Trellis handles Protected Health Information on behalf of families coordinating disability and developmental care. When a clinic, agency, or provider organization uses Trellis, that organization is a HIPAA Covered Entity and Trellis is its Business Associate. This page describes what that means in practice — the agreement we sign, the subprocessors we use, the rights individuals have, and how we handle breaches if they occur.
01 What HIPAA means for Trellis
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs how Protected Health Information (PHI) is used, disclosed, and safeguarded. It creates two categories of regulated parties:
- Covered Entities — healthcare providers, health plans, and healthcare clearinghouses that originate or receive PHI in the course of treatment, payment, or operations
- Business Associates — vendors and service providers that handle PHI on behalf of a Covered Entity (or another Business Associate)
When a clinic, hospital, ABA agency, OT/SLP practice, or school health team uses Trellis to coordinate care for the individuals they serve, that organization is a Covered Entity and Trellis is its Business Associate. Trellis enters into a Business Associate Agreement with the organization formalizing the relationship.
When a family uses Trellis directly to coordinate care for their own loved one, the family is not itself a Covered Entity (HIPAA does not regulate individuals managing their own or their child's care). The same technical and operational protections still apply — but the BAA framework is mechanically a Covered-Entity-to-Business-Associate contract and doesn't fit the family-direct case.
02 Trellis's role as Business Associate
When Trellis handles PHI on behalf of a Covered Entity, we commit to:
- Use PHI only as permitted — to provide the coordination service the Covered Entity has contracted for, plus internal operations consistent with HIPAA §164.504(e)(2)(i)(A)
- Not disclose PHI except as permitted by the BAA, required by law, or with the affected individual's authorization
- Implement appropriate safeguards — administrative, physical, and technical — to prevent improper use or disclosure (the practical detail is on the Security page)
- Report breaches within the timelines required by §164.410 (Business Associate breach notification to the Covered Entity)
- Make PHI available to the individual for access (§164.524) and amendment (§164.526), and provide an accounting of disclosures (§164.528) — on request from the Covered Entity
- Bind subcontractors to the same obligations through downstream Business Associate Agreements
- Return or destroy PHI at termination of the BAA when feasible (and where return/destruction is infeasible, extend BAA protections to retained PHI for as long as it's held)
- Provide HHS access to internal practices, books, and records relating to PHI use and disclosure as required by §164.504(e)(2)(ii)(I)
03 The Business Associate Agreement
Our standard Business Associate Agreement is reviewed by counsel and is provided to Covered Entities at the time of subscription or on request. The agreement covers:
- Scope of permitted uses and disclosures
- Safeguard requirements aligned with the HIPAA Security Rule (45 CFR §164.302–318)
- Breach notification timelines and procedures
- Subcontractor management — Trellis ensures every downstream service that touches PHI is itself bound by a BAA
- Termination procedures, including PHI handling at termination
- Indemnification and insurance commitments
- Governing law and dispute resolution
Requesting the BAA. If you're a Covered Entity evaluating Trellis for your organization, email hello@trelliscare.app with “BAA Request” in the subject and we'll send the current version. A signature workflow is provided via DocuSign.
04 Subprocessors
Trellis uses a small number of infrastructure providers to deliver the service. Each handles PHI only to the extent required for the service it provides, and each is bound by a Business Associate Agreement (or equivalent contractual protection).
| Provider | Role | Hosting region |
|---|---|---|
| Convex | Database, server runtime, file storage, real-time sync | United States |
| Vercel | Application hosting, serverless functions, edge network | United States |
| Postmark | Transactional email (notifications, password reset, invites) | United States |
| Anthropic (Claude) | AI inference for de-identified pattern analysis (Growth tier only) | United States |
| Stripe | Subscription billing and payment processing (no PHI) | United States |
| Sentry | Error monitoring (PHI-scrubbed before transmission) | United States |
We'll notify Covered Entity customers at least 30 days before adding a new subprocessor that will have access to PHI, giving you the opportunity to object (and, if we can't address the objection, to terminate without penalty).
05 The 18 HIPAA identifiers
HIPAA Safe Harbor de-identification (45 CFR §164.514(b)) lists 18 categories of identifiers that, when removed, render data sufficiently de-identified that it is no longer considered PHI. Trellis's 7-layer de-identification pipeline is built around this list:
- Names
- All geographic subdivisions smaller than a state (street, city, county, ZIP except first 3 digits where population >20,000)
- All elements of dates (except year) for dates directly related to the individual — birth date, admission date, discharge date, date of death — and all ages over 89 and elements of dates (including year) indicative of such age
- Telephone numbers
- Vehicle identifiers and serial numbers (incl. license plates)
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- URLs
- Social Security numbers
- IP addresses
- Medical record numbers
- Biometric identifiers, including fingerprints and voiceprints
- Health plan beneficiary numbers
- Full-face photos and any comparable images
- Account numbers
- Certificate or license numbers
- Any other unique identifying number, characteristic, or code
The pipeline strips these categories from data before AI inference. Where dates are needed for clinical reasoning, we replace them with age-bucket categoricals (e.g., “school-age, <13”) rather than the actual date. The full pipeline implementation is open for discussion with auditors under NDA.
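As an added illustration (not Trellis's pipeline code), the snippet below applies a pattern-based pass over the regex-detectable categories in the list above and replaces a birth date with an age-bucket categorical. The bucket boundaries other than the page's “school-age, <13” example, the sparse-ZIP prefix set, and the sample note are assumptions; names and street addresses need a dictionary/NER layer that this example does not include.

```python
import re
from datetime import date

# Pattern-matchable Safe Harbor categories (SSN, MRN, phone, email, URL, IP, dates).
# Names, street addresses and free-text identifiers need a dictionary/NER layer
# that this example does not include. Order matters: MRNs and dates are replaced
# before the 5-digit ZIP rule runs, so their digits are not mistaken for ZIPs.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE)),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]
ZIP_RX = re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b")

# Assumed placeholder: 3-digit ZIP prefixes covering fewer than 20,000 people.
# A real pipeline loads this from census data; Safe Harbor requires them to be 000.
SPARSE_ZIP3 = frozenset({"036", "059"})

def age_bucket(dob: date, as_of: date) -> str:
    """Replace a birth date with a categorical instead of keeping the date."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return "90+"                    # Safe Harbor: ages over 89 are collapsed
    if age < 13:
        return "school-age, <13"        # bucket label from the page's example
    if age < 18:
        return "adolescent, 13-17"      # assumed bucket boundaries
    return "adult, 18-89"

def truncate_zip(m: re.Match) -> str:
    """Keep the first 3 digits, or 000 for sparsely populated prefixes."""
    prefix = m.group(1)
    return "000" if prefix in SPARSE_ZIP3 else prefix + "XX"

def deidentify(text: str) -> str:
    for label, rx in PATTERNS:
        text = rx.sub(f"[{label}]", text)
    return ZIP_RX.sub(truncate_zip, text)

# Constructed sample note (not real PHI).
NOTE = ("Pt MRN 0048213, DOB 03/14/2016, ZIP 62704, mother maya@example.com, "
        "(217) 555-0142, SSN 123-45-6789, uploaded from 10.0.0.5 "
        "via https://portal.example.org/x")

if __name__ == "__main__":
    print(deidentify(NOTE))
    print(age_bucket(date(2016, 3, 14), date(2025, 9, 1)))
```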
06 Individual rights under HIPAA
Individuals whose PHI is held in Trellis have rights under the HIPAA Privacy Rule. Trellis supports these rights as follows:
Right of Access (§164.524)
Individuals (or their personal representatives) can view everything Trellis holds about them, organized by record type. This is available in-app for the account owner of the individual's record; family-role members can also view via their dashboard. For requests outside the app (paper copy, alternate format), email hello@trelliscare.app and we'll respond within the 30-day window required by §164.524(b)(2).
Right of Amendment (§164.526)
Most records in Trellis are user-editable directly. For records that aren't (audit-log entries are immutable by design — they're the system of record for who did what when), an amendment request can append context to the record without modifying the original entry, preserving the audit trail. Email hello@trelliscare.app with details.
Right to Accounting of Disclosures (§164.528)
Individuals have the right to an accounting of certain disclosures of their PHI made in the prior six years. Family-role members can view a derived disclosure log in-app showing actor, role, action, resource type, and timestamp. The audit log is retained for the full six-year period required by the rule.
Right to Request Restrictions (§164.522(a))
Trellis's visibility controls (Team / Clinical only / Family only / Author only / Custom) let care team members restrict who sees specific notes. For broader restrictions — limiting which providers see what, restricting disclosures to particular individuals — email hello@trelliscare.app.
Right to Confidential Communications (§164.522(b))
Trellis supports per-user notification preferences (push, email, in-app) and per-user contact information (alternate phone, alternate email). Configurable from Settings → Notifications.
07 Minimum necessary standard
HIPAA's minimum necessary standard (45 CFR §164.502(b)) requires that PHI use, disclosure, or request be limited to the minimum necessary to accomplish the intended purpose. Trellis is built around this:
- Care team members see only individuals they're actively assigned to (per-individual permissions)
- Within an individual's record, per-record visibility limits exposure (clinical notes hidden from non-clinical roles, family-only notes hidden from professional roles, etc.)
- AI inference receives only the minimum data needed for the analysis being requested — and never identifiable data
- Notification emails carry no PHI in body or subject
- Audit-log entries record who and what but never the content (the content lives in the source record)
08 Breach notification
A breach under HIPAA §164.402 is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
If we discover or are notified of a security incident affecting Trellis that constitutes a breach, we will:
- Notify the affected Covered Entity (where applicable) without unreasonable delay and no later than 60 days after discovery, per §164.410
- Notify affected individuals within 60 days of discovery per §164.404 (where the breach affects fewer than 500 individuals; immediate notification for breaches affecting 500+ in a state)
- Notify HHS per §164.408 — annual log for breaches <500 individuals; immediate notification for breaches affecting 500+ individuals
- Notify prominent media outlets per §164.406 for breaches affecting 500+ individuals in a state or jurisdiction
Breach notifications include: a brief description of what happened, the types of PHI involved, steps the individual should take to protect themselves, what we're doing to investigate and prevent recurrence, and contact information.
09 Designated contacts
HIPAA Privacy Officer. Sky (Founder, Veridian Synthetics) — currently serves as the designated Privacy Officer responsible for development and implementation of Trellis's privacy policies and procedures.
HIPAA Security Officer. Sky (Founder, Veridian Synthetics) — currently serves as the designated Security Officer responsible for development and implementation of security policies and procedures.
Contact: compliance@trelliscare.app
(As Trellis grows, these roles will be assigned to dedicated personnel and updated on this page.)
10 Filing a HIPAA complaint
If you believe Trellis has violated your HIPAA rights, you have several options:
- Email us at compliance@trelliscare.app with details. We respond within 30 days and take every complaint seriously.
- File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint. OCR investigates complaints alleging HIPAA violations by Covered Entities and Business Associates.
Trellis will not retaliate against you for filing a complaint.
Questions about this document? hello@trelliscare.app
Trellis is built and operated by Veridian Synthetics, an independent maker.