HIPAA Compliance Statement

Last updated: February 24, 2026

1. We Are Not a HIPAA-Covered Entity

AlgoGenics is not a "covered entity" or "business associate" as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164).

Our platform is designed and intended for research, academic, and non-clinical purposes only. We do not provide medical services, maintain protected health information (PHI) on behalf of covered entities, or act as a business associate to any healthcare provider, health plan, or healthcare clearinghouse.

2. No HIPAA Obligations Apply

Because we are not a covered entity or business associate, the HIPAA Privacy, Security, and Breach Notification Rules do not directly apply to the data you upload or the analyses we perform. We do not enter into Business Associate Agreements (BAAs) and are not required to do so.

3. Our Commitment to Data Protection

Even though HIPAA does not legally apply, we recognize the sensitivity of genomic, health-related, and personal data. We voluntarily implement robust security and privacy safeguards consistent with industry best practices and aligned with the spirit of HIPAA's Security Rule.

  • Data Encryption: All data is encrypted in transit using TLS 1.3+ and at rest using AES-256 where technically feasible.
  • Access Controls: Strict role-based access control (RBAC). Only a limited number of authorized personnel — and, when necessary, reviewing specialists bound by strict confidentiality agreements — can access case data.
  • Minimum Necessary: We collect and retain only the data required to deliver the Services you request.
  • Confidentiality Obligations: All team members and any external specialists with access to data sign strict confidentiality and non-disclosure agreements.
  • Security Practices: Regular vulnerability scanning, penetration testing, secure cloud hosting (SOC 2-aligned providers), comprehensive logging and monitoring, and documented incident response procedures.
  • Data Retention & Deletion: We retain data only as long as necessary to provide the Services or comply with legal obligations. You may request deletion of your account and associated data at any time (subject to legal retention requirements).

These measures are designed to protect the confidentiality, integrity, and availability of your data to the highest standard reasonably practicable for a non-HIPAA-covered research platform.

Questions?

If you have questions about our data practices or this statement, please contact us at: privacy@algogenics.com