HIPAA Notice
Last updated: February 3, 2026
This notice describes how Ortho Board Prep handles Protected Health Information (PHI) and our commitment to HIPAA compliance.
1. Our Commitment
Ortho Board Prep is designed with healthcare data security in mind. We implement technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of health information processed through our platform.
Infrastructure Compliance
Our infrastructure is built on Google Cloud Platform with an executed Business Associate Agreement (BAA). Google Cloud maintains HIPAA compliance for covered services including Firebase Authentication, Cloud Firestore, Cloud Storage, and Cloud Functions.
2. Your Responsibilities
As a healthcare professional using Ortho Board Prep for exam preparation, you bear important responsibilities:
Authorization
- Ensure you have proper authorization before uploading any patient information
- Follow your institution's policies regarding use of patient data for education
- Obtain necessary consents if required by your organization or state law
De-identification
- Use our PHI detection and redaction tools before sharing or exporting documents
- Verify that all 18 HIPAA identifiers are removed or redacted
- Remember that AI detection is an aid — you must verify completeness
Access Control
- Do not share your account credentials
- Log out when using shared computers
- Report any suspected unauthorized access immediately
3. Technical Safeguards
We implement the following security measures:
| Safeguard | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.2+ for all data transmission |
| Access Controls | Firebase Authentication with secure session management |
| Audit Logging | AI usage and access logging for accountability |
| Automatic Timeout | Session expiration after period of inactivity |
| Secure Deletion | Permanent deletion upon user request |
4. PHI Handling
Document Processing
When you upload documents containing PHI:
- Documents are encrypted immediately upon upload
- AI processing occurs on HIPAA-compliant Google Cloud infrastructure
- OCR text and AI-generated content are stored in your private Firestore documents
- No data is shared with other users or used for training without anonymization
PHI Detection Tools
We provide AI-powered tools to help identify PHI:
- Vision-based detection scans documents for names, dates, MRNs, and other identifiers
- Bounding boxes highlight detected PHI for your review
- Redaction burns black rectangles into the document permanently
- Original documents are preserved separately until you choose to delete them
Important Limitation
AI-based PHI detection is not 100% accurate. You MUST review and verify all redactions before sharing documents. We are not liable for PHI that our tools fail to detect.
The 18 HIPAA Identifiers
PHI includes any of these identifiers when associated with health information:
- Names
- Geographic data smaller than state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
5. Breach Notification
In the event of a confirmed breach involving your PHI, we will:
- Notify you within 72 hours of confirmation
- Provide details about what information was affected
- Describe the steps we are taking to address the breach
- Offer guidance on steps you can take to protect yourself
6. Limitations
Please understand the following limitations:
- Not an EHR: Ortho Board Prep is an exam preparation tool, not an Electronic Health Record system
- Not a Covered Entity: We operate as a service provider to healthcare professionals, not as a covered entity ourselves
- User Responsibility:You are responsible for compliance with your own institution's policies and applicable regulations
- AI Limitations: Our AI tools assist with PHI detection but cannot guarantee complete identification
7. Institutional Use
For institutional deployments or if you require a formal Business Associate Agreement (BAA) with Ortho Board Prep directly, please contact us to discuss your requirements.
8. Contact Us
For HIPAA-related inquiries, security concerns, or to report a potential breach:
Email: orthoboardprep@gmail.com
For urgent security matters:Include "URGENT" in your subject line for priority response.