Privacy, Use, and Disclosure Policy
Effective: March 17, 2026
1. Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, establishes national standards for the protection of individually identifiable health information. The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) sets standards for how protected health information (PHI) may be used and disclosed by covered entities and their business associates.
As a Business Associate that processes, transmits, and maintains PHI through its fully homomorphic encryption (FHE) platform, H33.ai, Inc. (“H33”) is committed to ensuring that all uses and disclosures of PHI comply with HIPAA requirements and the terms of applicable Business Associate Agreements (BAAs).
2. Purpose
This policy defines H33’s responsibilities for safeguarding PHI that is transmitted, received, created, or maintained by H33 on behalf of its covered entity customers. It establishes the rules, procedures, and organizational safeguards that govern the permissible uses and disclosures of PHI, the rights of individuals with respect to their PHI, and the administrative requirements for HIPAA Privacy Rule compliance.
3. Definitions
| Term | Definition |
|---|---|
| Business Associate | A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. H33 operates as a Business Associate to its covered entity customers. |
| De-identified Information | Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. De-identification may be achieved through the Expert Determination method (§164.514(b)(1)) or the Safe Harbor method (§164.514(b)(2)). |
| Designated Record Set | A group of records maintained by or for a covered entity or business associate that includes medical records, billing records, enrollment/payment/claims/adjudication records, or any other records used in whole or in part to make decisions about individuals. |
| Disclosure | The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. |
| Health Care Operations | Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment, as defined in 45 CFR §164.501. |
| Payment | Various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, fulfill coverage responsibilities, and provide benefits under the plan, as defined in 45 CFR §164.501. |
| Protected Health Information (PHI) | Individually identifiable health information that is transmitted or maintained in any form or medium, excluding certain educational records covered by FERPA and employment records held by a covered entity in its role as employer. |
| Use | The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information. |
4. Scope
This policy applies to H33 in its capacity as a Business Associate with respect to all PHI that H33 creates, receives, maintains, or transmits on behalf of its covered entity customers. This includes PHI processed through H33’s FHE encryption pipelines (H33-Vault, H33-Share), biometric authentication data encrypted under BFV/CKKS schemes, and any PHI stored in H33’s infrastructure (AWS RDS, ElastiCache, S3) or transmitted through H33’s APIs.
This policy applies to all H33 workforce members, including employees, contractors, consultants, temporary workers, and any individual with access to H33 systems that may contain PHI.
5. Roles and Responsibilities
5.1 Privacy Official
H33 designates a Privacy Official who is responsible for the development and implementation of privacy policies and procedures, as required by 45 CFR §164.530(a)(1). The Privacy Official’s responsibilities include:
- Developing, implementing, and maintaining all HIPAA privacy policies and procedures
- Receiving and processing complaints related to H33’s privacy practices
- Monitoring compliance of Business Associates with applicable BAA terms
- Coordinating with the HIPAA Security Officer on matters involving both privacy and security
- Serving as the point of contact for individuals exercising their HIPAA privacy rights
- Providing privacy training to all workforce members
- Maintaining records of all privacy-related activities, complaints, and dispositions
5.2 Documentation Requirements
All privacy policies, procedures, and related documentation shall be maintained for a minimum of six (6) years from the date of creation or the date when the document was last in effect, whichever is later, per 45 CFR §164.530(j). Documentation shall be updated promptly in response to changes in HIPAA regulations, HHS guidance, or organizational practices.
6. Training
All H33 workforce members shall receive training on this policy and related privacy procedures, as required by 45 CFR §164.530(b). Training requirements include:
- Initial Training: All new workforce members must complete privacy training within thirty (30) days of their start date, prior to being granted access to any systems that may contain PHI
- Annual Refresher Training: All workforce members must complete annual privacy awareness training covering current policies, recent regulatory changes, and lessons learned from any privacy incidents
- Role-Specific Training: Workforce members with direct access to PHI or PHI-handling systems receive additional training on applicable procedures, minimum necessary requirements, and incident reporting obligations
- Change-Triggered Training: When material changes are made to privacy policies or procedures, affected workforce members must be retrained within a reasonable time period
Training completion records are maintained as documented information for the retention period specified in Section 5.2.
7. Safeguards
H33 implements appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that violates HIPAA requirements, as required by 45 CFR §164.530(c).
