HIPAA Compliance
Last updated: July 4, 2026
Our Commitment
AI Lab Result is built with health data privacy at its core. For our Professional tier users who manage patient health information, we operate in accordance with the Health Insurance Portability and Accountability Act (HIPAA) requirements, including offering Business Associate Agreements (BAAs) upon request.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for the protection of sensitive patient health information, known as Protected Health Information (PHI). HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates who handle PHI.
When healthcare professionals use AI Lab Result to manage patient records, AI Lab Result acts as a Business Associate and must implement appropriate safeguards to protect PHI.
Who This Applies To
Personal Users
If you use AI Lab Result solely to track your own blood tests, HIPAA does not apply — your data is self-managed and not PHI under the statute. We still protect it with the same technical standards.
Professional Users
If you are a healthcare provider using AI Lab Result to manage patient records, our Professional plan includes HIPAA-compliant infrastructure and we will execute a Business Associate Agreement (BAA) with you.
Technical Safeguards
Encryption at Rest & in Transit
All health data is encrypted using AES-256 at rest. All data in transit uses TLS 1.3. PDF uploads are stored in private, access-controlled storage buckets.
Row-Level Security (RLS)
PostgreSQL Row-Level Security ensures every database query is scoped to the authenticated user. Professionals can only access their own patients' records — never others'.
Audit Logging
All INSERT, UPDATE, and DELETE operations on patient records, scanned documents, and health insights are logged with timestamp, user ID, and changed data for compliance auditing.
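The two controls above, Row-Level Security and write auditing, are easiest to understand as database objects. The following is an added example, not AI Lab Result's own schema: the table and column names are assumed, and `auth.uid()` is the Supabase helper that returns the calling user's id from the request JWT. It shows a policy that scopes a `patients` table to the professional who owns each row, and a trigger that records every INSERT, UPDATE and DELETE with timestamp, user id and the before/after row.

```sql
-- Added example (not AI Lab Result's own schema). Names below are assumed;
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT.

create table public.patients (
  id          uuid primary key default gen_random_uuid(),
  provider_id uuid not null references auth.users (id) on delete cascade, -- owning professional
  full_name   text not null,
  created_at  timestamptz not null default now()
);

-- 1. Row-Level Security: every statement is scoped to the authenticated provider.
alter table public.patients enable row level security;
alter table public.patients force row level security;  -- applies to the table owner too

create policy patients_owner_only on public.patients
  for all
  to authenticated
  using (provider_id = auth.uid())        -- rows visible to SELECT / UPDATE / DELETE
  with check (provider_id = auth.uid());  -- rows a user may INSERT or UPDATE into

-- Roles with BYPASSRLS (including Supabase's service_role key) skip these policies
-- entirely, so that key must stay server-side and never reach a client.

-- 2. Audit log: append-only record of who changed what, and when.
create table public.audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  user_id    uuid,              -- auth.uid() at the time of the change (null for service jobs)
  table_name text not null,
  operation  text not null,     -- 'INSERT' / 'UPDATE' / 'DELETE'
  row_id     uuid,
  old_row    jsonb,             -- row before the change (UPDATE / DELETE)
  new_row    jsonb              -- row after the change  (INSERT / UPDATE)
);

-- Users never read or edit the trail directly: RLS enabled with no policies
-- means no row is visible or writable to the authenticated role.
alter table public.audit_log enable row level security;
alter table public.audit_log force row level security;

-- SECURITY DEFINER lets the trigger insert into audit_log even though the
-- calling user has no privileges on it; search_path is pinned so the function
-- cannot be redirected to a look-alike table.
create or replace function public.audit_row_change()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
begin
  insert into public.audit_log (user_id, table_name, operation, row_id, old_row, new_row)
  values (
    auth.uid(),
    TG_TABLE_NAME,
    TG_OP,
    case when TG_OP = 'DELETE' then OLD.id else NEW.id end,
    case when TG_OP in ('UPDATE', 'DELETE') then to_jsonb(OLD) end,
    case when TG_OP in ('INSERT', 'UPDATE') then to_jsonb(NEW) end
  );
  return coalesce(NEW, OLD);
end;
$$;

create trigger patients_audit
  after insert or update or delete on public.patients
  for each row execute function public.audit_row_change();
```

Two caveats a reviewer would raise against this pattern. First, `audit_log` stores full before/after rows, so it holds PHI itself and needs the same encryption, access restriction and retention handling as the records it covers. Second, row triggers fire only on writes; a SELECT of a patient record leaves no trace here, so if read access to PHI must be auditable, that logging has to happen at the API or application layer.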
Access Controls
Role-based access control (RBAC) is enforced at the database layer. Session tokens are short-lived and automatically rotated. MFA is available via Supabase Auth.
Right to Erasure
Account deletion removes all associated records, storage files, and derived data within 30 days. Cascading deletes are enforced at the database level.
Infrastructure
Hosted on Supabase (backed by AWS), which holds a SOC 2 Type II attestation. Data centers are located in the United States.
Administrative Safeguards
- ✓ Security Officer — A designated security officer is responsible for developing and implementing security policies and procedures.
- ✓ Workforce Training — All personnel with access to PHI receive HIPAA compliance training.
- ✓ Incident Response — A documented breach notification procedure is in place. Affected covered entities are notified without unreasonable delay and in no case later than 60 days after discovery, as the Breach Notification Rule requires.
- ✓ Risk Analysis — Regular risk assessments are conducted to identify and mitigate potential vulnerabilities to PHI.
- ✓ Minimum Necessary Standard — Access to PHI is limited to the minimum necessary to perform job functions.
Business Associate Agreement (BAA)
Healthcare providers and other HIPAA covered entities who use AI Lab Result's Professional plan to manage patient data may request a Business Associate Agreement (BAA). The BAA outlines our obligations as a business associate and the permissible uses and disclosures of PHI.
Request a BAA
To request a Business Associate Agreement, please contact our compliance team with your organization name, NPI number (if applicable), and contact information.
Subprocessors
The following third-party services may process health data on our behalf. Each has been evaluated for HIPAA compliance and appropriate agreements are in place:
| Provider | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, storage, authentication | United States |
| Google Gemini | AI analysis of extracted blood test marker values* (no PHI stored) | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing (no health data) | United States |
| Vercel | Application hosting and edge compute | United States |
* AI analysis is performed on extracted marker values only — original PDF images are not retained by the AI provider.
Limitations & Disclaimers
AI Lab Result is an analytical and organizational tool — it is not a covered entity, clearinghouse, or healthcare provider. Personal-tier users managing only their own health data are not subject to HIPAA. The AI-generated insights are for informational purposes only and do not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider for medical decisions.
Questions?
For HIPAA-related inquiries, BAA requests, or to report a potential privacy incident, contact our compliance team:
Email: compliance@ailabresult.com
General support: Contact page