HIPAA Compliance
Our commitment to protecting patient health information
Our Commitment to HIPAA
SleepDx is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). As a business associate of healthcare providers, we take our responsibility to protect patient health information seriously.
Administrative Safeguards
We have implemented comprehensive administrative safeguards including:
- Designated Privacy and Security Officers
- Comprehensive workforce training on HIPAA requirements
- Documented policies and procedures for PHI handling
- Regular risk assessments and security audits
- Incident response and breach notification procedures
- Sanction policy for workforce members who violate HIPAA
Physical Safeguards
Our physical security measures include:
- Secure, access-controlled data center facilities (Microsoft Azure)
- Environmental controls (fire suppression, climate control)
- Physical access logs and monitoring
- Workstation security policies
- Device and media controls for equipment containing PHI
Technical Safeguards
We employ robust technical safeguards to protect electronic PHI:
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Controls: Role-based access control (RBAC) limiting access to minimum necessary
- Authentication: Multi-factor authentication for platform access
- Audit Controls: Comprehensive logging of all system access and PHI interactions
- Integrity Controls: Mechanisms to ensure PHI is not improperly altered or destroyed
- Transmission Security: All data transmitted over encrypted channels
Business Associate Agreements
We maintain Business Associate Agreements (BAAs) with all parties who may access or handle PHI on our behalf:
- EnsoData: AI sleep study scoring
- Impilo Health: Device fulfillment and logistics
- Microsoft Azure: Cloud infrastructure and hosting
- Interpreting Physicians: Board-certified sleep specialists
We also enter into BAAs with all healthcare provider customers who use our platform.
Patient Rights
We support healthcare providers in fulfilling patient rights under HIPAA:
- Right to Access: Patients can request copies of their health records
- Right to Amend: Patients can request corrections to their records
- Right to an Accounting: Patients can request a record of disclosures
- Right to Restrict: Patients can request restrictions on uses and disclosures
- Right to Confidential Communications: Patients can request alternative communication methods
Breach Notification
In the event of a breach of unsecured PHI, we will notify affected covered entities within 60 days of discovery, as required by HIPAA. We maintain incident response procedures to quickly identify, contain, and remediate any potential breaches.
Minimum Necessary Standard
We apply the minimum necessary standard to all uses, disclosures, and requests for PHI. Access to patient information is limited to what is necessary to accomplish the intended purpose.
Infrastructure Security
Our platform is built on Microsoft Azure's healthcare-compliant cloud infrastructure:
Contact Our Privacy Officer
For questions about our HIPAA compliance practices or to report a concern:
SleepDx Privacy Officer
Email: privacy@sleepdx.health
All privacy concerns are treated confidentially and investigated promptly.