7.1 Administrative Safeguards
- Designation of a Privacy Official and a HIPAA Security Officer
- Workforce training and awareness programs
- Policies and procedures governing the use and disclosure of PHI
- Sanction policies for violations of privacy policies
- Complaint procedures for individuals to report privacy concerns
- Regular risk assessments and compliance audits
- Business Associate Agreement management and monitoring
7.2 Technical Safeguards
- Encryption: All PHI is encrypted at rest and in transit using industry-standard encryption. H33’s FHE platform provides computation on encrypted data without decryption, ensuring PHI remains protected throughout processing
- Access Controls: Role-based access controls (RBAC) enforce minimum necessary access. Multi-factor authentication (MFA) is required for all systems containing PHI
- Firewalls and Network Security: Production environments are segmented with security groups, NACLs, and application-level firewalls
- Audit Logging: All access to PHI-containing systems is logged with timestamps, user identifiers, and actions taken. Logs are retained for a minimum of six (6) years
- Automatic Session Termination: Interactive sessions with PHI-containing systems terminate after a defined period of inactivity
7.3 Physical Safeguards
- H33’s cloud infrastructure (AWS) is hosted in SOC 2 Type II and ISO 27001 certified data centers with physical access controls, 24/7 surveillance, and environmental controls
- Remote workforce members are required to maintain secure workspaces with screen locks, encrypted storage, and controlled access to work devices
- Company-issued devices with PHI access capabilities must have full-disk encryption, remote wipe capability, and endpoint detection and response (EDR) software
8. Privacy Notice
While H33 operates as a Business Associate (not a covered entity), H33 supports its covered entity customers in meeting their Notice of Privacy Practices obligations. H33’s own privacy notice describes:
- How H33 may use and disclose PHI on behalf of covered entities
- The safeguards H33 employs to protect PHI
- Individual rights with respect to their PHI
- H33’s obligations under applicable BAAs
- How to contact H33 with questions or complaints regarding privacy practices
9. Sanctions for Violations
H33 applies appropriate sanctions against workforce members who fail to comply with this policy or any related privacy procedures, as required by 45 CFR §164.530(e). Sanctions are applied consistently and are proportionate to the severity of the violation. Sanctions may include:
- Verbal or written warnings
- Mandatory retraining
- Suspension of access to PHI-containing systems
- Probation or suspension of employment
- Termination of employment or contract
- Referral to law enforcement in cases involving criminal conduct
The Privacy Official maintains a log of all sanctions applied, including the nature of the violation, the date, and the corrective action taken. Sanctions records are retained for a minimum of six (6) years.
10. Mitigation
H33 mitigates, to the extent practicable, any harmful effect that is known to result from a use or disclosure of PHI in violation of this policy or HIPAA requirements, as required by 45 CFR §164.530(f). Mitigation efforts may include:
- Requesting the return or destruction of improperly disclosed PHI
- Obtaining assurances from the recipient that the PHI will not be further used or disclosed
- Implementing additional safeguards to prevent recurrence
- Notifying affected individuals and covered entities as required
11. No Intimidation or Retaliation
H33 does not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising their rights under HIPAA, filing a complaint with HHS, participating in an investigation or compliance review, or opposing any act or practice that the individual believes in good faith violates HIPAA, as required by 45 CFR §164.530(g).
12. No Waiver of HIPAA Privacy
H33 does not require individuals to waive their rights under the HIPAA Privacy Rule as a condition for the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits, as required by 45 CFR §164.530(h).
13. PHI Access Limitations
Access to PHI within H33 is restricted to workforce members who require such access to perform their job functions. The following controls govern PHI access:
- Access is granted on a need-to-know, role-based basis
- All PHI access requests must be approved by the Privacy Official or Security Officer
- Access rights are reviewed quarterly and revoked immediately upon change of role, termination, or when access is no longer required
- Privileged access to PHI-containing databases and storage systems is limited to authorized engineering and operations personnel
- All PHI access is subject to audit logging and periodic review
14. Permitted Uses and Disclosures
14.1 Plan Administration
H33 may use or disclose PHI as permitted by applicable BAAs for purposes of plan administration functions performed on behalf of covered entity customers, provided such uses and disclosures are consistent with the terms of the BAA.
14.2 Payment
H33 may use or disclose PHI as necessary for payment activities on behalf of covered entity customers, including claims processing, eligibility verification, and benefits coordination, as permitted by the applicable BAA and 45 CFR §164.506.
14.3 Health Care Operations
H33 may use or disclose PHI as necessary for health care operations of covered entity customers, including quality assessment and improvement, case management, care coordination, data analytics (on encrypted data via FHE), and business planning, as permitted by the applicable BAA and 45 CFR §164.506.
