HIPAA Notice

Last updated: February 3, 2026

This notice describes how Ortho Board Prep handles Protected Health Information (PHI) and our commitment to HIPAA compliance.

1. Our Commitment

Ortho Board Prep is designed with healthcare data security in mind. We implement technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of health information processed through our platform.

Infrastructure Compliance

Our infrastructure is built on Google Cloud Platform with an executed Business Associate Agreement (BAA). Google Cloud maintains HIPAA compliance for covered services including Firebase Authentication, Cloud Firestore, Cloud Storage, and Cloud Functions.

2. Your Responsibilities

As a healthcare professional using Ortho Board Prep for exam preparation, you bear important responsibilities:

Authorization

  • Ensure you have proper authorization before uploading any patient information
  • Follow your institution's policies regarding use of patient data for education
  • Obtain necessary consents if required by your organization or state law

De-identification

  • Use our PHI detection and redaction tools before sharing or exporting documents
  • Verify that all 18 HIPAA identifiers are removed or redacted
  • Remember that AI detection is an aid — you must verify completeness

Access Control

  • Do not share your account credentials
  • Log out when using shared computers
  • Report any suspected unauthorized access immediately

3. Technical Safeguards

We implement the following security measures:

SafeguardImplementation
Encryption at RestAES-256 encryption for all stored data
Encryption in TransitTLS 1.2+ for all data transmission
Access ControlsFirebase Authentication with secure session management
Audit LoggingAI usage and access logging for accountability
Automatic TimeoutSession expiration after period of inactivity
Secure DeletionPermanent deletion upon user request

4. PHI Handling

Document Processing

When you upload documents containing PHI:

  • Documents are encrypted immediately upon upload
  • AI processing occurs on HIPAA-compliant Google Cloud infrastructure
  • OCR text and AI-generated content are stored in your private Firestore documents
  • No data is shared with other users or used for training without anonymization

PHI Detection Tools

We provide AI-powered tools to help identify PHI:

  • Vision-based detection scans documents for names, dates, MRNs, and other identifiers
  • Bounding boxes highlight detected PHI for your review
  • Redaction burns black rectangles into the document permanently
  • Original documents are preserved separately until you choose to delete them

Important Limitation

AI-based PHI detection is not 100% accurate. You MUST review and verify all redactions before sharing documents. We are not liable for PHI that our tools fail to detect.

The 18 HIPAA Identifiers

PHI includes any of these identifiers when associated with health information:

  1. Names
  2. Geographic data smaller than state
  3. Dates (except year) related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs
  18. Any other unique identifying number or code

5. Breach Notification

In the event of a confirmed breach involving your PHI, we will:

  • Notify you within 72 hours of confirmation
  • Provide details about what information was affected
  • Describe the steps we are taking to address the breach
  • Offer guidance on steps you can take to protect yourself

6. Limitations

Please understand the following limitations:

  • Not an EHR: Ortho Board Prep is an exam preparation tool, not an Electronic Health Record system
  • Not a Covered Entity: We operate as a service provider to healthcare professionals, not as a covered entity ourselves
  • User Responsibility:You are responsible for compliance with your own institution's policies and applicable regulations
  • AI Limitations: Our AI tools assist with PHI detection but cannot guarantee complete identification

7. Institutional Use

For institutional deployments or if you require a formal Business Associate Agreement (BAA) with Ortho Board Prep directly, please contact us to discuss your requirements.

8. Contact Us

For HIPAA-related inquiries, security concerns, or to report a potential breach:

Email: orthoboardprep@gmail.com

For urgent security matters:Include "URGENT" in your subject line for priority response.