HIPAA Compliance Statement

1. REGULATORY STATUS

1.1 Not a Covered Entity

Patient Privacy Index does not meet the definition of a "Covered Entity" under 45 C.F.R. § 160.103. Specifically, we are not:

• A health plan
• A healthcare clearinghouse
• A healthcare provider who transmits any health information in electronic form

1.2 Not a Business Associate

Patient Privacy Index does not meet the definition of a "Business Associate" under 45 C.F.R. § 160.103. We do not:

• Create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity
• Perform functions or activities involving the use or disclosure of PHI
• Provide services to Covered Entities that involve access to PHI

1.3 Independent Third-Party Observer

Our platform operates as an independent third-party assessment and editorial platform, analogous to consumer reporting agencies, security rating services, or industry analysts. We analyze publicly available technical data and publish algorithmic assessments thereof.

2. ABSENCE OF PHI HANDLING

2.1 Data Sources

All data analyzed by Patient Privacy Index is derived exclusively from:

• Public DNS Records: Domain registration information, MX records, SPF/DKIM configurations
• Public Web Content: HTML source code, JavaScript files, CSS stylesheets
• Network Observations: SSL/TLS certificates, HTTP headers, server responses
• Third-Party Scripts: Detection of analytics pixels, advertising tags, tracking beacons
• Public Business Records: State licensing databases, corporate registrations

2.2 Explicit Exclusions

Patient Privacy Index explicitly does NOT access, collect, or process:

• Individual patient names, addresses, or contact information
• Medical record numbers or health plan beneficiary numbers
• Social Security numbers or other government-issued identifiers
• Dates of birth, admission, discharge, or death
• Biometric identifiers or full-face photographs
• Any other individually identifiable health information

3. METHODOLOGY AND SCOPE LIMITATIONS

3.1 Passive Scanning Only

Our technical assessments are conducted through passive observation of publicly accessible resources. We do not:

• Attempt to bypass authentication mechanisms
• Access password-protected areas of websites
• Submit forms with test data
• Perform vulnerability scans that could alter system state
• Conduct penetration testing or exploitation attempts
• Access internal networks or systems

3.2 No Patient Portal Access

Patient Privacy Index does not attempt to access, analyze, or interact with:

• Patient portals or member login systems
• Electronic Health Record (EHR) interfaces
• Appointment scheduling systems containing patient data
• Payment or billing portals
• Secure messaging platforms

4. ALGORITHMIC OPINION DISCLAIMER

4.1 Not a HIPAA Audit

The assessments, ratings, and scores provided by Patient Privacy Index DO NOT CONSTITUTE:

• Official HIPAA compliance audits
• Office for Civil Rights (OCR) investigations
• Certifications of HIPAA compliance status
• Legal determinations of regulatory compliance
• Professional security assessments

4.2 Editorial and Algorithmic Nature

All ratings (A-F) and scores represent algorithmic opinions derived from automated technical analysis of publicly available data. These assessments are:

• Generated without human review of individual entities
• Based on heuristics and technical indicators only
• Not substitutes for professional legal or compliance advice
• Subject to limitations inherent in automated analysis

5. REFERENCE TO HIPAA STANDARDS

5.1 45 C.F.R. § 164.312

Our assessments reference 45 C.F.R. § 164.312 (Technical Safeguards) as a framework for evaluating publicly observable security practices. However:

• Reference to this regulation does not imply HIPAA jurisdiction over our operations
• Our analysis is limited to publicly visible technical implementations
• We do not assess administrative or physical safeguards
• We do not evaluate internal policies or procedures

5.2 No Regulatory Authority

Patient Privacy Index has no regulatory authority and does not:

• Issue findings of HIPAA violations
• Impose penalties or sanctions
• Report entities to HHS or other regulatory bodies
• Make referrals to law enforcement

6. DATA BREACH NOTIFICATION

6.1 No PHI at Risk

As Patient Privacy Index does not collect, maintain, or process Protected Health Information, a data breach affecting our systems would not implicate HIPAA breach notification requirements under 45 C.F.R. § 164.400 et seq.

6.2 General Security Incidents

In the event of a security incident affecting our platform, we will:

• Assess the nature and scope of the incident
• Notify affected users as required by applicable law
• Cooperate with law enforcement as appropriate
• Take remedial measures to prevent recurrence

7. HEALTHCARE PROVIDER RELATIONSHIPS

7.1 No Treatment Relationships

Patient Privacy Index does not provide healthcare services and has no treatment, payment, or healthcare operations relationships with any Covered Entity.

7.2 B2B Services

Services offered to healthcare providers (manual audits, remediation reports) are business-to-business consulting services that do not involve access to PHI. These services are:

• Conducted based on publicly available information
• Delivered to authorized representatives only
• Subject to separate contractual terms
• Not subject to HIPAA Business Associate Agreement requirements

8. COMPLIANCE WITH OTHER REGULATIONS

While not subject to HIPAA, Patient Privacy Index maintains compliance with:

• Federal Trade Commission Act (Section 5 - Unfair or Deceptive Practices)
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
• General Data Protection Regulation (GDPR) where applicable
• State data breach notification laws
• Computer Fraud and Abuse Act (CFAA) limitations

9. CONTACT AND INQUIRIES

For questions regarding our regulatory status or HIPAA compliance statement:

Compliance Officer
Patient Privacy Index
Email: compliance@patientprivacyindex.org
Address: [Registered Agent Address]