HIPAA Overview

Introduction

MenoTime by Timeless Biotech is a HIPAA-compliant health technology platform designed to securely handle menopause clinical data. As a platform managing Protected Health Information (PHI), we must adhere to the Health Insurance Portability and Accountability Act (HIPAA) regulations to protect patient privacy and maintain the trust of healthcare providers and patients.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation enacted in 1996 that establishes national standards for protecting patient health information. HIPAA applies to:

  • Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses
  • Business Associates: Organizations that handle PHI on behalf of covered entities (including MenoTime)

HIPAA consists of five main rules:

  1. Privacy Rule — Controls use and disclosure of PHI
  2. Security Rule — Requires safeguards for electronic PHI (ePHI)
  3. Breach Notification Rule — Mandates notification of unauthorized access or disclosure
  4. Omnibus Rule — Extends HIPAA obligations to Business Associates
  5. Enforcement Rule — Establishes penalties for violations

PHI vs. De-Identified Data

Understanding the distinction between PHI and de-identified data is critical to how MenoTime operates.

Protected Health Information (PHI)

PHI is any health information that can be used to identify an individual. This includes:

  • Direct identifiers: Name, medical record number, health plan ID, email address, phone number, date of birth, social security number
  • Clinical data: Diagnoses, symptoms, lab results, medications, treatment plans
  • Biometric identifiers: Fingerprints, facial recognition data
  • Any combination of data that could reasonably identify a patient

At MenoTime, PHI is handled when:

  • Healthcare providers submit patient clinical data for analysis
  • Patient records are created or updated
  • Treatment recommendations are generated

PHI requires maximum protection under HIPAA's Security Rule (see "HIPAA Security Rule Requirements" below).

De-Identified Data

De-identified data is health information that has been stripped of identifiers so it cannot reasonably identify an individual. De-identified data is not subject to HIPAA regulations and can be used more freely for research, analysis, and product improvement.

MenoTime uses the HIPAA Safe Harbor method (see below) to de-identify provider-submitted clinical data for internal analytics and research purposes.

Safe Harbor De-Identification Method

HIPAA defines two methods for de-identifying health information: Safe Harbor and Expert Determination. MenoTime uses the Safe Harbor method, which requires removing or encrypting 18 specific identifiers:

Identifiers to Remove

  1. Names — Patient names, healthcare provider names, facility names
  2. Geographic subdivisions — City, county, state (except first 3 digits of ZIP code)
  3. Dates — Dates of birth, admission, discharge, death (keep only year for ages 89 and under)
  4. Phone numbers — All phone numbers
  5. Fax numbers — All fax numbers
  6. Email addresses — All email addresses
  7. Social Security numbers — All SSNs
  8. Medical record numbers — All medical record identifiers
  9. Health plan beneficiary numbers — All identifiers relating to health insurance
  10. Account numbers — All financial account numbers
  11. Certificate/license numbers — All professional license numbers
  12. Vehicle identifiers — All vehicle serial numbers, license plate numbers
  13. Device identifiers — All implantable device identifiers
  14. Web URLs — All website URLs
  15. IP addresses — All IP addresses
  16. Biometric identifiers — All biometric identifiers, including fingerprints
  17. Full-face photographs — All photographic images
  18. Any other unique identifier — Any other characteristics that uniquely identify the individual

Safe Harbor Process at MenoTime

  1. Data receipt — Provider submits patient clinical data through secure channels
  2. Identification — System identifies all 18 categories of information
  3. Removal/Encryption — Identifiers are cryptographically removed or hashed
  4. Verification — Automated and manual checks confirm de-identification
  5. Storage — De-identified data stored in separate database with limited access
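The identifier list and the five-step process above, worked through as an added Python example (not MenoTime's own code, and not part of the original page). Field names, the sample record, the table of which fields are dropped, hashed or reduced to year, and the free-text patterns are all assumptions for illustration; a real pipeline would key them to the actual schema and pair the regexes with a clinical NER model. The example covers the three transformations Safe Harbor actually requires beyond deletion: ZIP codes cut to three digits, dates reduced to year, and ages over 89 collapsed into a single "90 or older" band; it then runs the automated verification check from step 4 against its own output.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample record for illustration only; no real patient data.
# Field names (name, mrn, zip, dob, ...) are assumptions, not MenoTime's schema.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-00012345",
    "email": "jane@example.org",
    "phone": "555-0100",
    "ip": "203.0.113.7",
    "zip": "02139",
    "dob": "1961-04-17",
    "visit_date": "2024-03-02",
    "symptoms": "hot flashes, night sweats",
    "notes": "Reports sleep disruption; follow up at jane@example.org or 555-0100.",
}

DROP_FIELDS = {"name", "email", "phone", "ip"}   # categories 1, 6, 4, 15: removed outright
HASH_FIELDS = {"mrn"}                             # category 8: replaced by a keyed pseudonym
DATE_FIELDS = {"dob", "visit_date"}               # category 3: reduced to year only
FULL_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Patterns for identifiers that leak into free-text fields. Deliberately simple;
# production de-identification pairs these with an NER model and manual review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
]


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for record linkage, unrecoverable without the
    key, which belongs in Secrets Manager rather than beside the de-identified data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def safe_harbor_zip(zip_code: str, restricted_prefixes=frozenset()) -> str:
    """Keep the first three ZIP digits. Safe Harbor requires '000' when the
    three-digit area holds 20,000 or fewer people; that prefix list is derived
    from Census data and supplied by the caller (assumed, not shown here)."""
    prefix = zip_code[:3]
    return "000" if prefix in restricted_prefixes else prefix


def age_in_years(iso_date: str, today: date) -> int:
    born = date.fromisoformat(iso_date)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def scrub_free_text(text: str) -> str:
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, key: bytes, today: date, restricted_prefixes=frozenset()) -> dict:
    """Steps 2 and 3: classify every field and remove, hash or generalize it."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in HASH_FIELDS:
            out[f"{field}_pseudo"] = pseudonymize(value, key)
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = value[:4]
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value, restricted_prefixes)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    if "dob" in record:
        age = age_in_years(record["dob"], today)
        # Ages over 89 must collapse into a single "90 or older" category, and the
        # birth year alone would reveal such an age, so it is dropped as well.
        if age > 89:
            out.pop("dob_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def verify_deidentified(record: dict) -> list:
    """Step 4: automated check that no raw identifier, full date or contact detail survived."""
    findings = []
    for field in DROP_FIELDS | HASH_FIELDS | DATE_FIELDS | {"zip"}:
        if field in record:
            findings.append(f"raw field present: {field}")
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if FULL_DATE.search(value):
            findings.append(f"full date in {field}")
        for pattern, label in FREE_TEXT_PATTERNS:
            if pattern.search(value):
                findings.append(f"{label} in {field}")
    return findings


if __name__ == "__main__":
    key = b"demo-key-do-not-use"  # constructed; a real key lives in Secrets Manager
    clean = deidentify(SAMPLE_RECORD, key, today=date(2024, 6, 1))
    print(clean)
    print("findings:", verify_deidentified(clean))
```

The keyed pseudonym is what lets the de-identified store still link repeat visits of the same patient without holding the medical record number; whoever holds the HMAC key can re-identify, so the key must stay with the PHI side of the boundary, not in the analytics database.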

De-identified data may be used for:

  • Internal analytics and research
  • Product improvement and feature development
  • Quality assurance studies
  • De-identified research publications

Business Associate Agreement (BAA)

A Business Associate Agreement is a legally binding contract that must be in place before MenoTime handles any PHI on behalf of a healthcare provider or health plan.

BAA Requirements

All MenoTime healthcare provider partners must sign a BAA that specifies:

  • MenoTime's permitted uses and disclosures of PHI
  • MenoTime's obligation to safeguard PHI (aligned with HIPAA Security Rule)
  • Breach notification procedures and timelines
  • Subcontractor requirements (BAA flow-down clauses)
  • Rights to audit and assessment of MenoTime's security
  • Data return and destruction procedures upon contract termination
  • Permitted purposes: storage, processing, and analysis of menopause clinical data

MenoTime's BAA Obligations

As a Business Associate, MenoTime must:

  1. Implement HIPAA Security Rule safeguards (see below)
  2. Maintain audit logs and trails of all PHI access and modifications
  3. Notify providers of breaches within 60 calendar days
  4. Restrict subcontractors — Any vendor accessing PHI must sign a BAA or data processing agreement
  5. Cooperate with provider audits — Provide audit reports and security assessments
  6. Ensure data return/destruction — Upon contract termination, return or destroy all PHI

Action: All healthcare provider partnerships must have an executed BAA on file before any PHI is exchanged.

HIPAA Security Rule Requirements

The HIPAA Security Rule establishes technical and organizational safeguards for electronic PHI (ePHI). It consists of three main categories:

1. Administrative Safeguards

1.1 — Security Management Process

  • Establish and implement risk assessment and risk management procedures
  • Identify threats and vulnerabilities to ePHI
  • Implement controls to reduce risks to acceptable levels

MenoTime Implementation:

  • Annual security risk assessments conducted by the internal security team
  • Vulnerability scanning with AWS Security Hub and GuardDuty
  • Threat modeling for new features handling PHI
  • Security incident response plan (see "Incident Response" documentation)

1.2 — Assigned Security Responsibility

  • Designate a Privacy Officer and Security Officer

MenoTime Implementation:

  • Security Officer responsible for HIPAA compliance oversight
  • Privacy Officer handles data handling inquiries and BAA negotiations
  • Reporting structure to executive leadership

1.3 — Workforce Security

  • Implement access controls for all workforce members
  • Ensure authorization and supervision procedures
  • Manage workforce member termination and access removal

MenoTime Implementation:

  • All employees have individual IAM accounts with MFA
  • Access provisioned based on job function (see "Access Control" documentation)
  • Offboarding checklist ensures access removal within 24 hours of termination
  • Quarterly access reviews to ensure the least privilege principle

1.4 — Information Access Management

  • Grant access to ePHI based on role and necessity
  • Implement user access logs and monitoring

MenoTime Implementation:

  • IAM policies enforce role-based access control (RBAC)
  • Developers have DEV environment access only (not PROD)
  • Database access controlled via IAM database authentication
  • CloudTrail logs all API calls and access attempts

1.5 — Security Awareness and Training

  • Train all employees on HIPAA requirements and security best practices
  • Implement password management, log-in monitoring, and encryption procedures

MenoTime Implementation:

  • All employees complete HIPAA training during onboarding
  • Annual HIPAA and security training required for all staff
  • Regular security awareness communications
  • Testing and incident simulations to reinforce training

1.6 — Security Incident Procedures

  • Establish procedures to address security incidents

MenoTime Implementation:

  • Security incident response plan with defined escalation levels (see "Incident Response")
  • Breach notification procedures aligned with the HIPAA 60-day rule
  • Root cause analysis and remediation process
  • Post-incident review to prevent recurrence

1.7 — Contingency Planning

  • Establish data backup and disaster recovery procedures

MenoTime Implementation:

  • Daily RDS automated backups retained for 30 days
  • Cross-region disaster recovery setup in AWS
  • Quarterly backup restoration testing
  • RTO/RPO targets: 4 hour RTO, 1 hour RPO

2. Physical Safeguards

2.1 — Facility Access

  • Control physical access to facilities containing ePHI

MenoTime Implementation:

  • All infrastructure hosted on AWS (no on-premises ePHI storage)
  • AWS data centers have physical access controls (badge readers, surveillance)
  • Employees work remotely; no physical servers in the office

2.2 — Workstation Use

  • Implement policies for appropriate use of workstations

MenoTime Implementation:

  • All employee laptops encrypted with FileVault (Mac) or BitLocker (Windows)
  • Screen locks required after 5 minutes of inactivity
  • VPN required for all remote access
  • Prohibition on working with ePHI on personal devices

2.3 — Workstation Security

  • Implement safeguards to prevent unauthorized access

MenoTime Implementation:

  • Endpoint security software (antivirus/malware detection) on all devices
  • Monthly security patching for OS and applications
  • USB port restrictions (no unauthorized removable media)

2.4 — Device and Media Controls

  • Implement safeguards for disposal of hardware and removable media

MenoTime Implementation:

  • All decommissioned hardware securely wiped or destroyed
  • Data destruction certificates required from vendors
  • No removable media (USB drives, external hard drives) permitted for ePHI

3. Technical Safeguards

3.1 — Access Controls

  • Implement user authentication and encryption

MenoTime Implementation:

  • Multi-factor authentication (MFA) required for all IAM users (see "MFA Enforcement")
  • Strong password policy (see "Password Policy")
  • Encryption of credentials in Secrets Manager

3.2 — Audit Controls

  • Implement mechanisms to record and examine activity involving ePHI

MenoTime Implementation:

  • CloudTrail logs all API calls and modifications
  • CloudWatch logs application events and errors
  • RDS audit logging (pgAudit) for database access
  • 12-month log retention for compliance audits

3.3 — Integrity Controls

  • Implement mechanisms to protect against unauthorized modification

MenoTime Implementation:

  • Code reviews required before deployment
  • Database encryption at rest (AES-256 via KMS)
  • Data integrity checks on imports and exports
  • Signed commits in Git repositories

3.4 — Transmission Security

  • Encrypt data in transit using industry-standard protocols

MenoTime Implementation:

  • TLS 1.2+ for all HTTP/HTTPS communication
  • VPN for database connections from application servers
  • Encrypted SFTP for file transfers with providers
  • No unencrypted email transmission of PHI
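The audit-control requirement in 3.2 is to record activity involving ePHI and to examine it. Recording is what pgAudit does; examining it is left to a review process. The following added Python example (not MenoTime's tooling, and not from the original page) shows the examining half: it parses pgAudit session lines in their documented CSV layout (audit type, statement id, substatement id, class, command, object type, object name, statement, parameter) and flags two conditions that a quarterly access review or an incident responder would want surfaced: a role outside the allow-list reading a PHI table, and any destructive command against one. The log lines, the "user=...,db=..." prefix (which depends on the log_line_prefix setting), the table names and the role names are all constructed for illustration.

```python
import csv
import re

# Constructed pgAudit lines for illustration. The "user=...,db=..." prefix assumes a
# log_line_prefix that emits them; table and role names are invented, not MenoTime's.
SAMPLE_LOG = [
    '2024-03-02 10:15:01 UTC [4112] user=menotime_app,db=menotime LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.patient_records,"SELECT id, symptoms FROM patient_records WHERE id = $1",<none>',
    '2024-03-02 10:16:44 UTC [4113] user=dev_analyst,db=menotime LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.patient_records,"SELECT * FROM patient_records",<none>',
    '2024-03-02 10:17:09 UTC [4114] user=menotime_app,db=menotime LOG:  AUDIT: SESSION,2,1,WRITE,DELETE,TABLE,public.patient_records,"DELETE FROM patient_records WHERE id = $1",<none>',
    '2024-03-02 10:18:30 UTC [4115] user=dev_analyst,db=menotime LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.deid_analytics,"SELECT * FROM deid_analytics",<none>',
]

PHI_TABLES = {"public.patient_records"}                     # assumed: tables holding ePHI
PHI_ALLOWED_ROLES = {"menotime_app"}                        # assumed: the only role that may touch them
REVIEW_COMMANDS = {"DELETE", "UPDATE", "TRUNCATE", "DROP"}  # destructive: always surfaced for review

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] user=(?P<user>[^,]+),db=(?P<db>\S+) LOG:\s+AUDIT: (?P<audit>.*)$"
)


def parse_pgaudit_line(line: str):
    """Split one pgAudit log line into its prefix fields and the CSV audit record.
    Returns None for lines that are not pgAudit output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The audit record is CSV; the statement field is quoted when it contains commas,
    # so a real CSV parser is used rather than a naive split(",").
    fields = next(csv.reader([m.group("audit")]))
    if len(fields) < 8:
        return None
    return {
        "ts": m.group("ts"),
        "user": m.group("user"),
        "db": m.group("db"),
        "class": fields[3],
        "command": fields[4],
        "object": fields[6],
        "statement": fields[7],
    }


def review_phi_access(lines):
    """Return (reason, timestamp, user, object, command) tuples for events that
    need a human look: non-allow-listed roles touching PHI, or destructive commands."""
    findings = []
    for line in lines:
        ev = parse_pgaudit_line(line)
        if ev is None or ev["object"] not in PHI_TABLES:
            continue
        if ev["user"] not in PHI_ALLOWED_ROLES:
            findings.append(("unauthorized_role", ev["ts"], ev["user"], ev["object"], ev["command"]))
        if ev["command"] in REVIEW_COMMANDS:
            findings.append(("destructive_command", ev["ts"], ev["user"], ev["object"], ev["command"]))
    return findings


if __name__ == "__main__":
    for finding in review_phi_access(SAMPLE_LOG):
        print(*finding)
```

Run over the constructed lines this surfaces the analyst role reading the PHI table and the application's DELETE; the read of the de-identified analytics table is ignored, which is the point of keeping PHI and de-identified data in separate tables or databases with distinct roles, as the Safe Harbor process above requires.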

Employee Responsibilities

All MenoTime employees, contractors, and volunteers with access to PHI have specific responsibilities:

1. Protect PHI

  • Never disclose PHI to unauthorized persons
  • Use minimum necessary — Access and use only the PHI required for your job function
  • Report suspicions — Immediately report any suspicious activity or unauthorized access
  • Secure devices — Keep laptops, phones, and USB devices physically secure
  • Lock screens — Always lock your workstation when stepping away

2. Follow Security Policies

  • Comply with password policies (see "Password Policy")
  • Enable and use MFA (see "MFA Enforcement")
  • Use Secrets Manager for all credentials (never hardcode, never share credentials)
  • Encrypt sensitive data (see "Encryption Standards")
  • Follow data classification rules (see "Data Classification")

3. Complete Training

  • HIPAA training — Complete during onboarding and annually
  • Security training — Attend annual security training
  • Incident drills — Participate in security incident simulations

4. Report Incidents

If you suspect a security incident or breach:

  1. Stop the activity immediately
  2. Do not destroy evidence — Do not modify affected systems or logs
  3. Report to Security Officer — Contact security@timelessbiotech.com with details
  4. Escalate if PHI exposed — Contact Privacy Officer if patient data may have been compromised
  5. Do not disclose externally — Let leadership handle external communications

5. Maintain Confidentiality

  • Confidential Information Agreement — All employees sign an NDA
  • No public discussion — Do not discuss PHI or security details on social media, in public, or with unauthorized parties
  • Vendor confidentiality — Ensure vendors and contractors sign appropriate agreements

Compliance and Auditing

MenoTime's HIPAA compliance is an ongoing commitment:

  • Quarterly security reviews — Internal assessment of controls and gaps
  • Annual audit — Third-party security and compliance audit
  • Provider audits — Accommodate customer audits and security assessments
  • Vulnerability assessments — Regular security testing and penetration testing
  • Incident tracking — Maintain log of all security incidents and remediation

Questions? Contact the Security Officer at security@timelessbiotech.com or the Privacy Officer at privacy@timelessbiotech.com.