
HIPAA Compliance

Last updated: February 12, 2026

Our Commitment to Protecting Your Health Data

At Zeph, the security and privacy of your health information are our highest priority. As a platform that collects and processes respiratory health data, we are fully committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

What is HIPAA?

HIPAA is a federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.

How Zeph Complies with HIPAA

Administrative Safeguards

  • Designated Privacy and Security Officers oversee all data protection practices
  • Regular employee training on HIPAA compliance and data handling
  • Comprehensive risk assessments conducted annually
  • Documented policies and procedures for handling Protected Health Information (PHI)

Technical Safeguards

  • End-to-end encryption (AES-256) for all health data in transit and at rest
  • Role-based access controls ensuring only authorized personnel can access PHI
  • Multi-factor authentication for all system access
  • Automated audit logging of all PHI access and modifications
  • Secure Bluetooth Low Energy (BLE) data transmission between device and app

Physical Safeguards

  • Cloud infrastructure hosted in HIPAA-compliant data centers (SOC 2 Type II certified)
  • Physical access controls at all data processing facilities
  • Secure disposal of hardware and media containing PHI

Business Associate Agreements

We maintain Business Associate Agreements (BAAs) with all third-party service providers who may have access to PHI, ensuring they meet the same rigorous standards we hold ourselves to.

Your Rights Under HIPAA

As a Zeph user, you have the right to:

  • Access and obtain a copy of your health data
  • Request corrections to your health records
  • Know who has accessed your health information
  • Request restrictions on how your data is used or shared
  • Receive notification in the event of a data breach

Breach Notification

In the unlikely event of a data breach involving your Protected Health Information, we will notify affected individuals, the Department of Health and Human Services, and (if applicable) the media in accordance with the HIPAA Breach Notification Rule.

Data Retention and Disposal

We retain Protected Health Information for the duration of your active account plus a minimum of 6 years after the last date of service, in compliance with federal and state healthcare record retention requirements. After the retention period expires, PHI is securely destroyed using NIST-approved methods for data sanitization.

You may request earlier deletion of your data, subject to applicable legal and regulatory retention obligations. We will inform you if any retention requirements prevent immediate deletion.

Minimum Necessary Standard

Zeph adheres to the HIPAA minimum necessary standard, ensuring that access to PHI is limited to the minimum amount needed to accomplish the intended purpose. Our systems enforce role-based access controls that restrict data visibility based on job function and clinical need.

Contact Our Privacy Team

If you have questions about our HIPAA compliance practices or wish to exercise your rights, please contact our Privacy Officer at privacy@zeph.com or write to us at Zeph, Inc., San Francisco, CA.
