HIPAA Compliance

Last updated: April 14, 2026

The Health Insurance Portability and Accountability Act (HIPAA) establishes standards for protecting sensitive patient health information in the United States. This page describes TinyBridge's relationship to HIPAA and the measures we take to protect health-adjacent information.

1. HIPAA Applicability

Important: TinyBridge Choice Boards is a communication aid tool, not a medical device, electronic health record (EHR), or healthcare service. The Service itself is not classified as a HIPAA "covered entity" or "business associate" under standard use.

However, we recognize that TinyBridge may be used in healthcare-adjacent contexts:

Speech-language pathologists (SLPs) may use TinyBridge as part of AAC (Augmentative and Alternative Communication) therapy
Healthcare facilities (hospitals, clinics, care homes) may use it to communicate with patients
Schools and educational institutions may use it in special education settings
Caregivers may use it for individuals with medical conditions affecting communication

When TinyBridge is used by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) and the data processed could constitute Protected Health Information (PHI), additional considerations apply.

2. What Constitutes PHI in TinyBridge?

In most typical use cases, TinyBridge data does not constitute PHI because:

Choice boards contain generic items (food, activities, objects) — not medical information
The app does not collect or store diagnoses, treatment plans, or medical records
Photo analysis identifies objects in images — not medical conditions

However, PHI could be created if a covered entity uses TinyBridge in a way that links identifiable health information to a specific individual — for example, creating boards specifically for therapy sessions tied to a patient record.

3. Our Security Measures

Regardless of HIPAA applicability, we implement security measures that align with HIPAA's technical safeguard requirements:

3.1 Administrative Safeguards

Security policies and procedures for data handling
Access controls limited to authorized personnel
Regular review of security practices
Incident response procedures for data breaches

3.2 Technical Safeguards

HIPAA Requirement	TinyBridge Implementation
Access Control	Google OAuth authentication; per-user data isolation; all API endpoints enforce user-scoped access
Audit Controls	Comprehensive interaction history with timestamps, user IDs, and session IDs
Integrity Controls	Data validation on all API endpoints; checksums for data synchronization
Transmission Security	TLS/HTTPS encryption for all data in transit; secure cookie handling
Encryption at Rest	Azure Cosmos DB and Blob Storage encryption at rest using Microsoft-managed keys
Unique User Identification	Each user has a unique Google-linked user ID; no shared accounts
Automatic Logoff	Session-based authentication with configurable session management

3.3 Physical Safeguards

All data is hosted on Microsoft Azure infrastructure, which maintains SOC 2 Type II, HIPAA, and HITRUST certifications
Physical security of data centers is managed by Microsoft in accordance with Azure compliance standards

4. Business Associate Agreements (BAA)

If your organization is a HIPAA-covered entity and you determine that your use of TinyBridge involves PHI, you may need a Business Associate Agreement (BAA) with us.

To request a BAA: Contact us at info@tinybridge.ai with details about your organization and intended use of TinyBridge. We will work with you to assess whether a BAA is appropriate and, if so, execute one before you begin processing PHI through the Service.

Sub-Processor BAAs

Our key infrastructure providers offer HIPAA-compliant configurations:

Microsoft Azure: Offers BAAs and is HIPAA/HITRUST compliant. Azure Cosmos DB and Blob Storage are covered services under Microsoft's BAA.
OpenAI: As of this writing, OpenAI's API has a zero-data-retention policy for API usage. Contact us for the latest status of HIPAA coverage for AI processing.
Google (Gemini API): Google Cloud offers BAAs for eligible services. Contact us for details on coverage for image generation processing.

5. Recommendations for Healthcare Users

If you are using TinyBridge in a healthcare setting, we recommend the following:

For Healthcare Providers and SLPs:

Minimize PHI: Use generic board names and avoid including patient-identifying information in board titles or descriptions
Use dedicated accounts: Create separate TinyBridge accounts for different patients/clients rather than mixing data
Avoid photographing PHI: Do not capture photos that contain medical records, patient charts, or other documents with PHI
Obtain consent: Get appropriate consent or authorization before creating boards that may be linked to a patient's treatment
Request a BAA: Contact us before using TinyBridge in a way that involves PHI

For Organizations:

Conduct your own risk assessment of TinyBridge usage within your organization
Train staff on appropriate use of the app in clinical settings
Include TinyBridge in your organization's HIPAA compliance documentation
Maintain records of how the app is used with patients

6. Data Breach Response

In the event of a data breach involving data that may constitute PHI:

We will notify affected covered entities within 60 days of discovering the breach, as required by the HIPAA Breach Notification Rule
We will provide details about the nature of the breach, the data involved, and remediation steps
We will cooperate with covered entities in meeting their breach notification obligations to individuals and the Department of Health and Human Services (HHS)

7. Minimum Necessary Standard

We adhere to the HIPAA "minimum necessary" principle:

We collect only the data necessary to provide the Service
Access to user data is restricted to authorized systems and personnel
Photos are processed by AI services in real-time — they are not retained by AI providers for training
We do not use health-related data for marketing or secondary purposes

8. Patient Rights

If TinyBridge data constitutes PHI under HIPAA, patients (or their authorized representatives) have the right to:

Access their data
Request amendments to their data
Receive an accounting of disclosures
Request restrictions on certain uses and disclosures
Request confidential communications

To exercise these rights, the covered entity should contact us at info@tinybridge.ai, and we will assist in fulfilling the request.

9. Disclaimer

This page is provided for informational purposes and does not constitute legal advice. Organizations subject to HIPAA should consult with their own legal and compliance professionals to assess how HIPAA applies to their use of TinyBridge Choice Boards.

10. Contact Us

For HIPAA-related questions, BAA requests, or to report a potential security concern:

Email: info@tinybridge.ai
Subject line: "HIPAA Inquiry" for prioritized handling