HIPAA Compliance Overview
This document summarises how Osteofy supports U.S. healthcare customers in meeting their obligations under the Health Insurance Portability and Accountability Act (HIPAA).
For covered entities and their business associates, Osteofy typically acts as a Business Associate (BA) under HIPAA, processing protected health information (PHI) on your behalf to provide bone mineral density analysis and related services. The precise scope of services and PHI processing is defined in each Business Associate Agreement (BAA).
Protected Health Information We Process
Depending on your configuration and clinical workflow, PHI processed through Osteofy may include:
- Medical images and associated study metadata (e.g. DICOM headers, accession numbers).
- Limited demographic details required for analysis (e.g. age, sex, study date).
- Identifiers needed for matching analyses with your own records, as defined in the BAA.
Safeguards
Osteofy implements administrative, physical, and technical safeguards aligned with HIPAA requirements, including:
- Encryption of PHI in transit (TLS) and at rest using industry-standard algorithms.
- Role-based access control, least-privilege principles, and multi-factor authentication where applicable.
- Audit logging of access to PHI and key system actions for security and compliance review.
- Vendor risk management and contractual controls for subprocessors that may have access to PHI.
BAAs & Customer Responsibilities
We enter into Business Associate Agreements with eligible U.S. customers to document roles, responsibilities, and permitted uses and disclosures of PHI. While we implement robust safeguards, covered entities and business associates remain responsible for configuring Osteofy appropriately, managing user access, and ensuring that their own policies, notices, and procedures comply with HIPAA and other applicable laws.
Incident Response
We maintain processes for detecting, investigating, and responding to security incidents involving PHI. In the event of a breach of unsecured PHI, we will provide notifications in line with HIPAA Breach Notification Rule requirements and the terms of the applicable BAA, including cooperation with your organisation's own incident response obligations.
This overview is for informational purposes only and does not replace or modify the terms of any Business Associate Agreement or services contract. For detailed documentation or a copy of your executed BAA, please contact your Osteofy account representative.
