Protecting your health information isn't just a legal obligation — it's fundamental to the trust our patients and providers place in us.
Dermlink is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and complies with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. This page describes how we protect Protected Health Information (PHI) and your rights under HIPAA.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. This includes medical images, consultation messages, clinical notes, and personal information.
Role-based access control (RBAC) limits each user to the PHI needed for their role, consistent with the HIPAA minimum-necessary standard. Multi-factor authentication is required for all provider and administrative accounts.
Every access to PHI is logged with timestamps, user identity, and action taken. Logs are retained for 7 years and are regularly reviewed for anomalous activity.
Our infrastructure is hosted on SOC 2 Type II certified cloud providers with network segmentation, intrusion detection systems, and automated vulnerability scanning.
Dermlink maintains a designated Privacy Officer responsible for the development and implementation of our HIPAA compliance program, staff training, and incident response.
All employees and contractors who may access PHI complete HIPAA training upon hire and annually thereafter. Training covers the Privacy Rule, Security Rule, and Breach Notification Rule.
We maintain current BAAs with all third-party service providers who create, receive, maintain, or transmit PHI on our behalf. This includes cloud infrastructure, payment processing, and pharmacy partners.
We conduct comprehensive security risk assessments annually and after any significant change to our systems. Identified risks are documented, prioritized, and remediated on a defined timeline.
Our cloud infrastructure providers maintain SOC 2 Type II certified data centers with physical access controls, surveillance, and environmental protections. We do not maintain on-premises servers.
All employee devices that access PHI are encrypted, require strong authentication, and are managed through a mobile device management (MDM) solution with remote wipe capability.
You may request a copy of your PHI maintained by Dermlink. We will provide it within 30 days of your request (HIPAA permits one 30-day extension, and we will notify you in writing if we need it), in the form and format you request where we can readily produce it, electronic or paper.
If you believe your PHI is inaccurate or incomplete, you may request an amendment. We will respond within 60 days (HIPAA permits one 30-day extension, with written notice to you) and provide a written reason if the request is denied.
You may request a list of certain disclosures of your PHI made by Dermlink in the past 6 years, excluding disclosures for treatment, payment, and healthcare operations.
You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to every restriction, but we will honor reasonable requests, and we must agree not to disclose PHI to your health plan for a service you have paid for in full out of pocket, if you ask us to.
You may request that we communicate with you about health matters through a specific method or at a specific location (e.g., only by email, only at a certain phone number).
You have the right to receive this notice of our privacy practices and HIPAA compliance measures. A current version is always available on our website.
Dermlink maintains Business Associate Agreements (BAAs) with all third-party service providers who handle PHI on our behalf. Our BAA program includes regular vendor assessments, security questionnaires, and compliance verification.
If you are a healthcare organization or provider interested in integrating with Dermlink, we are prepared to execute a BAA to ensure the compliant exchange of PHI. Contact our compliance team at compliance@dermlink.ai to request a BAA.
In the unlikely event of a breach of unsecured PHI, Dermlink will comply with the HIPAA Breach Notification Rule. Affected individuals will be notified without unreasonable delay and in no case later than 60 calendar days after discovery. Breaches affecting 500 or more individuals will be reported to the Department of Health and Human Services within the same period, and where more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area will also be notified. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
Our incident response team is on call 24/7 to investigate and contain potential security incidents. We conduct tabletop exercises quarterly to ensure preparedness.