Decades HIPAA Policy
Effective Date:
June 25, 2026
Last Updated:
June 25, 2026
Company:
Decades Health Inc.
Address:
112 N Curry St
Carson City, NV 89703-4934
United States
Email:
apps@decades.health
Phone:
+1 424-239-9290
IN ONE LINE: DECADES IS GENERALLY NOT A HIPAA "COVERED ENTITY" OR "BUSINESS ASSOCIATE," SO THE HEALTH INFORMATION YOU ENTER MAY NOT BE GOVERNED BY HIPAA. EVEN SO, WE APPLY HIPAA-ALIGNED SAFEGUARDS AND MAINTAIN A BUSINESS ASSOCIATE AGREEMENT (BAA) WITH OUR CLOUD DATABASE AND STORAGE PROVIDER FOR THE HEALTH INFORMATION IT STORES.
Table of Contents
1. Why We Provide This Notice
Decades handles sensitive health and family information, and many people assume that all such information is automatically protected by the federal Health Insurance Portability and Accountability Act ("HIPAA"). That assumption is often incorrect. We provide this Notice to explain, clearly and honestly:
|
This Notice Explains |
|
Whether HIPAA applies to the information you store in the Services; |
|
What safeguards we apply to your health information regardless of HIPAA; and |
|
Which laws and rights actually govern your information. |
THIS NOTICE IS FOR GENERAL INFORMATIONAL PURPOSES AND IS NOT LEGAL ADVICE.
2. What HIPAA Is — In Plain Language
HIPAA is a federal law that sets privacy and security rules for "protected health information" ("PHI") held by, or handled for, certain regulated organizations. HIPAA applies to two main types of organizations:
|
Organization Type |
Meaning |
|
Covered entities |
Health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically in connection with certain transactions; and |
|
Business associates |
Vendors that perform functions or services involving PHI for or on behalf of a covered entity. |
KEY CONCEPT. A "BUSINESS ASSOCIATE" RELATIONSHIP ARISES SPECIFICALLY WHERE AN ENTITY HANDLES PHI FOR OR ON BEHALF OF A COVERED ENTITY. SIMPLY HOLDING HEALTH INFORMATION THAT A CONSUMER GIVES YOU DIRECTLY DOES NOT, BY ITSELF, MAKE AN ORGANIZATION A COVERED ENTITY OR BUSINESS ASSOCIATE.
3. Our HIPAA Status
DECADES IS GENERALLY NOT A HEALTHCARE PROVIDER, HEALTH PLAN, OR HEALTHCARE CLEARINGHOUSE, AND WE GENERALLY DO NOT ACT AS A HIPAA "COVERED ENTITY" OR "BUSINESS ASSOCIATE." AS A RESULT, HEALTH INFORMATION YOU STORE IN THE SERVICES MAY NOT BE SUBJECT TO HIPAA IN ALL CIRCUMSTANCES.
In most cases, the information you enter into Decades is information you voluntarily provide directly to us as a consumer — not PHI received from, or handled on behalf of, a covered entity. Because of this, WE GENERALLY DO NOT DESCRIBE YOUR INFORMATION AS "HIPAA-PROTECTED," AND WE ARE CAREFUL NOT TO OVERSTATE OUR HIPAA STATUS.
MAINTAINING THE SAFEGUARDS AND BAA DESCRIBED IN THIS NOTICE DOES NOT, BY ITSELF, MAKE DECADES A COVERED ENTITY OR BUSINESS ASSOCIATE.
4. When HIPAA May or May Not Apply
Whether HIPAA applies depends on how a particular piece of information reaches us:
|
Situation |
HIPAA Treatment |
|
Typically NOT covered by HIPAA |
Information you type into the app yourself, documents you upload, lifestyle and family information you record, and similar consumer-submitted data. This is the large majority of information in the Services. |
|
Potentially different treatment |
If, in a specific arrangement, we were ever to receive or handle PHI on behalf of a covered entity (for example, under a future partnership), that specific processing could be subject to HIPAA and a corresponding BAA. We do not currently operate the Services in that capacity for consumer users. |
If your HIPAA status matters to you for a specific situation, please consult a qualified professional and contact us at apps@decades.health with any questions.
5. HIPAA-Aligned Safeguards We Apply
Even where HIPAA does not legally apply, we design our infrastructure to incorporate safeguards aligned with the standards reflected in HIPAA's Security and Privacy Rules. These include:
|
Safeguard |
|
Encryption of data in transit and at rest; |
|
Row-Level Security (RLS) and private, access-controlled storage so that, by default, access is limited to the record owner, subject to necessary administrative, security, legal, or support access. |
|
Temporary, expiring signed URLs for AI document processing (links expire after approximately ten (10) minutes); |
|
Access controls, authentication, and the principle of least privilege; |
|
Audit logging, vulnerability management, and periodic security testing; |
|
SSL/TLS-encrypted web intake forms for family-member submissions; |
|
Encrypted backups, disaster-recovery planning, and incident-response procedures. |
A NOTE ON TERMINOLOGY. WE DESCRIBE THESE AS HIPAA-ALIGNED SAFEGUARDS AND OUR INFRASTRUCTURE AS HIPAA-CAPABLE WHERE APPLICABLE. WE AVOID THE PHRASE "HIPAA-COMPLIANT" AS A BLANKET CLAIM, BECAUSE FULL HIPAA COMPLIANCE IS AN ORGANIZATION-WIDE REGULATORY STATUS RATHER THAN SOMETHING ESTABLISHED BY SAFEGUARDS AND VENDOR AGREEMENTS ALONE. NO METHOD OF TRANSMISSION OR STORAGE IS COMPLETELY SECURE, AND WE CANNOT GUARANTEE ABSOLUTE SECURITY.
