BioLoop
Get Started

HIPAA & health information

Last updated: April 9, 2026

This notice is not legal advice and is not a substitute for a Notice of Privacy Practices (NPP), Business Associate Agreement (BAA), or counsel-reviewed HIPAA compliance program. Whether HIPAA applies to BioLoop in your situation is a legal determination.

When HIPAA may matter

HIPAA regulates certain covered entities (for example, many health care providers and health plans) and their business associates when they create, receive, maintain, or transmit protected health information (PHI) in connection with covered transactions. Consumer wellness products do not always fall under HIPAA; the facts of your offering, your relationships with labs and clinicians, and how data flows must be analyzed by counsel.

How we approach safeguards

Regardless of HIPAA applicability, we design the Services with security and privacy in mind, including:

  • Encryption of data in transit (HTTPS) and reliance on infrastructure providers that support encryption at rest.
  • Access controls and authentication for accounts.
  • Database policies that restrict user data to the authenticated account where applicable.
  • Vendor review for subprocessors that process sensitive information (for example: hosting, database, lab APIs, payments, AI).

AI and health information

Features that send messages or context to AI providers may process sensitive topics. You should assume that any information you enter could be processed according to our Privacy Policy and the AI provider's terms. Counsel should confirm whether BAAs or other agreements are required for your intended use of PHI with AI vendors.

Your rights (HIPAA and otherwise)

Where HIPAA applies, individuals may have rights such as access, amendment, and an accounting of disclosures, subject to exceptions. Where HIPAA does not apply, other laws (state consumer privacy, GDPR, etc.) may still grant rights. Contact privacy@bioloop.com for requests. We will respond consistent with applicable law after verification.

Breach notification

If we determine a breach of unsecured PHI requires notification under HIPAA, we will follow applicable regulatory timelines and methods. Internal security incident procedures should be maintained by your operations team.

Internal inventory

Engineering maintains a working subprocessor and data-flow inventory for security reviews (see repository docs/hipaa-subprocessor-inventory.md). Counsel may wish to publish a customer-facing subprocessor list separately.