Last updated: April 1, 2026
Datable, Inc. takes the privacy and security of health data with the utmost seriousness. As a platform that collects, processes, and analyzes sensitive biometric and relational health data from Oura Ring and Apple Health, we have architected our systems and policies to align with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.
This page describes our HIPAA posture, the technical and administrative safeguards we have implemented, our approach to Protected Health Information (PHI), and our commitments to enterprise partners and healthcare organizations that integrate Datable into their care models.
Privacy is not merely a compliance exercise at Datable. It is a core product value. Our users trust us with some of the most intimate data about their lives and bodies. That trust is the foundation of everything we build.
HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates (vendors who handle PHI on their behalf). The applicability of HIPAA to Datable depends on the context in which Datable is used.
Consumer use (direct-to-consumer app): When individual consumers use the Datable app independently to track their own relational health and biometric data, HIPAA does not apply to that data. The data is governed by our Privacy Policy and the user's consent. This is consistent with how other consumer wellness apps, including Oura, Apple Health, and Fitbit, operate.
Clinical and enterprise use: When Datable is deployed as part of a clinical workflow by a covered entity such as a therapy practice, health system, or Employee Assistance Program (EAP), Datable acts as a Business Associate. In this context, we execute a Business Associate Agreement (BAA) with the covered entity and apply full HIPAA-compliant data handling to all PHI processed through the integration.
If you are a healthcare organization evaluating Datable for clinical use, please contact us at [email protected] to discuss your specific requirements and to request a BAA.
Datable has implemented the following safeguards in alignment with the HIPAA Security Rule:
When Datable processes PHI under a BAA with a covered entity, we apply the following data handling practices.
Minimum necessary standard: We collect and process only the minimum amount of PHI necessary to fulfill the specific purpose for which it was shared. We do not use PHI for product development, advertising, or any purpose not specified in the BAA.
Data retention: PHI is retained for the period specified in the BAA, and in no case longer than required by applicable law. Biometric data from Oura Ring integrations is cached for a maximum of 60 days in accordance with the Oura API Agreement, unless a longer retention period is required by the BAA.
Data subject rights: Individuals whose PHI is processed by Datable under a BAA retain all rights afforded to them under HIPAA, including the right to access, amend, and request an accounting of disclosures of their PHI. Requests should be directed to the covered entity, which will coordinate with Datable as required.
Subcontractors: Datable requires all subcontractors who handle PHI on our behalf to execute BAAs and to maintain HIPAA-compliant data handling practices equivalent to our own.
For healthcare organizations and enterprise partners that integrate Datable into clinical workflows, we make the following specific commitments:
Datable will execute a BAA with any covered entity or business associate that requires one. Contact us at [email protected] to request a BAA before integrating Datable into a clinical workflow.
Enterprise deployments include logical data isolation to ensure that one organization's data is never accessible to another organization's users or administrators.
Enterprise partners can request access logs and audit trails for their organization's data at any time. Logs are retained for a minimum of six years in accordance with HIPAA requirements.
In the event of a security incident affecting PHI, Datable will notify affected enterprise partners within 24 hours of discovery, and affected individuals within the timeframes required by HIPAA.
Enterprise partners can request a complete export of their organization's data at any time. Upon contract termination, all PHI will be securely deleted within 30 days.
Enterprise partners receive an annual security review summary, including the results of our most recent risk assessment, penetration test, and any material changes to our security posture.
Datable integrates with Oura Ring and Apple HealthKit to provide biometric context for relational health insights. The following specific commitments apply to data received from these integrations.
Oura Ring data: Biometric data received through the Oura API is used solely to provide the features described in the Datable app. It is not sold, transferred, or shared with third parties for advertising or marketing purposes. It is not used to build advertising profiles. It is cached for a maximum of 60 days. Users can revoke Oura access at any time, at which point all cached Oura data is deleted within 24 hours.
Apple HealthKit data: Data received from Apple HealthKit is used solely to provide health and wellness features within the Datable app. In compliance with Apple's HealthKit guidelines, HealthKit data is not used for advertising or marketing, is not shared with third parties without explicit user consent, and is not used for any purpose unrelated to health and fitness.
Datable maintains a written incident response plan that is tested annually. In the event of a security incident that may involve unauthorized access to PHI, we will notify affected enterprise partners within 24 hours of discovery. We will conduct a full forensic investigation to determine the scope and nature of the incident, notify affected individuals within the timeframes required by HIPAA, report to the Department of Health and Human Services as required by the HIPAA Breach Notification Rule, and implement remediation measures to prevent recurrence.
For questions about our HIPAA compliance posture, to request a Business Associate Agreement, or to report a potential security incident, please contact our Privacy and Security Team.
Datable, Inc. Privacy and Security Team
Email: [email protected]
Website: datable.me
For security incidents requiring immediate attention, please include "SECURITY INCIDENT" in the subject line. We will acknowledge receipt within 4 hours and provide a full response within 24 hours.