HIPAA Statement

Updated 26.03.25

PulseGuard AI, Inc.
Effective: September 7, 2025

Our role under HIPAA

  • PulseGuard AI acts as a Business Associate to Covered Entities and their Business Associates.
  • We process PHI only as instructed in a signed Business Associate Agreement (BAA).
  • Read-only pilots are supported; writebacks (notes, messages, orders) are enabled only after site approval.

What we process (minimum necessary)

  • Results & reports: radiology reports (incidental findings), lab results/culture finals and sensitivities.
  • Context: encounters, problems/diagnoses, orders/referrals, message metadata, and note references needed to confirm documentation.
  • We avoid unnecessary identifiers and do not use PHI for advertising or model training.

Data segregation

  • No PHI in development or demos. Separate sandbox with synthetic/de-identified data.
  • Production, staging, and dev are isolated; access is least-privilege.

Safeguards

Administrative

  • Executed BAAs, workforce HIPAA training, background checks.
  • Role-based access control (RBAC), MFA, least privilege.
  • Vendor risk management and annual risk assessments.
  • Documented incident response and disaster recovery plans.

Technical

  • Encryption in transit and at rest (TLS 1.2+; AES-256).
  • SSO/MFA, audit logs, immutable event history.
  • Network segmentation and secret management (key vault).
  • Backups and data-retention controls per contract.

Physical

  • Hosted in secure Microsoft Azure U.S. data centers; no on-prem servers.

Subprocessors (PHI-capable)

  • Microsoft Azure (hosting, storage, security services).
  • Redox (EHR connectivity).
  Marketing-only tools such as Webflow, Simple Analytics, and Zoho Mail do not handle PHI.
  We maintain BAAs/DPAs as appropriate and update this list when it changes.

Patient rights

PulseGuard AI does not respond to patient HIPAA requests directly. Individuals should contact their healthcare provider. We assist the Covered Entity as required by the BAA.

Breach notification

We notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery of a breach, or earlier if required by the BAA or law. Security events are triaged promptly and documented.

Retention & deletion

PHI is retained only for the term and purpose of the BAA. Upon contract end, we return or destroy PHI within the timeframe specified by the BAA (subject to legal holds).

Questions

security@pulseguardai.com
PulseGuard AI, Inc.

This statement summarizes our HIPAA posture and does not replace the executed BAA, which controls in the event of any conflict.