1. Introduction
Omniasis ("we," "our," or "us") is committed to protecting the privacy and security of your personal information, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Omniasis Cardiac Rehabilitation Platform.
2. Information We Collect
We collect the following categories of information:
- Personal Information: Name, email address, date of birth, contact information provided during account registration.
- Health Information (PHI): Heart rate, blood pressure, SpO2 (oxygen saturation), ECG data, heart rate variability (HRV), weight, blood glucose levels, exercise session data, symptoms, medications, and Rate of Perceived Exertion (RPE) scores.
- Device Information: Information from connected wearable devices including Apple Watch, Bluetooth blood pressure monitors, pulse oximeters, and smart scales.
- Usage Data: Exercise session duration, form assessment scores, repetition counts, and application usage patterns.
- Technical Data: Device type, operating system, IP address, and browser information for the admin portal.
3. How We Use Your Information
- To provide cardiac rehabilitation monitoring services
- To transmit health data to your authorized healthcare providers
- To generate clinical alerts when vital signs exceed safe thresholds
- To create progress reports for your care team
- To assess exercise form and provide safety feedback
- To improve the quality and safety of our services
- To comply with legal and regulatory requirements
4. HIPAA Compliance
Omniasis complies with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. Our safeguards include:
- Encryption at Rest: All health data is encrypted at rest with keys managed by AWS Key Management Service (KMS), with automatic key rotation enabled.
- Encryption in Transit: All data transmitted between your device and our servers is protected with TLS 1.2 or higher.
- Access Controls: Multi-factor authentication (MFA) is required for all clinical and administrative users. Role-based access controls limit data access to authorized personnel.
- Audit Logging: All access to patient data is logged via AWS CloudTrail for audit and compliance purposes. Audit logs are retained for 7 years.
- Business Associate Agreements: We maintain Business Associate Agreements (BAAs) with all third-party service providers who may access PHI, including Amazon Web Services.
- Data Isolation: Patient data is logically separated by hospital and provider to prevent unauthorized cross-access.
5. Data Sharing and Disclosure
We may share your information in the following circumstances:
- Healthcare Providers: Your health data is shared with the healthcare providers and hospitals authorized to manage your cardiac rehabilitation.
- Emergency Situations: If our system detects a critical health event, we may notify emergency contacts and healthcare providers.
- Legal Requirements: We may disclose information when required by law, court order, or regulatory authority.
- Business Associates: Service providers who assist us in operating our platform, subject to BAAs and HIPAA requirements.
We do not sell, rent, or trade your personal information or health data to third parties for marketing or advertising purposes.
6. Data Retention
We retain health data for the duration required by applicable law and clinical standards, typically a minimum of 6 years from the date of last treatment. Audit logs are retained for 7 years. You may request deletion of your data subject to legal retention requirements by contacting us at the address below.
7. Your Rights
Under HIPAA and applicable state laws, you have the right to:
- Access your health information
- Request corrections to your health records
- Request restrictions on certain uses and disclosures
- Receive an accounting of disclosures of your health information
- Receive a copy of this Privacy Policy
- File a complaint if you believe your privacy rights have been violated
8. Security Incident Response
In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where required, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our platform and updating the "Last updated" date above. Continued use of our services after changes constitutes acceptance of the revised policy.
10. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us:
Omniasis, Inc.
Privacy Officer
Email: privacy@omniasis.com