15. Minimum Necessary Standard
H33 makes reasonable efforts to limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, as required by 45 CFR §164.502(b). The minimum necessary standard is implemented through:
- Uses: Role-based access policies that identify the persons or classes of persons who need access to PHI, and the categories or types of PHI to which access is needed
- Routine Disclosures: Standard protocols that limit PHI disclosed to the minimum necessary for the routine, recurring purpose
- Non-Routine Disclosures: Individual review of each non-routine disclosure request to ensure only the minimum necessary PHI is disclosed
- Requests for PHI: When requesting PHI from another entity, H33 limits the request to the minimum necessary for the stated purpose
The minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment purposes, disclosures to the individual who is the subject of the information, uses or disclosures made pursuant to a valid authorization, disclosures to HHS for enforcement purposes, uses or disclosures required by law, or uses or disclosures required for HIPAA compliance.
16. Mandatory Disclosures
16.1 Disclosure to the Individual
H33 supports covered entities in providing individuals with access to their PHI in a designated record set, as required by 45 CFR §164.524. When an individual or their personal representative requests access to their PHI that H33 maintains on behalf of a covered entity, H33 coordinates with the covered entity to fulfill the request within the timeframes specified in Section 22.1.
16.2 Disclosure to HHS
H33 makes PHI available to the Secretary of HHS for purposes of determining H33’s compliance with HIPAA, as required by 45 CFR §164.502(a)(2)(ii). H33 cooperates fully with HHS investigations, compliance reviews, and enforcement activities.
17. Permissive Disclosures
H33 may use or disclose PHI without individual authorization in the following circumstances, when permitted by the applicable BAA and consistent with 45 CFR §164.512:
- Public Health Activities: Disclosures to public health authorities for the purpose of preventing or controlling disease, injury, or disability (§164.512(b))
- Health Oversight Activities: Disclosures to health oversight agencies for activities authorized by law, including audits, civil or criminal investigations, inspections, and licensure (§164.512(d))
- Judicial and Administrative Proceedings: Disclosures in response to a court order, or a subpoena or discovery request accompanied by satisfactory assurance of notice to the individual or a qualified protective order (§164.512(e))
- Law Enforcement: Disclosures to law enforcement officials for law enforcement purposes, including responses to court orders, warrants, subpoenas, grand jury subpoenas, and administrative requests that meet the requirements of §164.512(f)
- Decedents: Disclosures to coroners, medical examiners, and funeral directors as necessary for their duties (§164.512(g))
- Research: Disclosures for research purposes that have been approved by an institutional review board (IRB) or privacy board (§164.512(i))
- Serious Threat to Health or Safety: Disclosures necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (§164.512(j))
- Specialized Government Functions: Disclosures for military and veterans activities, national security and intelligence activities, and protective services for the President (§164.512(k))
- Workers’ Compensation: Disclosures as authorized by and to the extent necessary to comply with workers’ compensation laws (§164.512(l))
- Required by Law: Uses and disclosures that are required by federal, state, or local law (§164.512(a))
18. Individual Authorization
For uses and disclosures not otherwise permitted or required by the Privacy Rule, H33 obtains (or assists covered entities in obtaining) a valid written authorization from the individual. A valid authorization must contain the following elements per 45 CFR §164.508(c):
- A specific and meaningful description of the information to be used or disclosed
- The name or other specific identification of the person(s) authorized to make the use or disclosure
- The name or other specific identification of the person(s) to whom the disclosure may be made
- A description of each purpose of the requested use or disclosure (“at the request of the individual” is sufficient if the individual initiates the authorization)
- An expiration date or expiration event
- Signature of the individual and date
- Required statements regarding the right to revoke, the ability or inability to condition treatment/payment/enrollment on the authorization, and the potential for re-disclosure
19. Identity Verification
Before disclosing PHI in response to a request, H33 verifies the identity and authority of the person requesting the information, as required by 45 CFR §164.514(h). Verification procedures vary based on the requestor:
| Requestor Type | Verification Method |
|---|---|
| Individual (data subject) | Government-issued photo ID, date of birth confirmation, and verification questions based on information on file. For electronic requests, identity verification through the covered entity’s authentication system. |
| Parent / Guardian | Proof of relationship (birth certificate, court order, or power of attorney) plus government-issued photo ID of the parent/guardian. |
| Personal Representative | Documentation establishing authority to act on behalf of the individual (court order, power of attorney, health care proxy) plus government-issued photo ID of the representative. |
| Public Official | Presentation of official credentials, agency identification, written request on official letterhead, or other evidence of authority per §164.514(h)(2). |
20. Disclosures to Business Associates
