HIPAA Notice

Last updated: March 5, 2026

Notice of Privacy Practices for Protected Health Information

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Commitment to HIPAA Compliance

SnapRx is designed with a HIPAA-ready architecture from day one. While SnapRx is currently a consumer health application and may not be classified as a "covered entity" under HIPAA, we voluntarily adhere to HIPAA standards because we believe your health data deserves the highest level of protection.

We have implemented administrative, physical, and technical safeguards that meet or exceed HIPAA Security Rule requirements.

2. Protected Health Information (PHI)

The following types of information in SnapRx may qualify as PHI:

  • Medication names, dosages, and prescriber information
  • Pharmacy details and prescription numbers
  • Health metrics (blood pressure, blood sugar, weight, etc.)
  • Drug interaction alerts and health warnings
  • Medication adherence records
  • Scanned prescription label data

3. Technical Safeguards

We implement the following technical controls to protect your health information:

3.1 Access Controls

  • Unique User Identification: Every user has a unique UUID-based identifier.
  • Authentication: JWT-based with short-lived access tokens (30-minute expiry) and revocable refresh tokens (30-day expiry).
  • Token Revocation: Each token has a unique JTI (JWT ID) stored in the database, enabling instant revocation.
  • Automatic Session Termination: Inactive sessions are automatically expired.

3.2 Encryption

  • In Transit: All communications use TLS 1.3 encryption.
  • At Rest: Database encryption via Google Cloud SQL managed encryption (AES-256).
  • Password Storage: Argon2id hashing with per-user salts — the algorithm recommended by OWASP and winner of the Password Hashing Competition.

3.3 Audit Controls

  • Structured Logging: All system access is logged via structlog in JSON format.
  • Zero PII in Logs: No personally identifiable information or PHI appears in application logs.
  • Request Tracing: Every API request is tagged with a unique request ID for audit trails.

3.4 Integrity Controls

  • Input Validation: Pydantic schema validation on all API inputs.
  • Rate Limiting: Redis-backed sliding window rate limiting prevents brute-force and abuse.
  • Security Headers: Strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.

4. Administrative Safeguards

  • Minimum Necessary Standard: We only collect and process health data necessary to provide the Service.
  • Workforce Training: All team members with access to systems handling PHI receive security awareness training.
  • Incident Response: We maintain a security incident response plan and will notify affected users within 72 hours of a confirmed breach.
  • Business Associate Agreements: We maintain BAAs with service providers who may process PHI (Google Cloud Platform).

5. Physical Safeguards

  • Cloud Infrastructure: All data is hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance certifications.
  • No Local Storage: PHI is not stored on local servers. All data resides in Google Cloud's HIPAA-eligible services.
  • Workstation Security: Development workstations use full-disk encryption and multi-factor authentication.

6. Your Rights Regarding PHI

You have the right to:

  • Access: Request a copy of all health information we have about you.
  • Amendment: Request corrections to inaccurate health information.
  • Accounting of Disclosures: Request a list of when and why your PHI was shared.
  • Restriction: Request restrictions on how your health information is used.
  • Deletion: Request permanent deletion of all your health data.
  • Data Portability: Export your health data in a standard, machine-readable format.

7. Breach Notification

In the event of a breach of unsecured PHI, SnapRx will:

  • Notify affected individuals within 72 hours of discovery
  • Provide details about what information was compromised
  • Describe the steps being taken to investigate and mitigate the breach
  • Report breaches affecting 500+ individuals to the HHS Office for Civil Rights

8. Infrastructure Details

Component Service HIPAA Eligible
Application Hosting Google Cloud Run Yes
Database Cloud SQL (PostgreSQL 16) Yes
Cache / Rate Limiting Memorystore (Redis 7) Yes
OCR Processing Google Cloud Vision Yes
Container Registry Artifact Registry Yes
Secret Management Secret Manager Yes

9. Contact the Privacy Officer

For questions about this HIPAA Notice or to exercise your rights:

  • Email: hipaa@snaprx.app
  • Mail: SnapRx, Inc., Attn: Privacy Officer