What Is HIPAA and Why Does It Matter?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
HIPAA is relevant to anyone in the healthcare ecosystem — including technology platforms like DEEPdormir.pro that handle, store, or transmit health-related information. Understanding HIPAA helps you know exactly how your information is protected when you use our platform to find and connect with sleep medicine providers.
Privacy Rule
Governs how Protected Health Information (PHI) may be used and disclosed by covered entities and their business associates.
Security Rule
Requires administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of electronic PHI (ePHI).
Breach Notification Rule
Requires covered entities to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI.
Our Role Under HIPAA
DEEPdormir.pro operates as a healthcare technology platform and directory service. We connect patients with providers — we do not deliver medical care, store medical records, or transmit clinical treatment data.
- We do not create, receive, maintain, or transmit Protected Health Information (PHI) as part of providing our directory services.
- Any health-related context you provide — such as your reason for seeking a sleep specialist — is treated as sensitive and protected under our security framework.
- We voluntarily apply HIPAA Security Rule standards to all data handling practices — not just where legally required.
- Providers listed on our platform who are covered entities under HIPAA remain independently responsible for their own HIPAA compliance in delivering patient care.
How We Handle Health-Related Data
The following table describes what health-adjacent data we may encounter and how we handle it:
| Data Type | When Collected | How It's Protected | Shared With |
|---|---|---|---|
| Reason for Visit | Appointment request form | TLS 1.3 in transit; AES-256 at rest; access-controlled | Selected provider only |
| Insurance Member ID | Insurance verification form | Encrypted storage; not logged in analytics | Billing team only; deleted after verification |
| Review Content | Patient review submission | No PHI accepted in reviews; submissions monitored | Published publicly — no health data permitted |
| Provider Patient Records | Never collected by us | Not applicable | Not applicable |
Our HIPAA-Aligned Safeguards
We implement all three categories of HIPAA Security Rule safeguards:
4.1 Technical Safeguards
- Encryption in Transit: All data between users and our servers uses TLS 1.3 protocol. HTTP connections are automatically redirected to HTTPS.
- Encryption at Rest: Sensitive data fields are encrypted at rest using AES-256 encryption.
- Access Controls: Role-based access controls (RBAC) ensure only authorized personnel can access specific data. The principle of least privilege is enforced.
- Audit Logs: All access to health-adjacent data is logged with timestamps, user IDs, and action types. Logs are retained for a minimum of 6 years.
- Automatic Session Timeout: Provider portal sessions automatically expire after 30 minutes of inactivity.
- Multi-Factor Authentication: Provider portal accounts support and encourage MFA for additional access security.
4.2 Administrative Safeguards
- Security Officer: We have designated a Security Officer responsible for overseeing our HIPAA compliance program.
- Risk Analysis: We conduct formal risk assessments at least annually and following any significant system change.
- Workforce Training: All staff who may handle health-adjacent data receive HIPAA awareness training upon hire and annually thereafter.
- Sanction Policy: Employees who violate our privacy and security policies are subject to disciplinary action up to and including termination.
- Contingency Planning: We maintain documented backup and disaster recovery procedures to ensure data availability and integrity.
4.3 Physical Safeguards
- Data Center Security: Our infrastructure is hosted on SOC 2 Type II certified cloud infrastructure with physical access controls, surveillance, and environmental protections.
- Workstation Security: Company-issued devices used to access health-adjacent data must be encrypted and protected with strong passwords.
- Disposal: Electronic media containing sensitive data is wiped using DoD-compliant methods before disposal or repurposing.
Business Associate Agreements
A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity and a business associate — any third party that handles PHI on behalf of the covered entity.
For Providers on Our Platform
If your practice is a HIPAA covered entity and you believe our Platform may function as a business associate in your specific use case, we are prepared to execute a BAA. To request a BAA, contact us at support@deepdormir.pro with the subject line "BAA Request."
Our Vendor BAAs
We require all third-party service providers who may come into contact with health-adjacent data to execute BAAs with us prior to data access. These vendors include:
- Cloud infrastructure and hosting providers
- Email delivery services used for appointment confirmations
- Customer support platforms that may process user inquiries
- Analytics tools that may process user data
We regularly audit vendor compliance and update BAAs to reflect changes in services or regulatory requirements.
Breach Response Protocol
In the event of a security incident that may involve unauthorized access to health-related data, we follow a documented Breach Response Protocol:
1. Detection & Assessment
Immediate investigation to determine scope, nature, and affected data within 24 hours of discovery.
2. Containment
Immediate steps to contain the breach, revoke compromised credentials, and prevent further unauthorized access.
3. Notification
Affected users notified within 72 hours. HHS notified as required. For large breaches, media notification per HIPAA Breach Notification Rule.
To report a suspected security incident, contact us immediately at support@deepdormir.pro or call (516) 548-3028.
Your Rights as a Patient
Under HIPAA and our Privacy Policy, you have the following rights regarding health-related information you share with us through DEEPdormir.pro:
Right to Access
Request access to health-adjacent information you have submitted through our platform.
Right to Deletion
Request deletion of appointment request data and other health-adjacent information submitted through our platform.
Right to Restrict
Request that we restrict sharing of your information beyond what is necessary for service delivery.
Right to Complain
File a complaint with us or directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
Right to Portability
Receive a copy of your submitted data in a machine-readable format for transfer to another service.
Right to Amend
Request corrections to inaccurate health-adjacent information we hold about you.
Provider HIPAA Obligations
Healthcare providers listed on DEEPdormir.pro who are HIPAA covered entities have independent HIPAA obligations that DEEPdormir.pro does not fulfill on your behalf:
- Notice of Privacy Practices: Providers must maintain and distribute their own Notice of Privacy Practices (NPP) to patients. This is separate from DEEPdormir.pro's privacy documentation.
- Patient Communication: Any communication between you and a provider regarding treatment must occur through HIPAA-compliant channels. Do not use DEEPdormir.pro forms to share clinical health information with your provider.
- Review Responses: When responding to patient reviews through the provider portal, providers must not disclose any patient information that could violate HIPAA, even if the patient has disclosed information in their own review.
- Appointment Data: Provider access to appointment request data received through our Platform is subject to their own HIPAA compliance obligations for that data once received.
- Training: Providers are responsible for ensuring their staff is trained on HIPAA requirements for any patient data they receive through our Platform.
Our Staff Training Program
All DEEPdormir.pro employees and contractors who may access health-related data are required to complete:
- HIPAA Awareness Training: Completed within the first week of employment and annually thereafter, covering the Privacy Rule, Security Rule, and Breach Notification Rule.
- Security Awareness Training: Annual training covering phishing awareness, password hygiene, device security, and incident reporting procedures.
- Role-Specific Training: Technical and customer-facing staff receive additional role-specific training relevant to the data they interact with.
- Confidentiality Agreements: All staff sign confidentiality and data handling agreements as a condition of employment.
Contact Us & File a Complaint
If you have HIPAA-related questions, believe your health information has been improperly handled, or wish to file a complaint, please contact us: