About this notice
This HIPAA Notice explains how Rymeda, Inc. ("Rymeda", "we", "us") relates to HIPAA, the federal law that protects certain health information held by hospitals, clinics, health plans, and the companies that serve them. We want to be honest and precise here, because HIPAA is often misunderstood and over-claimed by consumer apps.
For most consumer use of Rymeda, the document that governs your information is our Privacy Policy, not HIPAA. This notice exists to explain the difference clearly.
Rymeda's HIPAA posture
Rymeda is a technology company. We build a social health platform that includes the Rymeda Community, Care Portal, and ORIS. Rymeda is not a healthcare provider, a clinic, a hospital, a pharmacy, a health plan, or a healthcare clearinghouse.
For most consumer use of Rymeda, Rymeda is generally not a HIPAA "covered entity," and the information you enter is generally not regulated by HIPAA. When you join the Rymeda Community, chat with ORIS, or keep notes in your own Care Portal, you are entering your own information into a consumer product. That information is treated as personal user content under our Privacy Policy and under applicable consumer health-data privacy laws, not as HIPAA-protected health information.
However, Rymeda may act as a HIPAA "Business Associate" in specific situations. If a provider or healthcare organization that is a HIPAA covered entity uses Rymeda to handle Protected Health Information on its behalf, Rymeda enters into a Business Associate Agreement (a "BAA") with that organization. In those situations, HIPAA does apply to the Protected Health Information that Rymeda handles for that organization, and Rymeda follows the obligations a Business Associate has under HIPAA and under the BAA.
What PHI is
"Protected Health Information," or PHI, is a specific legal term under HIPAA. In plain language, PHI is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity (or a Business Associate acting for one) in connection with treatment, payment, or healthcare operations. It includes information that identifies a person, or could reasonably be used to identify them, and that relates to their physical or mental health, the healthcare they receive, or payment for that care.
The key point is the source and the relationship. Health information becomes PHI under HIPAA when it flows through the regulated healthcare system, for example from your doctor's office or your health plan. The same kind of information that you type into a consumer app yourself is generally not PHI under HIPAA, even though it is still personal and sensitive, and we still protect it.
When HIPAA applies vs. when it does not
To make this concrete:
- Consumer use of Rymeda. HIPAA generally does not apply. Your community posts and comments, your conversations with ORIS, and the medications, vitals, Rymeda Medical Card, and other notes you keep in your own Care Portal are information you choose to enter into a consumer product. This information is governed by our Privacy Policy and by consumer health-data privacy laws that may apply where you live, not by HIPAA.
- Provider or organization use under a BAA. HIPAA can apply. If a covered entity such as a hospital, clinic, or health plan uses Rymeda to create, receive, store, or transmit PHI on its behalf, Rymeda acts as that organization's Business Associate under a signed BAA, and HIPAA applies to that PHI.
During the private beta, Rymeda's consumer features are the primary experience, so for most beta users HIPAA does not apply and the Privacy Policy is the governing document.
When Rymeda acts as a Business Associate
Where Rymeda handles PHI on behalf of a covered entity under a BAA, Rymeda commits to the obligations of a Business Associate under HIPAA, including:
- Using and disclosing the PHI only as permitted by the BAA and by law.
- Applying appropriate administrative, physical, and technical safeguards to protect the PHI.
- Reporting to the covered entity any use or disclosure not permitted by the BAA, and any security incident or breach of unsecured PHI, as required by law.
- Ensuring that any subcontractors that handle PHI on Rymeda's behalf agree to the same restrictions and conditions.
- Making PHI available to support the covered entity's obligations regarding individuals' rights of access and amendment, where applicable.
- Returning or destroying PHI when the BAA ends, where feasible.
Safeguards we use
Regardless of whether HIPAA applies, Rymeda applies meaningful safeguards to the health-related information it holds. These include:
- Encryption in transit. Traffic between the app, the website, and our backend is encrypted using TLS.
- Encryption at rest. Stored data is encrypted at rest in our cloud infrastructure.
- Access controls. Access to production data is limited to a small number of authorized engineers, with role-based controls.
- Audit logging. Access to sensitive data is logged so that we can review who accessed what and when.
- BAA-gated AI processing. Where AI processing involves PHI, that processing runs only with an AI provider that is under a Business Associate Agreement. For general consumer ORIS use, we send only the content needed to generate a response and avoid sending identifiers where we can.
No system is perfectly secure, and Rymeda cannot guarantee absolute security. Rymeda has not completed a SOC 2 audit and has not been certified as HIPAA compliant during this beta. If a security incident affects your information, we will notify you as required by applicable law.
Your rights
For consumer information governed by our Privacy Policy, you have rights to access, correct, delete, and export your information, and to withdraw consent where we rely on it. See the Privacy Policy for details, and our data deletion page for how to delete your account and data.
For PHI that Rymeda handles as a Business Associate on behalf of a covered entity, your HIPAA rights, including the right to access and request amendment of your records, are exercised through that covered entity, which is the organization responsible for your PHI under HIPAA. If you are not sure which applies to you, email us and we will help direct your request.
If you are outside the United States
HIPAA is a United States law. It does not govern people who use Rymeda from outside the United States. This notice explains HIPAA because Rymeda is a US company, but the protections that apply to your health information depend on where you live.
Rymeda is not currently offered in the European Economic Area (EEA), the United Kingdom, or Switzerland. If we launch in those regions in the future, health information will be treated as "special category" personal data under the General Data Protection Regulation (GDPR) and the UK GDPR, and will be governed by our Privacy Policy and our International Privacy Notice, not by HIPAA.
If you are anywhere else in the world, your health information is covered by the consumer-health-data and privacy laws that apply where you live, as described in our Privacy Policy.
This notice is informational
This notice is provided for information only. It is not a legal HIPAA Notice of Privacy Practices, and it does not create rights that you would not otherwise have under law. For consumer use of Rymeda, our Privacy Policy is the governing document for your data. Where HIPAA applies because Rymeda is acting as a Business Associate, the relevant Business Associate Agreement and HIPAA govern.
Contact
For questions about this notice or about how Rymeda handles health information, email privacy@rymeda.com. You can also visit our contact page.
