HIPAA Notice of Privacy Practices
Last reviewed June 18, 2026 · Blood Test Life Inc
Plain-English summary: blood-test.life is a direct-to-consumer product, so most individual users are not "covered entities" under HIPAA. However, we apply HIPAA-aligned standards to all users uniformly, and we sign Business Associate Agreements (BAAs) on request when partnering with healthcare providers or covered entities.
Applicability
HIPAA (the US Health Insurance Portability and Accountability Act) governs how "covered entities" — healthcare providers, health plans, and clearinghouses — handle Protected Health Information (PHI). When you upload your own lab report to blood-test.life as an individual consumer, you are not generally a covered entity, and the data is not strictly PHI under HIPAA.
However, we treat the data you upload as if it were PHI:
- Encrypted in transit (TLS 1.3) and at rest (AES-256-GCM).
- Processed in encrypted memory; original file deleted within minutes of delivery (unless trend tracking is enabled).
- Access restricted to least-privilege internal roles, with logging and quarterly review.
- Never used to train AI models.
- Never sold to third parties.
How we handle PHI when we are a Business Associate
If you are a covered entity (clinic, hospital, telehealth provider) using blood-test.life on behalf of your patients, we will sign a Business Associate Agreement (BAA) with you before processing any PHI. Under the BAA we will:
- Use PHI only for the purposes specified in the BAA.
- Apply HIPAA Security Rule safeguards (administrative, physical, technical).
- Report any security incident within HIPAA timelines.
- Provide individual rights of access, amendment, and accounting of disclosures as required.
- Return or destroy PHI on termination.
To sign a BAA, email legal@blood-test.life with your organization's name and primary contact.
Your rights as an individual
Even as a consumer, you have the following rights with respect to data you upload to blood-test.life:
- Access: Request a copy of the data we hold on you.
- Amendment: Request correction of inaccurate data.
- Deletion: Request deletion at any time.
- Restriction: Restrict certain uses of your data (subject to limits where we must process for service delivery).
- Disclosure accounting: Request an accounting of any disclosures we made.
Email privacy@blood-test.life to exercise any of these rights. We aim to respond within 30 days.
Security incident response
In the unlikely event of a security incident affecting PHI, we will:
- Investigate within 24 hours of detection.
- Notify affected covered entities within HIPAA-required timelines.
- Notify affected individuals where required by law and where direct contact is feasible.
- Publish a public post-mortem within 30 days where appropriate.
Complaints
If you believe your rights have been violated:
- Email us at privacy@blood-test.life — we will respond within 5 business days.
- You may also file a complaint with the US Department of Health and Human Services Office for Civil Rights.
We will not retaliate against anyone for filing a complaint.
Updates to this notice
We may update this notice from time to time. Material changes will be communicated to active account holders by email at least 30 days before they take effect.
Questions? privacy@blood-test.life