HIPAA and Protected Health Information
This page explains how HIPAA may relate to your use of Reteno, when it can apply to your app, and what data should not be sent to the platform.
What HIPAA Covers
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a US federal law that protects certain health information. It applies to healthcare organizations such as health plans, healthcare clearinghouses, and healthcare providers, known as covered entities, and to vendors that create, receive, maintain, or transmit protected health information on their behalf, known as business associates.
Protected health information, or PHI, is individually identifiable health information connected to a person's health status, healthcare, or payment for healthcare. This can include diagnoses, test results, treatment details, insurance information, and identifiers connected to a health context.
A useful distinction for app teams: HIPAA applies only when your organization is a covered entity or a business associate of one. Many consumer health, wellness, and fitness apps are neither, and the data they collect, however sensitive, is not PHI under HIPAA (it may still fall under other privacy laws). If you are unsure whether HIPAA applies to your organization or app, confirm with your legal or compliance team.
How Reteno Protects Customer Data
Reteno protects customer data through a structured security and privacy program that includes:
- ISO/IEC 27001:2022: Reteno operates an information security management system certified to ISO/IEC 27001:2022. See Information Security and ISO/IEC 27001.
- Security and privacy control review: Reteno has reviewed relevant security and privacy controls with HIPAA Security and Privacy Rule considerations in mind.
- GDPR: Reteno supports GDPR compliance through a Data Processing Agreement and Privacy Policy. See GDPR Overview.
What This Means for You
If your organization is subject to HIPAA and handles PHI, do not send PHI to Reteno.
Keep PHI within your HIPAA-covered systems and send Reteno only non-health, non-identifying engagement data. This applies to every path into the platform: do not send PHI through any platform feature, message, event, integration, webhook, import, or API request.
Examples of data that should not be sent to Reteno include diagnoses, treatment details, lab results, prescriptions, insurance information, medical record numbers, and any other information that identifies a person in a health context. Note that ordinary engagement data becomes PHI as soon as it ties an identifiable person to a health condition or service: an event name, segment, or campaign label that reveals a condition or treatment is enough, even when no medical field is sent.
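The rule above is easiest to enforce mechanically on the sending side, before any request leaves the covered system. The following is an added example, not Reteno's code or schema: it allowlists the engagement fields permitted to leave, drops everything else, requires the user identifier to be an opaque pseudonym, and rejects allowed values that still carry health context. The field names, the sample event, and the health-context term list are assumptions for illustration.

```python
import re
import uuid

# Allowlist of engagement fields permitted to leave the covered system.
# Field names are assumptions for this example, not Reteno's schema.
ALLOWED_FIELDS = frozenset(
    {"event_name", "user_id", "timestamp", "app_version", "platform", "locale"}
)

# Terms that signal a health context inside an otherwise-allowed value,
# e.g. an event name like "appointment_booked_oncology". Illustrative, not exhaustive.
HEALTH_CONTEXT = re.compile(
    r"diagnos|treatment|therap|lab_?result|prescri|insur|mrn|medical_record|icd|oncolog|clinic",
    re.IGNORECASE,
)


class PHIPolicyViolation(ValueError):
    """Raised when an allowed field would still place the user in a health context."""


def is_pseudonymous_id(value) -> bool:
    """Accept only opaque UUIDs; the user-to-UUID mapping stays in the covered system."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def filter_event(event: dict) -> tuple[dict, list[str]]:
    """Split an event into (fields safe to send, names of fields dropped).

    Non-allowlisted fields are dropped rather than failing the event, so
    engagement traffic keeps flowing; the dropped list should be logged
    inside the covered system so a misconfigured producer is noticed.
    """
    clean = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in event if k not in ALLOWED_FIELDS)

    if "user_id" in clean and not is_pseudonymous_id(clean["user_id"]):
        raise PHIPolicyViolation("user_id must be an opaque pseudonym, not an MRN or e-mail")

    for key, value in clean.items():
        if key != "user_id" and isinstance(value, str) and HEALTH_CONTEXT.search(value):
            raise PHIPolicyViolation(f"{key}={value!r} places the user in a health context")

    return clean, dropped


# Constructed sample event from a hypothetical patient-portal app.
SAMPLE_EVENT = {
    "event_name": "appointment_booked",
    "user_id": "6f1c2f6e-3b0e-4f3a-9b1e-2c9e1a6d7b40",
    "timestamp": "2024-05-01T10:15:00Z",
    "app_version": "3.2.1",
    "diagnosis_code": "E11.9",        # PHI: must never reach the platform
    "insurance_member_id": "XYZ123",  # PHI: dropped
    "clinician_notes": "follow-up in 6 weeks",  # PHI: dropped
}

if __name__ == "__main__":
    safe, removed = filter_event(SAMPLE_EVENT)
    print("send:", safe)
    print("dropped:", removed)
```

Run this filter in the covered system at the single point where engagement events are emitted; an allowlist is preferable to a denylist because new PHI fields added by a producer are blocked by default rather than leaking until someone updates a pattern list.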
Questions
For questions about data protection at Reteno, contact the Data Protection Officer at [email protected].
Disclaimer
This page is provided for general informational purposes only and is not legal advice. Determining whether HIPAA applies to your organization, app, or use case is your responsibility. Consult your legal and compliance advisors before processing regulated health information.