H33 may disclose PHI to its own subcontractors and Business Associates only after obtaining satisfactory assurances, in the form of a written Business Associate Agreement, that the subcontractor will appropriately safeguard the information. BAA requirements include:
- The Business Associate will use or disclose PHI only as permitted by the BAA or as required by law
- The Business Associate will implement appropriate safeguards to prevent unauthorized uses or disclosures
- The Business Associate will report any breaches of unsecured PHI within sixty (60) calendar days
- The Business Associate will ensure that any subcontractors agree to the same restrictions and conditions
- The Business Associate will make PHI available for individual access rights
- The Business Associate will return or destroy PHI upon termination of the agreement
21. De-Identified Information
H33 may use or disclose de-identified information without restriction, provided that the information has been de-identified in accordance with 45 CFR §164.514(a)-(c). H33 supports two methods of de-identification:
- Expert Determination (§164.514(b)(1)): A qualified statistical or scientific expert determines that the risk of identifying an individual from the information is very small, and documents the methods and results of the analysis
- Safe Harbor (§164.514(b)(2)): All 18 types of identifiers are removed, and H33 has no actual knowledge that the remaining information could be used to identify an individual
H33’s FHE technology enables computation on encrypted data without exposing underlying PHI, providing an additional layer of de-identification during processing. However, FHE processing alone does not constitute de-identification under HIPAA; the underlying plaintext data must meet the requirements of §164.514.
22. Individual Rights
22.1 Right of Access
Individuals have the right to access and obtain a copy of their PHI in a designated record set, as required by 45 CFR §164.524. H33 supports covered entities in fulfilling access requests by:
- Processing access requests within thirty (30) calendar days of receipt
- Providing PHI in the format requested by the individual if readily producible, or in a readable alternative format
- Charging only a reasonable, cost-based fee for copies, if applicable
- If a request is denied (in whole or in part), providing a written denial with the basis for denial, a description of the individual’s right to request a review, and information on how to file a complaint with HHS
- Taking a single thirty (30) day extension if H33 is unable to act within the initial timeframe, provided written notice is given to the individual
22.2 Right of Amendment
Individuals have the right to request amendment of their PHI in a designated record set, as required by 45 CFR §164.526. H33 supports covered entities in processing amendment requests by:
- Acting on amendment requests within sixty (60) calendar days of receipt
- If the amendment is accepted, making the amendment, informing the individual, and making reasonable efforts to inform persons identified by the individual and persons known to H33 that have the PHI
- If the amendment is denied, providing a written denial with the basis for denial (e.g., the information was not created by H33, the information is not part of a designated record set, or the information is accurate and complete) and information about the individual’s right to submit a statement of disagreement
22.3 Right to an Accounting of Disclosures
Individuals have the right to receive an accounting of disclosures of their PHI made by H33 in the six (6) years prior to the request, as required by 45 CFR §164.528. The accounting includes:
- The date of each disclosure
- The name and address (if known) of the entity or person who received the PHI
- A brief description of the PHI disclosed
- A brief statement of the purpose of the disclosure, or a copy of the authorization or written request
Certain disclosures are excluded from the accounting, including disclosures for treatment, payment, and health care operations; disclosures pursuant to an authorization; disclosures to the individual; and disclosures for national security or intelligence purposes.
22.4 Right to Request Confidential Communications
H33 supports covered entities in accommodating reasonable requests from individuals to receive communications of PHI by alternative means or at alternative locations, as required by 45 CFR §164.522(b).
22.5 Right to Request Restrictions
Individuals have the right to request restrictions on certain uses and disclosures of their PHI, as required by 45 CFR §164.522(a). While H33 is not required to agree to every restriction request, H33 will coordinate with covered entities to evaluate and, where feasible, implement requested restrictions. If a restriction is agreed to, H33 will not use or disclose the PHI in violation of that restriction except in emergency circumstances.
23. Records Retention
All records related to this policy, including privacy policies, procedures, training records, authorizations, complaints and their dispositions, sanctions, amendment requests, accounting of disclosures logs, and restriction agreements, shall be retained for a minimum of six (6) years from the date of creation or the date when the document was last in effect, whichever is later, per 45 CFR §164.530(j).
24. Review Schedule
This policy shall be reviewed and updated at least annually. The next scheduled review is March 2027. Interim reviews shall be triggered by changes in HIPAA regulations or HHS guidance, privacy incidents, audit findings, or organizational changes affecting PHI handling.
Questions about this policy?
Contact the Privacy Official at security@h33.ai or the Compliance team at compliance@h33.ai.