Legal
HIPAA Privacy & Security Statement
Business Associate statement — not a Notice of Privacy Practices. The Headache Vault is a HIPAA Business Associate (BA), not a Covered Entity. This document describes how we handle PHI on behalf of healthcare provider customers. For your provider's Notice of Privacy Practices, contact your healthcare provider directly.
The Headache Vault, LLC operates as a HIPAA Business Associate. We process Protected Health Information (PHI) on behalf of healthcare providers (Covered Entities) who use our platform. This statement describes how we handle PHI, the safeguards we maintain, and your rights in relation to health information processed through our Services.
1. Our Role Under HIPAA
The Headache Vault is a Business Associate, not a Covered Entity. We do not provide healthcare services directly. We create, receive, maintain, and transmit PHI on behalf of provider customers — including patient check-in data, medication records, functional impact scores, disability assessments, and prior authorization documentation.
We enter into Business Associate Agreements (BAAs) with all provider customers before any PHI is transmitted through our platform.
2. What PHI We Handle
Through the platform, we process the following categories of PHI on behalf of provider customers:
- Patient identity information (name, date of birth, contact information)
- Headache disorder diagnosis and condition history
- Daily functional impact scores and symptom entries
- Medication history (current medications, failed trials, acute use)
- Disability assessment scores (MIDAS, HIT-6)
- Prior authorization documentation and payer correspondence
- Visit Ready Reports and clinical summaries
- AI Partner narrative records (patient-contributed clinical context)
We do not process financial account numbers, Social Security numbers, or payment card information through the clinical platform.
3. How We Use PHI
We use PHI solely to perform services on behalf of provider customers, as described in our Business Associate Agreements. Permitted uses include:
- Providing the platform's clinical features (check-ins, reports, prior authorization generation) to enrolled providers and patients
- Performing system operations, maintenance, and security functions
- As required by law
We do not use PHI for marketing purposes, advertising, or any purpose not authorized by the applicable BAA and HIPAA regulations.
4. Technical Safeguards
We implement the following technical safeguards for PHI:
Storage
Patient and provider data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure with AES-256 encryption at rest.
Transmission
All data in transit is encrypted via TLS 1.2 or higher. No PHI is transmitted over unencrypted channels.
Access controls
Role-based access controls and row-level security policies ensure providers can only access data for their own patients. Patients control what data is shared with their providers.
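As an illustration of the row-level security approach described above, the following PostgreSQL policy set is an added example and is not the platform's actual schema: the table names (`patient_checkins`, `provider_access`), column names, and the two-role model (patient and provider, both authenticated through the same identity provider) are assumptions made for the example. It assumes Supabase's `auth.uid()` helper, which returns the `sub` claim of the caller's JWT, and the `authenticated` database role that Supabase assigns to signed-in users.

```sql
-- Added example: row-level security that lets a patient read only their own
-- rows and lets a provider read a patient's rows only while the patient has
-- an unrevoked access grant. Table and column names are assumptions.
create table if not exists patient_checkins (
  id           bigint generated always as identity primary key,
  patient_id   uuid not null,                 -- auth.users.id of the patient
  recorded_at  timestamptz not null default now(),
  impact_score int  not null check (impact_score between 0 and 10),
  notes        text
);

-- Patient-controlled grant table: one row per (provider, patient) pair.
-- A grant is active while revoked_at is null.
create table if not exists provider_access (
  provider_id uuid not null,                  -- auth.users.id of the provider
  patient_id  uuid not null,
  revoked_at  timestamptz,
  primary key (provider_id, patient_id)
);

alter table patient_checkins enable row level security;
alter table provider_access  enable row level security;
-- force: the table owner is subject to the policies too, not only other roles.
alter table patient_checkins force row level security;
alter table provider_access  force row level security;

-- Patients read only their own check-ins.
create policy patient_reads_own on patient_checkins
  for select to authenticated
  using (patient_id = auth.uid());

-- Providers read a patient's check-ins only through an active grant.
-- The subquery itself runs under RLS, so it only sees grants the caller
-- is allowed to see (see provider_sees_own_grants below).
create policy provider_reads_granted on patient_checkins
  for select to authenticated
  using (exists (
    select 1
    from provider_access pa
    where pa.patient_id  = patient_checkins.patient_id
      and pa.provider_id = auth.uid()
      and pa.revoked_at is null));

-- Patients create, view, and revoke their own grants.
create policy patient_manages_grants on provider_access
  for all to authenticated
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- Providers can see (but not change) grants that name them.
create policy provider_sees_own_grants on provider_access
  for select to authenticated
  using (provider_id = auth.uid());

-- Check: a provider with no active grant sees no check-in rows.
-- The JWT claims are injected the way Supabase's auth.uid() reads them;
-- the transaction is rolled back so the check leaves no trace.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}',
  true);
select count(*) from patient_checkins;   -- expect 0 with no grant for this sub
rollback;
```

Two points a reviewer would check when applying this pattern: the `service_role` key that Supabase issues bypasses RLS entirely, so any server-side code holding it must not be reachable from the browser; and revocation takes effect on the next query because the provider policy re-evaluates the grant table on every read rather than caching a decision.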
Authentication
Provider and patient accounts use Supabase Auth with support for multi-factor authentication.
Audit logging
Access to PHI is logged. Patient state transitions and provider actions are recorded in audit tables.
AI processing
Clinical note parsing uses the Anthropic API (Claude). Anthropic has executed a Business Associate Agreement with The Headache Vault, LLC covering this processing.
Voice transcription
Voice input is captured with the browser's Web Speech API. No audio is transmitted to our servers; only the resulting text transcript is sent for clinical parsing. The Web Speech API does not, however, guarantee on-device recognition: in several major browsers, including Chrome, the browser itself sends the captured audio to the browser vendor's speech-recognition service to produce the transcript. That transmission happens between the user's browser and the browser vendor, is outside our control, and is not covered by our BAAs.
5. Business Associate Agreements with Subcontractors
As required by HIPAA, a BAA must be in place with every subcontractor that creates, receives, maintains, or transmits PHI on our behalf (our BAA with Anthropic for AI processing is described in Section 4). Our assessment of the messaging subcontractors is as follows:
Twilio (SMS)
Twilio is not intended to receive PHI. SMS payloads contain only generic reminder text: no patient name, diagnosis, symptom, medication, or other health information. Twilio necessarily receives the recipient's phone number in order to deliver the message, so keeping the message body free of health content is what keeps this channel out of BAA scope; on that basis no Twilio BAA is required.
Resend (transactional email)
Resend sends enrollment invitations and check-in reminders. These emails contain a limited amount of PHI (the patient's name, in the context of enrollment with a headache care provider), which makes Resend a subcontractor for HIPAA purposes. A BAA with Resend will be evaluated prior to pilot launch.
6. Breach Notification
In the event of a breach of unsecured PHI, we will notify the affected Covered Entity customers without unreasonable delay and no later than 60 calendar days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D; business associate obligations at 45 CFR 164.410). A breach is treated as discovered on the first day it is known to us, or by exercising reasonable diligence would have been known to us or to any member of our workforce or agent.
Notification will include, to the extent the information is available, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, together with the information the Covered Entity needs for its own risk assessment and for its notifications to individuals:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
- The steps individuals should take to protect themselves from potential harm
- What we are doing to investigate the breach, mitigate harm, and protect against further breaches
To report a suspected breach or security concern: alex@headachevault.com
7. Patient Rights
Patients whose PHI is processed through our platform should direct requests regarding their health information (access, amendment, accounting of disclosures, restrictions) to their healthcare provider (the Covered Entity), not to The Headache Vault directly. We will cooperate with provider customers to support patient rights requests as required by our BAAs.
Patients have direct control over their Vault records through the patient application, including the ability to view their data, revoke provider access, and export their records.
8. Retention and Destruction
PHI is retained for the duration of the provider customer relationship plus the period required by applicable law or the BAA terms. Upon termination of a BAA, we will return or destroy PHI as directed by the Covered Entity, unless retention is required by law.
9. Contact and Complaints
Privacy Officer: Alex Doty
The Headache Vault, LLC
Email: alex@headachevault.com
Individuals who believe their privacy rights have been violated may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy/hipaa/complaints.
Related policies
For non-PHI data collection practices, see our Privacy Policy.
This document is a draft pending attorney review. Not legal advice.