HIPAA Privacy & Security Policy

Effective Date: October 2025
Last Updated: October 2025

Decades Health (“Decades,” “we,” “us,” or “our”) is committed to maintaining the privacy and security of your health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This policy explains how we protect, use, and disclose Protected Health Information (“PHI”) that we collect through our services.

1. What Is Protected Health Information (PHI)?

PHI refers to individually identifiable health information that relates to your past, present, or future physical or mental health, the healthcare services you have received, or payment for those services. This includes your medical history and family health data when it is held together with identifiers (such as your name, date of birth, or contact details) that could be used to link the information to you.

2. How We Use and Disclose PHI

Decades uses your PHI only for authorized and necessary purposes, including:

  • Providing personalized health mapping and insights
  • Improving the quality and accuracy of our platform
  • Conducting secure communication with users and caregivers
  • Complying with applicable health and data protection laws

We do not sell or share PHI with third parties for marketing or unrelated business purposes.

3. Permitted Disclosures Without Authorization

In certain limited situations, HIPAA allows Decades to disclose PHI without your express consent, such as:

  • When required by law or legal process
  • To prevent or lessen a serious public health or safety threat
  • For health oversight, audit, or compliance investigations
  • To authorized medical professionals in case of emergency

4. Data Security and Safeguards

We maintain industry-standard administrative, physical, and technical safeguards to protect PHI from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of PHI both in transit and at rest
  • Multi-factor authentication and access control
  • Regular security audits and HIPAA compliance reviews
  • Employee training on privacy and data handling best practices

5. Your Rights Under HIPAA

You have specific rights under HIPAA concerning your PHI, including the right to:

  • Access and obtain a copy of your PHI
  • Request corrections to incomplete or inaccurate data
  • Receive an accounting of certain disclosures of your PHI made by Decades
  • Request restrictions on certain uses and disclosures of your PHI, and revoke any authorization you have previously given
  • Receive your records in a secure electronic form, or have them transmitted to a recipient you designate

To exercise these rights, please contact us using the information provided at the end of this policy.

6. Business Associates and Third Parties

Decades may engage third-party service providers (such as secure cloud storage and analytics platforms) that process PHI on our behalf. All such partners are required to sign Business Associate Agreements (“BAAs”) that obligate them to safeguard PHI, to use and disclose it only as permitted by the agreement and by HIPAA, and to report any security incident or breach involving PHI to us.

7. Breach Notification Policy

In the event of a breach of unsecured PHI, Decades will notify affected users, the Secretary of the U.S. Department of Health and Human Services, and, where required, the media, as set out in the HIPAA Breach Notification Rule. Notifications will be made without unreasonable delay and in no case later than 60 days after the breach is discovered. We will take immediate corrective measures to minimize impact and prevent recurrence.

8. Data Retention and Disposal

We retain PHI only for as long as necessary to fulfill our service obligations or as required by law. When PHI is no longer needed, it is securely deleted, de-identified, or destroyed according to HIPAA-compliant procedures.

9. Policy Updates

Decades may update this HIPAA Policy periodically to reflect changes in legal requirements, technology, or internal practices. Updates will be communicated via email or in-app notifications.

10. Contact Us

For questions, requests, or concerns about our HIPAA compliance or this policy, please contact our Privacy Officer:

Email: support@decades.health
Address: Decades Health, 700 Larkspur Landing Circle, Larkspur, CA 94939