Breakpoint HIPAA Compliance and Security Policy
Last Updated: 29 January 2025
This document describes the measures Breakpoint (operated by Cromulent Consulting, Inc.) undertakes to protect the
confidentiality, integrity, and availability of user data, including any information that may be considered
Protected Health Information (PHI). While Breakpoint does not function as a Covered Entity or Business Associate
under the Health Insurance Portability and Accountability Act (HIPAA), we have adopted certain practices to
safeguard data in a manner consistent with HIPAA's core principles.
1. Scope of Services and PHI Handling
- Data Collected: Users typically provide only a name and email address to create and manage
their Breakpoint account. However, free-form content (e.g., messages) may include user-submitted PHI.
- Not a Covered Entity or Business Associate: Breakpoint is not classified as a Covered Entity or
Business Associate under HIPAA.
- Potential PHI Interaction: Any PHI that appears in free-form messages is voluntarily provided
by the user. Breakpoint does not explicitly request PHI.
2. Business Associate Agreements (BAA)
- No Current BAAs: Breakpoint does not maintain formal Business Associate Agreements with
partners or third-party vendors, since we are not operating as a Covered Entity or Business Associate.
3. Data Storage and Infrastructure
- Cloud Hosting: User data and any user-submitted PHI are stored on servers hosted by Hetzner and
AWS, operating in secure environments within the United States.
- Security Measures: These servers are secured with firewalls, role-based access, and SSH key
authentication. The database runs in a hardened Docker container for controlled isolation.
- Encrypted Backups: Periodic backups of user data are performed, and the backup copies are stored encrypted,
following HIPAA-like best practices.
- PHI Communication: When sharing PHI with users, we only use the contact methods
(email, phone, etc.) that they have explicitly provided and authorized.
4. Access Control and Authentication
- Limited Internal Access: Only privileged members of the Breakpoint team, with explicit business
justification, can access the servers and database where user data may reside.
- SSH Key Security: Administrative access to production servers requires SSH key authentication; password
logins are not accepted, which removes the exposure to password guessing and reused or leaked passwords.
- Multi-Factor Authentication (MFA): MFA is used on critical systems to further protect against
unauthorized access.
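As an added example, not part of the Breakpoint policy and not a description of its actual server configuration: a POSIX shell check that audits an OpenSSH sshd_config for the key-only administrative access this section describes. The two configuration files are constructed here for illustration. The option names and defaults are OpenSSH's (PasswordAuthentication and KbdInteractiveAuthentication default to yes, PermitRootLogin to prohibit-password), and the check follows sshd's rule that the first occurrence of a keyword wins; settings inside Match blocks are conditional and are deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not Breakpoint's code): verify that an sshd_config enforces
# key-only administrative access. Constructed sample configs, not real ones.

# sshd_option FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD in FILE. sshd keywords are
# case-insensitive, the FIRST occurrence wins, and anything after the first
# "Match" block is conditional, so parsing stops there. A keyword that never
# appears (including one that is commented out) takes its compiled-in DEFAULT.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { exit }                 # stop at Match blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check_sshd_config FILE
# Return 0 when FILE enforces key-only authentication, 1 otherwise,
# printing one line per finding.
check_sshd_config() {
    cfg="$1"; rc=0
    pw=$(sshd_option "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_option "$cfg" KbdInteractiveAuthentication yes)
    pub=$(sshd_option "$cfg" PubkeyAuthentication yes)
    root=$(sshd_option "$cfg" PermitRootLogin prohibit-password)

    [ "$pw" = "no" ]   || { echo "FAIL $cfg: PasswordAuthentication=$pw (want no)"; rc=1; }
    # Passwords can also be sent over keyboard-interactive (PAM), so it must be off too.
    [ "$kbd" = "no" ]  || { echo "FAIL $cfg: KbdInteractiveAuthentication=$kbd (want no)"; rc=1; }
    [ "$pub" = "yes" ] || { echo "FAIL $cfg: PubkeyAuthentication=$pub (want yes)"; rc=1; }
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL $cfg: PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "PASS $cfg: key-only authentication enforced"
    fi
    return "$rc"
}

# Constructed sample configurations (hypothetical, written to a temp dir).
WORKDIR=$(mktemp -d)
GOOD_CFG="$WORKDIR/sshd_config.hardened"
BAD_CFG="$WORKDIR/sshd_config.defaults"

cat > "$GOOD_CFG" <<'EOF'
# Constructed sample: keys only, root limited to key authentication
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

cat > "$BAD_CFG" <<'EOF'
# Constructed sample: stock defaults still in effect
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
EOF

# The commented-out line above is the classic audit trap: it looks hardened
# but leaves the default (yes) in force, so the second file fails three checks.
for f in "$GOOD_CFG" "$BAD_CFG"; do
    check_sshd_config "$f" || true
done
```

Run against a live host with `check_sshd_config /etc/ssh/sshd_config`, or against `sshd -T` output saved to a file, which already has Match blocks and defaults resolved.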
5. Encryption and Transmission
- Encryption in Transit: All data transmitted between Breakpoint and end-users is encrypted in transit using
TLS 1.2.
- Encryption at Rest: Data at rest, including any user-submitted PHI, is stored on servers protected by the
safeguards described in Section 3, aligned with HIPAA-like guidelines.
6. Physical Security
- Cloud Provider Facilities: Hetzner and AWS maintain secure data centers with environmental
controls and physical access protections.
- Team Access: Only authorized personnel can interact with the live production environment.
Physical access to these servers is solely under the control of the cloud providers.
7. Policies and Procedures
The following policies and procedures address privacy, security, and breach handling:
- Privacy Policy: Describes how we collect, use, and protect user data. Published on our website.
- Security Policy:
- All data-handling workflows follow role-based access control.
- Periodic reviews of application code and infrastructure are conducted to identify and mitigate
vulnerabilities.
- Incident response and breach notification steps (see Section 10) are established to address any suspected
compromise.
- Breach Notification Policy: Outlined in Section 10 to swiftly identify, investigate, and
disclose breaches of user data.
8. Employee Training and Management
- Staff Awareness: Individuals with privileged access receive training on data security and
handling protocols.
- Onboarding/Offboarding: Access levels are granted or revoked immediately upon changes in role
or employment status.
9. Audit Trails and Monitoring
- Access Logs: Server-level and application-level access logs record authentication events and
system changes.
10. Breach Notification Protocol
Breakpoint is committed to timely disclosure of any incident that jeopardizes user-submitted data, including any
PHI:
- Investigation: Upon detection of a suspected breach, the security team promptly evaluates its nature and
scope.
- Containment: Steps are taken to isolate affected systems, remove unauthorized access, and
prevent additional data exposure.
- Notification: Users potentially impacted by a confirmed breach are notified. If legally
required, regulatory bodies are also informed.
- Remediation: Following containment, we review policies, update protocols, and implement
additional safeguards as needed to prevent future incidents.
11. Data Retention and Disposal
- Retention Period: User data, including any user-submitted PHI, remains in our system until the
user elects to delete their account.
- Disposal: When a user deletes an account, data is securely removed from production systems.
Backup copies eventually expire as part of our rolling backup schedule.
12. Ongoing Compliance Assessments
- Internal Reviews: Regular checks on security measures, updates to the policy, and reviews of
access logs are performed to maintain best practices for data protection.
- Gap Analysis: Any identified gaps in security are promptly remediated.
13. User Rights and Requests
- Data Access: Users can view and manage all submitted content through their account. This allows
them to review any data that could be construed as PHI.
- Requests to Update or Restrict PHI: Users seeking to correct, remove, or place restrictions on
their data should email [email protected].
14. Disclaimer and Limitations
- No Medical Advice: Breakpoint does not replace professional healthcare, therapy, or medical
advice. Any content within the platform is for informational or personal use and does not serve as a substitute
for professional diagnosis or treatment.
- No Covered Entity Relationship: Because Breakpoint is not a Covered Entity or Business
Associate under HIPAA, users who choose to include PHI do so at their discretion.
15. Contact Information
If you have questions regarding HIPAA-related issues, data security, or any portion of this policy, please reach
out to our designated Security Officer:
By using Breakpoint, you acknowledge your understanding of how data, including user-submitted PHI, is handled under
these guidelines. Cromulent Consulting, Inc. reserves the right to update or modify this policy as needed to enhance
security measures or comply with evolving requirements.