HIPAA Compliance

HIPAA Compliance Statement

Effective Date: May 30, 2025

Important Notice About HIPAA Applicability

Generate Nexus is committed to protecting your personal information and maintaining the highest standards of data security. However, it's important to understand the current scope of our services in relation to HIPAA (Health Insurance Portability and Accountability Act) requirements.

Current Service Scope

Standard Nexus Letter Service ($75)

Our current standard service does not fall under HIPAA regulations because:

  • We do not provide medical care, treatment, or diagnosis
  • We are not a covered entity under HIPAA (healthcare provider, health plan, or healthcare clearinghouse)
  • Our letters are written based on information you provide, not medical records
  • We do not access your medical records or protected health information

Information We Handle

The information we collect for our standard service includes:

  • Personal contact information
  • Military service history
  • Self-reported medical condition descriptions
  • VA claim-related information

This information, while sensitive, does not constitute PHI under HIPAA definitions when used for non-medical nexus letter writing purposes.

Future Medical Professional Review Service

Coming Soon: We are developing a Medical Professional Review service that will include licensed medical professionals. When this service launches:

  • We will become HIPAA-compliant as a covered entity
  • Full HIPAA protections will apply to all PHI handled
  • We will implement comprehensive HIPAA policies and procedures
  • All medical professional interactions will meet HIPAA standards
  • We will provide detailed HIPAA privacy notices and patient rights information

Current Data Protection Measures

While not required to be HIPAA-compliant for our current service, we implement robust security measures that meet or exceed industry standards:

Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Audit Logs: Comprehensive logging of all data access and modifications
  • Secure Infrastructure: SOC 2 compliant hosting with regular security assessments

Physical Safeguards

  • Secure Data Centers: Enterprise-grade facilities with 24/7 monitoring
  • Environmental Controls: Climate-controlled environments with backup power
  • Access Restrictions: Biometric and badge-controlled access to server areas
  • Equipment Disposal: Secure destruction of all storage devices

Administrative Safeguards

  • Privacy Policies: Clear policies governing data collection and use
  • Staff Training: Regular training on data protection and privacy principles
  • Incident Response: Documented procedures for security incident management
  • Vendor Management: All third-party providers bound by strict confidentiality agreements

Information Security Principles

We adhere to the following security principles:

Minimum Necessary Standard

We collect and access only the minimum information necessary to provide our nexus letter service.

Purpose Limitation

We use your information solely for creating and delivering your nexus letter and providing customer support.

Data Integrity

We maintain accurate, complete, and up-to-date information through secure systems and regular validation.

Confidentiality

All information is treated as confidential and accessed only by authorized personnel on a need-to-know basis.

Third-Party Service Providers

Any third-party vendors we work with must:

  • Sign comprehensive confidentiality agreements
  • Implement appropriate security measures
  • Limit access to information on a need-to-know basis
  • Meet our security and privacy standards

Current third-party categories include:

  • Payment Processing: PCI DSS compliant payment processors
  • Email Services: Encrypted email delivery platforms
  • Cloud Infrastructure: SOC 2 compliant hosting providers
  • Analytics: Privacy-focused analytics with data anonymization

Data Breach Response

In the unlikely event of a security incident:

  1. Immediate Response: Containment and assessment within 24 hours
  2. Investigation: Thorough investigation to determine scope and cause
  3. Notification: Prompt notification to affected users as required by law
  4. Remediation: Implementation of corrective measures to prevent recurrence
  5. Documentation: Complete documentation of incident and response actions

Your Rights and Controls

You have the following rights regarding your information:

Access Rights

  • Request copies of information we maintain about you
  • Review how your information is being used
  • Understand who has accessed your information

Correction Rights

  • Request correction of inaccurate information
  • Update your contact and service information
  • Modify preferences for communications

Deletion Rights

  • Request deletion of your information (subject to legal requirements)
  • Close your account and remove personal data
  • Opt out of future communications

Portability Rights

  • Receive your information in a structured, commonly used format
  • Transfer your information to another service provider
  • Download your nexus letter and related documents

Compliance Monitoring

We regularly:

  • Review Policies: Annual review and update of all privacy and security policies
  • Conduct Assessments: Regular security and privacy risk assessments
  • Monitor Access: Continuous monitoring of data access and usage
  • Train Staff: Ongoing training on privacy and security best practices
  • Test Systems: Regular penetration testing and vulnerability assessments

Future HIPAA Compliance

When we launch our Medical Professional Review service, we will:

Become a Covered Entity

  • Obtain all necessary HIPAA certifications
  • Implement a comprehensive HIPAA compliance program
  • Provide detailed HIPAA privacy notices
  • Establish patient rights procedures

Enhanced Protections

  • Business Associate Agreements with all vendors
  • HIPAA-compliant data backup and recovery
  • Enhanced audit trails and monitoring
  • Formal breach notification procedures

Medical Professional Standards

  • Licensed medical professionals bound by HIPAA
  • Secure medical record handling and storage
  • Proper PHI transmission and communication
  • Medical ethics and professional standards compliance

Contact Information

For questions about our data protection practices or to exercise your rights:

  • Privacy Officer: privacy@generatenexus.com
  • General Support: support@generatenexus.com
  • Address: Generate Nexus, LLC

Regulatory Compliance

We maintain compliance with applicable regulations including:

  • State Privacy Laws: California Consumer Privacy Act (CCPA) and similar state laws
  • Federal Regulations: FTC privacy and security guidelines
  • Industry Standards: SOC 2, ISO 27001 principles
  • Payment Security: PCI DSS for payment processing

Updates to This Statement

We will update this HIPAA Compliance Statement when:

  • We launch new services that require HIPAA compliance
  • Regulations or standards change
  • We implement new security measures or procedures
  • Legal requirements are updated

All changes will be posted on our website with updated effective dates.
This HIPAA compliance statement was last updated on May 30, 2025.

Note: This statement reflects our current standard nexus letter service. When we launch our Medical Professional Review service, we will provide comprehensive HIPAA compliance documentation and patient rights information.