6. Business Associate Agreements and Vendor Configuration
We maintain a Business Associate Agreement (BAA) with our cloud database and storage provider, the key provider that stores health information on our behalf, as a precautionary contractual measure, and we configure that service for sensitive data:
6.1 Database and File Storage — Cloud Database and Storage Provider
Your account, profile, health, family, and document data are stored with our cloud database and storage provider, in a project that is covered by a signed BAA with the HIPAA add-on enabled for that organization and project. Our provider requires both a signed BAA and the HIPAA add-on for projects handling PHI, and we maintain that configuration for the project used by the Services. Data is held in private, encrypted storage protected by Row-Level Security.
6.2 AI Processing — AI Service Provider
When information is processed to generate insights, your Health Blueprint or document summaries, it is analyzed using our AI service provider's API under that provider's standard API terms. UNDER THOSE TERMS, YOUR INPUTS ARE NOT USED TO TRAIN THE PROVIDER'S MODELS, THOUGH THE PROVIDER MAY RETAIN INPUTS FOR A LIMITED PERIOD AS PERMITTED UNDER ITS STANDARD TERMS. We do not send sensitive contact details (such as email address, phone number, or mailing address) to our AI provider.
IF WE PUT A BUSINESS ASSOCIATE AGREEMENT OR ZERO DATA RETENTION ("ZDR") CONFIGURATION IN PLACE FOR AI PROCESSING, OR OTHERWISE CHANGE OUR AI PROVIDER OR CONFIGURATION, WE WILL UPDATE THIS NOTICE.
6.3 Other Providers
Other providers (such as authentication, notification, and messaging services) receive only the limited information needed to perform their function, under contractual protections, and contact details used for invitations are not sent to our AI provider. See the third-party-providers section of our Privacy Policy for the full list.
7. What Laws Actually Govern Your Information
Because HIPAA generally does not apply, your information is primarily governed by this Notice, our Privacy Policy, and applicable U.S. consumer-privacy and consumer-health-data laws, which may include:
|
Law |
Description |
|
Washington's My Health My Data Act (MHMDA) |
Consumer-health-data disclosures, consent, and deletion rights; |
|
Nevada's consumer health data law |
Requirements for a consumer health data privacy policy and related protections; |
|
California law, including the CCPA/CPRA and the Confidentiality of Medical Information Act (CMIA) where applicable |
California privacy and medical-information protections; and |
|
other comprehensive U.S. state privacy laws |
Other applicable state privacy rights and obligations. |
THESE LAWS — NOT HIPAA — ARE GENERALLY THE SOURCE OF YOUR LEGAL RIGHTS OVER THE INFORMATION YOU PROVIDE TO DECADES. See our Privacy Policy, including its state-specific consumer health data notices in Section 27, for the detailed disclosures and rights under each.
8. Breach Notification
If we become aware of a security incident that compromises personal or health information, we will investigate and respond in accordance with applicable law. BECAUSE HIPAA'S BREACH NOTIFICATION RULE MAY NOT APPLY TO US, THE RELEVANT OBLIGATIONS MAY INSTEAD INCLUDE THE FTC HEALTH BREACH NOTIFICATION RULE AND APPLICABLE STATE BREACH NOTIFICATION AND CONSUMER HEALTH DATA LAWS. Where required, we will notify affected users and relevant authorities within the timeframes and by the methods the law prescribes.
9. Your Rights and Choices
You can exercise rights over your information — such as access, correction, deletion, consent withdrawal, and appeals — as described in our Privacy Policy, or by contacting apps@decades.health. WE WILL VERIFY REQUESTS AND RESPOND WITHIN THE TIMEFRAMES REQUIRED BY APPLICABLE LAW. Parents or guardians may review, correct, or delete a minor child's information that they added to the Services.
10. Important Clarifications
|
Clarification |
Details |
|
WE DO NOT OVERSTATE HIPAA. |
We describe our protections as HIPAA-aligned and our infrastructure as HIPAA-capable where applicable; we do not claim to be a HIPAA covered entity or business associate for consumer-submitted data. |
|
A BAA DOES NOT CONFER HIPAA STATUS. |
Holding a BAA with a vendor is a protective measure and does not make Decades a covered entity or business associate. |
|
NOT LEGAL ADVICE. |
This Notice is informational and does not constitute legal advice. Your specific circumstances may differ. |
|
NOT MEDICAL ADVICE. |
The Services are informational and general-wellness tools and are not a substitute for professional medical advice, diagnosis, or treatment. |
11. Changes to This Notice
We may update this HIPAA Notice from time to time. When we do, we will revise the "Last Updated" date above and, for material changes, provide notice through the Services or by other appropriate means. THE MOST CURRENT VERSION ALWAYS GOVERNS.
12. Contact Us
Point of Contact:
Amy Samuel
Company:
Decades Health Inc.
Address:
112 N Curry St
Carson City, NV 89703-4934
United States
Email:
apps@decades.health
Phone:
+1 424-239-9290