
HIPAA Compliance & Data Storage

How to store scan results, stay compliant with health data regulations, and protect user privacy at every stage.

Does HIPAA Apply to Us?
Short answer: maybe not yet, but build for it anyway

HIPAA applies to covered entities (hospitals, doctors, health plans, insurers) and their business associates (anyone who handles PHI on their behalf). A standalone consumer wellness app that doesn't integrate with healthcare providers is technically NOT a covered entity.

But here's what DOES apply to you right now:
FTC Health Breach Notification Rule — applies to ALL health apps and personal health records, even if HIPAA doesn't. If you have a breach involving health data, you must notify affected users and the FTC. Penalties are real.

When HIPAA kicks in:

  • You partner with a clinic, doctor's office, or hospital that sends patients to your app
  • An employer uses your scanner for employee wellness programs
  • An insurance company integrates your scan data into their risk assessment
  • A practitioner uses your platform to track patient health over time
Why build for HIPAA anyway
Building HIPAA-compliant from day one is 10x cheaper than retrofitting. It's also a competitive advantage — "HIPAA-compliant" on your marketing materials builds trust instantly. And when that first clinic or employer comes knocking, you're ready.
HIPAA Rules — What Each One Means
Plain-English breakdown of every requirement
Rule | What It Means | How to Implement | Cost
Encryption at Rest | PHI must be encrypted when stored on any disk, database, or backup | Industry-standard AES-256 encryption on every stored marker value. Built into the platform, no extra configuration required. | $0 (built-in)
Encryption in Transit | PHI must be encrypted during transfer between client and server | HTTPS-only (TLS 1.2+) is enforced platform-wide. No unencrypted endpoints anywhere in the data flow. | $0 (default)
Access Controls | Only authorized users can see health data. Minimum necessary access. | Row-level access control. Each user can only read their own data. No global admin view without an audited approval flow. | $0 (built-in)
Audit Trail | Log every access to PHI: who, when, what, from where. Keep 6 years. | Every read and write of PHI is logged with user, timestamp, action, and source. 6-year retention policy. | ~$5/mo storage
BAA (Business Associate Agreement) | Written agreement with every vendor that touches PHI | BAAs are signed with every vendor that touches PHI. Brand partners receive a current BAA list on request. | Included
Minimum Necessary | Only collect and store what's needed. Don't over-collect. | Store marker values only. No raw video, no camera frames, no audio recordings. Delete raw data immediately after processing. | $0 (architecture decision)
Breach Notification | Notify affected users within 60 days of discovering a breach. Notify HHS if >500 people affected. | Incident response plan document. Email notification system. Breach assessment template. | $0 (document)
Data Disposal | Delete PHI when no longer needed. Users must be able to delete their data. | "Delete my data" button. Cascading delete on user account deletion. Auto-purge policy (e.g., 3 years inactive). | $0 (code)
Risk Assessment | Annual assessment of risks to PHI. Document threats and mitigations. | Annual review document. Can be a simple spreadsheet for a startup. Update when architecture changes. | $0 (document)
What NOT to Store — Ever
Data that should be processed and immediately discarded
Data Type | Process? | Store? | Why
Raw camera video frames | ✓ In memory | ✗ Never | Facial biometric data under BIPA/GDPR. Process → extract markers → discard frames immediately.
Audio recordings (voice/breath) | ✓ In memory | ✗ Never | Voice is biometric. Extract features → discard audio.
Tongue/nail photos | ✓ In memory | ✗ Never | Medical images. Process → extract color/texture values → discard photos.
Face mesh coordinates | ✓ In memory | ✗ Never | Biometric identifier. Use for rPPG ROI extraction only → discard.
Marker values (numbers) | | ✓ Encrypted | This is what you store: just the 346 numeric results. No images, no video, no audio.
Scan metadata (date, types) | | ✓ OK | "User did a face scan on April 13" is low-risk metadata.
User profile (age, sex, height) | | ✓ Encrypted | Needed for age/sex-normalized reference ranges.
Critical Rule
The camera feed, audio, and photos must NEVER leave the device or be stored anywhere — not on the server, not in a temp file, not in a log. Process in a Web Worker or OffscreenCanvas, extract the numeric markers, and let the garbage collector destroy the raw data.
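The rule above in code, as an added example that is not part of the Scanner Atlas platform code: a worker-side routine reduces an RGBA frame to numeric markers and drops its only reference to the pixels, and a guard refuses to hand anything but plain numbers, short strings and booleans to postMessage or the upload path. The ROI names, the marker name, the frame layout and the sample frame are all assumptions constructed for the example.

```javascript
// Added example (not platform code). Frame layout, ROI and marker names assumed.

// Mean of one colour channel (0=R,1=G,2=B,3=A) over a rectangle of an RGBA frame.
function channelMean(rgba, width, roi, channel) {
  let sum = 0, n = 0;
  for (let y = roi.y; y < roi.y + roi.h; y++) {
    for (let x = roi.x; x < roi.x + roi.w; x++) {
      sum += rgba[(y * width + x) * 4 + channel];
      n++;
    }
  }
  return n ? sum / n : 0;
}

// Reduce a frame to numbers (green-channel mean per ROI, the channel that
// carries most of the rPPG signal) and release the pixel buffer before returning.
function extractMarkers(frame, rois) {
  const markers = {};
  for (const [name, roi] of Object.entries(rois)) {
    markers[name + "_g_mean"] = channelMean(frame.data, frame.width, roi, 1);
  }
  frame.data = null; // drop the only reference to the raw pixels
  return markers;
}

// Guard run on every payload before postMessage/upload: no typed arrays,
// ArrayBuffers, long strings or deep structures can slip through.
function isNumericOnly(value, depth = 0) {
  if (depth > 4) return false;
  if (typeof value === "number") return Number.isFinite(value);
  if (typeof value === "boolean") return true;
  if (typeof value === "string") return value.length <= 64;
  if (ArrayBuffer.isView(value) || value instanceof ArrayBuffer) return false;
  if (Array.isArray(value)) {
    return value.length <= 1024 && value.every(v => isNumericOnly(v, depth + 1));
  }
  if (value && typeof value === "object" && Object.getPrototypeOf(value) === Object.prototype) {
    return Object.values(value).every(v => isNumericOnly(v, depth + 1));
  }
  return false;
}

// Constructed sample: 4x4 opaque RGBA frame, pure green in the 2x2 "forehead" ROI.
function sampleFrame() {
  const width = 4, height = 4;
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 3; i < data.length; i += 4) data[i] = 255;
  for (const [x, y] of [[1, 1], [2, 1], [1, 2], [2, 2]]) data[(y * width + x) * 4 + 1] = 255;
  return { width, height, data };
}

const ROIS = { forehead: { x: 1, y: 1, w: 2, h: 2 }, full: { x: 0, y: 0, w: 4, h: 4 } };
```

In a real worker the returned markers object is what gets posted to the main thread; the guard is the last check before that call and before any network send.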
Bottom line: The platform is built HIPAA-ready from day one. The key rule across every integration: store numbers only, never images or audio, encrypt everything, and let users delete their data on demand. Brand partners who use the platform inherit this posture by default — no additional infrastructure work required on the partner side.