Privacy Policy

At HealixAI, operated by Hamilton Digital LLC, protecting your personal health information is our highest priority. This policy explicitly outlines how we securely request, read, and utilize your EHR data to power our AI engine.

Effective Date: April 1, 2026  |  Last Updated: April 11, 2026

1. Health Data & FHIR Compliance

HealixAI utilizes the industry standard SMART on FHIR (Fast Healthcare Interoperability Resources) framework to securely connect to your electronic health records. We explicitly request read-only access to the following clinical data scopes:

  • Patient Profile & Demographics (Patient.read)
  • Medications & Prescriptions (MedicationRequest.read)
  • Clinical Conditions (Condition.read)
  • Laboratory & Vitals (Observation.read)
  • Immunizations (Immunization.read)
  • Allergies & Intolerances (AllergyIntolerance.read)
  • Surgical Procedures (Procedure.read)
  • Diagnostic Reports (DiagnosticReport.read)
  • Insurance Coverage (Coverage.read)
  • Care Plans & Care Teams (CarePlan.read, CareTeam.read)

We never request write access.HealixAI cannot modify, delete, or create records in your provider's electronic health record system. All FHIR API requests are strictly read-only operations.

2. How Your Data is Used

Your health data is exclusively retrieved to populate your personalized health dashboard and to fuel our conversational AI agent. We do not sell, rent, or lease your protected health information (PHI) to third-party data brokers, marketers, or advertisers under any circumstances. Data is only utilized to provide clinical continuity and predictive wellness insights directly to you.

Specifically, your data is used to:

  • Display your clinical baseline (medications, conditions, allergies) on your dashboard
  • Power AI-driven health insights and evidence-based citations from peer-reviewed medical literature
  • Generate personalized wellness recommendations based on your health profile
  • Identify potential drug interactions and clinical safety alerts

3. Third-Party Service Providers (Subprocessors)

To deliver our service, HealixAI relies on the following infrastructure providers who may process or store your data under strict contractual obligations:

Google Cloud Platform (Firebase)

Authentication, database, and session management

Vercel Inc.

Application hosting and edge delivery

Google Cloud Platform (BigQuery)

Anonymized analytics and clinical intelligence

OpenAI / Google DeepMind

AI model inference for health insights (no PHI transmitted)

All subprocessors are contractually bound to handle data in accordance with HIPAA standards and applicable data protection regulations.

4. Data Retention and Deletion

You have the absolute right to revoke our access to your Electronic Health Records (EHR) at any time directly through your provider portal (e.g., Epic MyChart or Cerner Patient Portal). If you close your HealixAI account, all structured FHIR data synchronized from your medical providers will be cryptographically purged from our operational databases within 30 calendar days.

To request immediate data deletion, contact privacy@healixai.com. We will confirm deletion within 5 business days.

5. Data Breach Notification

In the unlikely event of a data breach affecting your protected health information, HealixAI will:

  • Notify affected users within 72 hours of discovering the breach
  • Report the incident to the U.S. Department of Health and Human Services (HHS) as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)
  • Provide a detailed description of the data involved, the steps taken to mitigate harm, and recommended protective actions
  • Offer credit monitoring services if personally identifiable information was compromised

6. Cookies & Local Storage

HealixAI uses essential cookies and browser local storage strictly for session management, authentication state, and onboarding progress. We do not use tracking cookies, advertising pixels, or third-party analytics cookies. No health data is ever stored in cookies or browser local storage.

7. HIPAA & Security Standards

HealixAI operates under strict adherence to the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules. Our security measures include:

  • All clinical API requests executed over TLS 1.3 encrypted connections
  • OAuth 2.0 / SMART on FHIR authorization with scoped, short-lived access tokens
  • Data encrypted at rest using AES-256 encryption in Google Cloud infrastructure
  • Role-based access controls (RBAC) limiting internal access to PHI
  • Annual security risk assessments and vulnerability scanning

8. State Privacy Law Compliance

In addition to HIPAA, HealixAI complies with applicable state privacy regulations including:

  • California (CCPA/CPRA) — California residents may request access to, deletion of, or opt-out of the sale of their personal information. Note: HealixAI does not sell personal information.
  • Washington (My Health My Data Act) — We provide explicit consent mechanisms before collecting health data from Washington state residents.
  • Other states — We comply with all applicable state health information privacy laws.

9. Contact Information

Hamilton Digital LLC (dba HealixAI)

Data Protection Officer: Ricardo Hamilton, MD

Email: privacy@healixai.com

Website: app.healixai.com

Questions regarding data security?