HIPAA Compliance

Our commitment to handling protected health information with the highest standards of privacy and security.

Effective date: March 13, 2026

1. Our Role Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of Protected Health Information (PHI). When Kobayashi Group develops or operates healthcare technology platforms on behalf of Covered Entities — such as healthcare providers, health plans, and healthcare clearinghouses — we function as a Business Associate as defined under HIPAA.

As a Business Associate, we are contractually and legally obligated to implement and maintain appropriate administrative, physical, and technical safeguards to protect any PHI we create, receive, maintain, or transmit on your behalf.

2. Business Associate Agreements (BAA)

Before accessing, processing, or storing PHI for any client, Kobayashi Group requires a fully executed Business Associate Agreement (BAA). Our BAA addresses:

  • Permitted uses and disclosures of PHI
  • Obligations and activities of each party
  • Safeguards required to protect PHI
  • Reporting obligations for breaches or security incidents
  • Provisions for the return or destruction of PHI upon contract termination

If your engagement with Kobayashi Group involves PHI and you do not yet have a BAA in place, please contact us at hello@kobayashigroup.io.

3. Administrative Safeguards

Our administrative safeguards include:

  • Security Management Process: Risk analysis and risk management procedures to identify and mitigate vulnerabilities to PHI.
  • Workforce Training: Regular HIPAA training for all personnel who may access or handle PHI in the course of client engagements.
  • Access Authorization: Formal procedures for granting access to PHI on a least-privilege, need-to-know basis.
  • Incident Response: Documented procedures for identifying, responding to, and reporting security incidents and potential breaches.
  • Contingency Planning: Data backup plans and disaster recovery procedures to ensure availability of systems containing PHI.

4. Technical Safeguards

For systems and applications we build or operate that handle PHI, we implement:

  • Encryption at rest and in transit: All PHI is encrypted using AES-256 at rest and TLS 1.2+ in transit.
  • Unique User Identification: Each user accessing PHI is assigned a unique identifier to enable activity tracking and accountability.
  • Automatic Logoff: Applications are configured to automatically terminate sessions after periods of inactivity.
  • Audit Controls: Hardware and software activity logs are maintained to record access to systems containing PHI.
  • Integrity Controls: Mechanisms are in place to authenticate PHI and ensure it has not been altered or destroyed in an unauthorized manner.
  • Transmission Security: Technical security measures guard against unauthorized access to PHI transmitted over electronic networks.

5. Physical Safeguards

Physical safeguards for PHI-handling systems include:

  • All PHI is hosted in SOC 2 Type II certified cloud infrastructure (AWS or equivalent) with restricted physical access to data centers.
  • Workstations used by personnel with access to PHI are subject to device management policies including full-disk encryption and remote wipe capability.
  • PHI is never stored on portable physical media without documented authorization and encryption.

6. Breach Notification

In the event of a confirmed or suspected breach of unsecured PHI, Kobayashi Group will notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery, as required under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Notification will include the nature of the breach, the types of PHI involved, steps individuals can take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for questions.

7. Subcontractors and Sub-Business Associates

When Kobayashi Group engages subcontractors or third-party vendors who may access PHI in the course of services provided on your behalf, we require those parties to execute a Business Associate Agreement with us that provides the same level of protection required under your BAA with Kobayashi Group. A list of our subprocessors is available upon request.

8. Patient Rights

For platforms we build on behalf of Covered Entities, we design our systems to support patients' HIPAA rights, including:

  • The right to access and obtain copies of their health records
  • The right to request amendments to their records
  • The right to an accounting of disclosures
  • The right to request restrictions on use and disclosure
  • The right to receive communications through alternative means or locations

Implementation of these rights is ultimately the responsibility of the Covered Entity. Kobayashi Group provides the technical capabilities to enable compliance.

9. Scope and Limitations

This page describes Kobayashi Group's approach to HIPAA compliance in the context of client engagements involving PHI. The Kobayashi Group marketing website (kobayashigroup.io) itself does not collect, store, or process Protected Health Information. HIPAA obligations are activated only when we enter into a client engagement that involves PHI under a signed BAA.

10. Contact Our Privacy Team

For BAA requests, HIPAA-related inquiries, or to report a potential security incident, contact us at hello@kobayashigroup.io. Kobayashi Group, San Francisco, CA.
