Your health information, in plain English.
When you give a Harness Health surface protected health information (PHI), HIPAA applies. Here's what that actually means.
Where HIPAA applies in our stack
Several Harness Health surfaces process PHI:
- co-op.care (care plans, caregiver notes, family medical records)
- SurgeonValue (clinical notes, billing codes, prior-auth letters)
- ComfortCard (HSA/FSA-eligible expense records, advance directives)
- CareGoals (advance care planning conversations)
- ClinicalSwipe (case reviews and physician attestations)
- SolvingHealth (the orchestration layer that touches all of the above)
Some surfaces don't process PHI:
- chanio (general context graph)
- Sh-Room (mushroom incubator)
- SweatSciences (consumer fitness)
- Fill Forward (general MCP connector)
Who's the covered entity
Currently, our HIPAA coverage runs through the licensed physicians who provide attestation — primarily Josh Emdur DO (50-state licensed, BCH hospitalist since 2008) for the LMN, prior-auth, and care-attestation pipelines. Harness Health LLC operates as a Business Associate to those physicians' practices, under signed Business Associate Agreements.
How your PHI is used
- For treatment — to draft clinical artifacts (LMNs, prior-auth letters) that the responsible physician then attests.
- For payment — to facilitate claims, HSA/FSA reimbursements, and billing under your physician's NPI.
- For operations — to make the service work better, using only aggregated, de-identified data.
We do not use your PHI for marketing, we do not use it for AI training without your consent, and we do not sell it to anyone.
Your rights under HIPAA
- Inspect and copy your PHI on request.
- Request corrections.
- Request a restriction on certain uses or disclosures.
- Receive an accounting of disclosures.
- Request confidential communications.
- File a complaint with us or with the HHS Office for Civil Rights.
Exercise any of these by emailing privacy@harnesshealth.ai.
The hard-intercept commitment
Every clinical write produced by an agent is hard-intercepted by the responsible physician's signature before it leaves the system. There is no autonomous clinical decision in our architecture. This is not a marketing claim; it's a structural property of the harness and is enforceable in code.
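To make the "hard intercept" concrete, here is an added illustration of what such a gate looks like in code. It is not Harness Health's code and does not describe their actual implementation: the physician identifier `dr-example`, the HMAC demo key, and the `ClinicalArtifact` shape are all constructed for this example. The point it demonstrates is the structural property: the only release path checks for a physician attestation bound to the exact content being released, so an unsigned draft, a draft signed by an unknown key, or a draft edited after signing cannot leave the system.

```python
"""Release gate for agent-drafted clinical artifacts (illustrative only).

Hypothetical example, not Harness Health code. Signing uses HMAC-SHA256 with a
per-physician key so the demo is self-contained; a real deployment would use an
asymmetric signature tied to the physician's identity and a hardware-backed key.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo key, keyed by a hypothetical physician identifier.
PHYSICIAN_KEYS = {
    "dr-example": b"demo-key-do-not-use-in-production",
}


@dataclass
class ClinicalArtifact:
    kind: str                    # e.g. "letter_of_medical_necessity"
    patient_ref: str             # opaque reference; never raw identifiers in logs
    body: str                    # the agent-drafted text
    drafted_by: str              # agent identifier
    attestation: Optional[dict] = None  # set only by physician_sign()

    def canonical_bytes(self) -> bytes:
        """Deterministic encoding of exactly what the physician attests to."""
        payload = {"kind": self.kind, "patient_ref": self.patient_ref,
                   "body": self.body, "drafted_by": self.drafted_by}
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class ReleaseDenied(Exception):
    """Raised by the gate; nothing is emitted when this fires."""


def physician_sign(artifact: ClinicalArtifact, physician_id: str) -> ClinicalArtifact:
    """The physician's attestation step: MAC over the hash of the canonical content."""
    key = PHYSICIAN_KEYS[physician_id]
    digest = hashlib.sha256(artifact.canonical_bytes()).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    artifact.attestation = {"physician_id": physician_id,
                            "content_sha256": digest, "mac": mac}
    return artifact


def release(artifact: ClinicalArtifact) -> bytes:
    """The hard intercept: the only path out of the system.

    Returns the bytes to release, or raises ReleaseDenied. Every check is
    against the content as it is *now*, so edits after signing are caught.
    """
    att = artifact.attestation
    if att is None:
        raise ReleaseDenied("no physician attestation")
    key = PHYSICIAN_KEYS.get(att.get("physician_id"))
    if key is None:
        raise ReleaseDenied("unknown physician")
    digest = hashlib.sha256(artifact.canonical_bytes()).hexdigest()
    if not hmac.compare_digest(digest, att.get("content_sha256", "")):
        raise ReleaseDenied("content changed after attestation")
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att.get("mac", "")):
        raise ReleaseDenied("attestation signature invalid")
    return artifact.canonical_bytes()


def demo() -> dict:
    """Walks the unsigned, signed, and tampered-after-signing cases."""
    draft = ClinicalArtifact("letter_of_medical_necessity", "pt-0001",
                             "Patient requires ... (constructed text)",
                             "drafting-agent-v1")
    outcomes = {}
    try:
        release(draft)
        outcomes["unsigned"] = "released"
    except ReleaseDenied as exc:
        outcomes["unsigned"] = str(exc)

    physician_sign(draft, "dr-example")
    outcomes["signed"] = "released" if release(draft) else "denied"

    draft.body += " (edited after signing)"   # simulate a post-attestation change
    try:
        release(draft)
        outcomes["tampered"] = "released"
    except ReleaseDenied as exc:
        outcomes["tampered"] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the attestation binds to a hash of the canonical content, not to an artifact ID: if anything in the body changes after the physician signs, the release check fails closed. That is what makes the property auditable as code rather than as policy.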
Breach notification
If we discover a PHI breach, you'll hear from us within the HIPAA-required window. We don't try to minimize. We'll tell you what was accessed, when, by whom (if known), what we're doing about it, and what you should do.
HIPAA contact: privacy@harnesshealth.ai · General contact: /legal/contact