
HIPAA at PinkSteady

Last updated: April 2026

PinkSteady is a wellness application. When a resident chooses to share their session data with a participating care facility, PinkSteady acts as a Business Associate to that facility under the Health Insurance Portability and Accountability Act (HIPAA).

This page summarizes the administrative, technical, and physical safeguards we maintain to protect resident data. Our full Information Security Policy and Breach Notification Plan are available to facility partners on request.

1. Business Associate Agreements

PinkSteady executes a Business Associate Agreement (BAA) with every participating care facility before any resident data is shared. Our BAA covers:

  • Permitted uses and disclosures of Protected Health Information (PHI)
  • Safeguards we maintain to protect PHI
  • Breach notification obligations
  • Subcontractor (subprocessor) requirements
  • Return or destruction of PHI on termination

A copy of our BAA template is available on request from info@pinksteady.com.

2. Encryption

  • In transit: TLS 1.2 or higher on every API endpoint. Plain HTTP requests are rejected. iOS App Transport Security (ATS) prevents the app from making unencrypted connections.
  • At rest (cloud): AES-256 in Azure Cosmos DB, with Microsoft-managed keys.
  • At rest (device): AES-256 via iOS Data Protection (hardware encryption tied to device passcode).
  • Credentials: Apple Keychain Services (hardware-backed on supported devices).

3. Access Controls

Access to resident data is granted on a least-privilege basis and scoped by role:

  • Residents authenticate with Sign in with Apple and can only access their own data.
  • Facility staff authenticate via Microsoft Entra ID and can only access residents who have explicitly linked their account to the facility.
  • PinkSteady personnel with production access must use multi-factor authentication. Access is revoked within 24 hours of role change or departure.
  • Facility links are verified on every API request and expire after one year unless renewed.
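The per-request facility-link check and the append-only audit record described in sections 3 and 4, as an added illustration that is not PinkSteady's own code; the data model, field names and sample identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LINK_LIFETIME = timedelta(days=365)  # links expire after one year unless renewed

@dataclass(frozen=True)
class FacilityLink:
    resident_id: str
    facility_id: str
    linked_at: datetime       # when the resident's consent code was redeemed
    revoked: bool = False     # resident chose "stop sharing"

def check_facility_link(staff_facility_id, resident_id, links, now):
    """Return (allowed, reason); evaluated on every request, so it fails closed
    as soon as a link is revoked or passes its one-year lifetime."""
    for link in links:
        if link.resident_id != resident_id or link.facility_id != staff_facility_id:
            continue
        if link.revoked:
            return False, "link_revoked"
        if now - link.linked_at > LINK_LIFETIME:
            return False, "link_expired"
        return True, "link_active"
    return False, "no_link"

class AuditLog:
    """Append-only: the class exposes no delete or update operation."""
    def __init__(self): self._entries = []
    def record(self, caller_id, action, resident_id, allowed, reason, now):
        entry = {"ts": now.isoformat(), "caller": caller_id, "action": action,
                 "resident": resident_id,
                 "outcome": "allowed" if allowed else "denied:" + reason}
        self._entries.append(entry)
        return entry
    def entries(self):
        return tuple(self._entries)  # read-only view; callers cannot mutate the log

def demo():
    """Constructed sample data: one facility, four residents, a fixed 'now'."""
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    links = [FacilityLink("res-A", "fac-1", now - timedelta(days=30)),
             FacilityLink("res-B", "fac-1", now - timedelta(days=400)),
             FacilityLink("res-C", "fac-1", now - timedelta(days=10), revoked=True)]
    log = AuditLog()
    outcomes = {}
    for rid in ("res-A", "res-B", "res-C", "res-D"):  # res-D never linked
        allowed, reason = check_facility_link("fac-1", rid, links, now)
        log.record("staff-42", "read_sessions", rid, allowed, reason, now)
        outcomes[rid] = reason
    return outcomes, log.entries()
```

Every decision, allowed or denied, produces an audit entry, which is what lets a later review reconstruct who asked for whose data and why the request was refused.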

4. Audit Logging

Every API call that reads or writes resident data is logged with the caller's identity, the action performed, a timestamp, and the request outcome.

  • Application audit logs are retained for six years in compliance with HIPAA.
  • Audit logs are append-only — application code cannot delete or modify entries.
  • Azure diagnostic logs (Function App invocations, Cosmos DB requests, Entra ID sign-ins) are sent to a Log Analytics Workspace with archival retention.
  • Residents can see what their facility can and cannot access in our Privacy Policy.

5. Workforce Security

  • All personnel with access to PHI complete HIPAA security awareness training before accessing production systems and annually thereafter.
  • Training covers PHI handling, password security, phishing awareness, incident reporting, and device security.
  • Developer workstations require full-disk encryption and a screen lock.
  • Production PHI is never copied to developer workstations — development uses synthetic data.

6. Subprocessors

PinkSteady relies on a small number of trusted subprocessors. The following services handle PHI on our behalf and are covered by signed BAAs:

  • Microsoft Azure (Cosmos DB): Database storage for session scores, timestamps, user IDs, display names, audit logs, and consent links.
  • Microsoft Azure (Functions): API compute for all requests containing PHI.
  • Microsoft Azure (Log Analytics): Diagnostic logging (incidental identifiers only).

BAA coverage is provided through the Microsoft Online Services Data Protection Addendum. All Azure resources serving PinkSteady are hosted in the United States (Central US region).

Sign in with Apple, the App Store, Apple Push Notifications, and Microsoft Entra ID (for staff sign-in) are used for authentication and delivery only and do not receive PHI. Facilities with active BAAs are notified before any new PHI-handling subprocessor is added.

7. Breach Notification

PinkSteady follows the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). If a breach involving resident PHI is confirmed:

  • Containment actions are taken within 48 hours of detection.
  • A four-factor risk assessment is completed within 10 days.
  • Affected facilities are notified within 30 days (HIPAA permits up to 60).
  • The U.S. Department of Health and Human Services is notified per HIPAA timelines.
  • A post-incident review is completed within 90 days, with corrective actions documented.

Facilities are then responsible for notifying affected residents per their own HIPAA obligations. Our full Breach Notification Plan is available to facility partners on request.

8. Resident Rights

Residents retain control over their data at all times. From within the PinkSteady app they can:

  • Generate a temporary consent code to link a facility (Settings → Advanced Settings → Research Participation)
  • Stop sharing with their facility at any time
  • Delete their account and have all server-side data permanently removed

See the Privacy Policy for the complete description of what facilities can and cannot see.

9. What This Page Is Not

PinkSteady is a Business Associate, not a Covered Entity. This page is a summary of our HIPAA-related safeguards for facility decision-makers — it is not a Notice of Privacy Practices, which is published separately by each Covered Entity (typically the care facility itself).

PinkSteady remains a wellness product and does not diagnose, treat, cure, or prevent any disease.

10. Reporting a Security Concern

To report a security incident or potential breach involving PinkSteady:

© 2026 PinkSteady. All rights reserved.