Legal · Compliance

HIPAA Compliance Statement

Este documento legal se mantiene en inglés como versión oficial.

Effective date: May 17, 2026  ·  Last updated: May 17, 2026

Bariatric AI ("Bariatric AI") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable implementing regulations (collectively, "HIPAA").

Business Associate role. When a HIPAA-regulated covered entity (such as a clinic, hospital, or qualified provider) uses the Services to process PHI, Bariatric AI acts as a Business Associate and operates under an executed Business Associate Agreement ("BAA").

1. Scope

This statement applies to PHI processed by Bariatric AI on behalf of U.S. covered entities. It does not, by itself, create a BAA. A signed BAA is required before any PHI is processed by the Services.

2. Administrative Safeguards

3. Physical Safeguards

4. Technical Safeguards

Encryption in transit

TLS 1.2+ for all client-server communication.

Encryption at rest

AES-256 for stored PHI, including database and backups.

Access control

Role-based access, principle of least privilege, MFA for administrative access.

Audit logging

Tamper-evident logs of access to PHI, retained per policy.

Integrity controls

Mechanisms to detect unauthorized alteration of PHI.

Automatic logoff

Session timeouts for inactivity on clinical interfaces.

5. AI Models & PHI

Our AI agents process PHI only as necessary to deliver the Services to the covered entity and its authorized users. We:

6. Breach Notification

If Bariatric AI discovers a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and no later than [60] days after discovery, in accordance with 45 C.F.R. § 164.410 and the terms of the applicable BAA.

7. Patient Rights

HIPAA grants patients rights over their PHI, including the right to access, request amendment, obtain an accounting of disclosures, and request restrictions. To exercise these rights, patients should contact their treating clinic, which acts as the covered entity. Bariatric AI supports clinics in responding to such requests.

8. Subcontractors

Bariatric AI executes BAAs with subcontractors that may create, receive, maintain, or transmit PHI on our behalf. A current list of subprocessors that may handle PHI is available upon request at legal@bariatricai.io.

9. Workforce Training

All workforce members complete HIPAA Privacy and Security training upon hire and at least annually thereafter. Additional role-specific training is provided to engineers, support, and clinical-operations staff with access to PHI.

10. Incident Response

We maintain a documented incident-response plan covering detection, containment, eradication, recovery, post-incident review, and notification obligations. Tabletop exercises are performed at least annually.

11. Limitations

This statement describes our HIPAA-related practices in general terms and is not a contractual commitment. Specific obligations are governed by the executed BAA between Bariatric AI and the covered entity.

12. Requesting a BAA

To request a Business Associate Agreement or learn more about our compliance program, contact:

Bariatric AI
Attn: HIPAA Compliance
Buenos Aires, Argentina
Email: legal@bariatricai.io


This document is a wireframe placeholder. Final wording, certifications, and attestations must be reviewed and approved by qualified legal counsel and your security / compliance team before publication.