days of discovery, as required by the HITECH Act. Notification will include:
- A description of the breach and the data involved
- Steps we have taken to investigate and mitigate the breach
- Steps you can take to protect yourself from potential harm
- Contact information for further questions
Breaches affecting 500 or more individuals will also be reported to the FTC and HHS as required by law, and where required, to the media.
As a personal health record vendor, we also comply with the FTC Health Breach Notification Rule (16 CFR Part 318), which requires notification to affected individuals and, for breaches affecting 500 or more individuals, notification to the FTC.
Incident Response Plan
Our incident response procedures follow the NIST SP 800-61 (Computer Security Incident Handling Guide) framework, adapted for healthcare data. The plan covers five phases:
1. Detection and Identification
- Automated monitoring of authentication failures, unusual data access patterns, and unauthorized API calls via audit logging
- Database-level alerts for bulk data exports, privilege escalation, and access control bypass attempts
- User-reported incidents via admin@denali.health or in-app reporting
2. Containment
- Immediate revocation of compromised credentials and OAuth tokens
- Isolation of affected systems and suspension of impacted user sessions
- Preservation of audit logs and system state for forensic analysis
3. Investigation
- Review of audit logs to determine scope of unauthorized access (who, what, when, from where)
- Assessment of whether PHI was accessed, exfiltrated, or modified
- Engagement of third-party forensic specialists if warranted
4. Notification
- Affected individuals notified within 60 days of discovery via email, as required by the HITECH Act
- HHS Office for Civil Rights notified for breaches affecting 500 or more individuals
- FTC notified per the Health Breach Notification Rule (16 CFR Part 318) where applicable
- Notification includes: description of the incident, types of data involved, steps taken, and recommended user actions
5. Post-Incident Review
- Root cause analysis and documentation of lessons learned
- Updates to security controls, monitoring rules, and incident response procedures based on findings
- Review of Business Associate compliance for any third-party involvement
Business Associates
We work with the following service providers who may process health data on our behalf. We require Business Associate Agreements (BAAs) with all service providers who process protected health information.
- AWS (Amazon Web Services): Database (RDS PostgreSQL), application hosting (ECS/Fargate), and AI processing (Bedrock — runs Claude; health data only sent when user consents to Health Data in AI). AWS is HIPAA-eligible. Our BAA with AWS was executed on February 25, 2026. AWS Bedrock does not store or log prompts and completions by default and does not train models on your data.
- Stripe: Payment processing only — does not process or store any health information. PCI DSS certified.
- Resend: Email delivery for authentication codes and account communications — receives only email addresses. Does not process or store any health information. SOC 2 Type II certified.
All providers handling protected health information operate under a fully executed Business Associate Agreement. Our AWS BAA covers all services that may come into contact with PHI (database, hosting, and AI processing).
Minimum Necessary Standard
We apply the HIPAA Minimum Necessary standard to all PHI access:
- Medicare API requests are scoped to specific FHIR resource types (Patient, Coverage, ExplanationOfBenefit)
- AI context injection includes only clinically relevant information (not raw FHIR bundles)
- Cached health data has a 24-hour TTL — data is refreshed on access and deleted immediately on disconnect or account deletion
- Consent preferences gate which categories of data reach the AI
PHI Retention and Disposal
- Cached health data: 24-hour TTL, refreshed on access, deleted on disconnect or account deletion
- OAuth tokens: Encrypted at rest, deleted on disconnect or account deletion
- Audit logs: Retained for a minimum of 6 years per HIPAA requirements
- Conversations mentioning health data: Deleted on account deletion
- Anonymized learning data: Retained indefinitely (contains no PHI or PII)
Upon account deletion, all PHI is permanently and irreversibly removed from our systems through a cascading deletion process — except audit logs, which are subject to a minimum 6-year HIPAA retention requirement that applies even after account deletion.
Policy Change Notification
We will notify registered users via email at least 30 days before material changes to this HIPAA Compliance Notice take effect. Notifications will include a summary of what changed and why.
If changes are driven by CMS regulatory updates or modifications to the CMS Interoperability Framework, we will specifically identify those changes and explain how they affect your Medicare data handling.
If you disagree with the changes, you may delete your account and all associated data before the effective date (Settings > Danger Zone). Continued use of the Service after the effective date constitutes acceptance of the updated notice.
Privacy Officer Contact
For questions about our HIPAA practices, to exercise your rights, or to file a complaint:
- Email: admin@denali.health
- Organization: Qash Solutions Inc, HIPAA Privacy Officer
You may also file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr/complaints. We will not retaliate against you for filing a complaint.