1. Introduction
This HIPAA Notice of Privacy Practices describes how Blue Beard Solutions Inc. ("Company") handles Protected Health Information (PHI) within the MayDay-IC incident command system. MayDay-IC processes PHI as part of emergency medical care coordination, and the Company is committed to safeguarding all health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable regulations at 45 CFR Parts 160 and 164.
2. Administrative Safeguards
Workforce Training
All personnel with access to PHI receive HIPAA training upon onboarding and annual refresher training thereafter. Training covers:
- Identification and handling of PHI
- Minimum necessary standard application
- Incident reporting procedures
- Patient rights and privacy obligations
- Breach notification requirements
Sanctions Policy
Personnel who violate HIPAA policies or these privacy practices are subject to disciplinary action, up to and including termination of access and employment, and may be subject to civil and criminal penalties under applicable law.
Risk Assessment
We conduct regular risk assessments to identify potential vulnerabilities to the confidentiality, integrity, and availability of PHI. Risk assessments are performed:
- Annually, as part of our compliance program
- When significant changes are made to the system architecture
- Following any security incident or breach
- When new features involving PHI are introduced
3. Physical Safeguards
Mobile Device Security
MayDay-IC is designed for mobile use in emergency environments. Physical safeguards include:
- Device-level encryption enforcement (required for app access)
- Automatic session timeout after a period of inactivity
- Session lock requiring re-authentication
- No PHI stored in device external storage or accessible to other applications
- Secure data wiping guidance for device decommissioning
Encrypted Storage
All PHI stored locally on devices uses encrypted storage mechanisms provided by the operating system's secure enclave (iOS Keychain, Android Keystore). Server-side PHI is encrypted at rest using AES-256 encryption.
4. Technical Safeguards
Encryption
| Layer | Standard | Details |
|---|---|---|
| Data at Rest | AES-256 | All database fields containing PHI are encrypted |
| Data in Transit | TLS 1.2+ | All network communications use TLS 1.2 or higher |
| API Communications | HTTPS | All API endpoints require HTTPS |
| Local Storage | Platform Secure Enclave | iOS Keychain / Android Keystore |
Access Controls
- Role-Based Access Control (RBAC): Users can only access PHI appropriate to their role (IC, Medical, Triage, etc.)
- Unique User Identification: Each user has a unique identifier for audit tracking
- Multi-Factor Authentication (MFA): Available for administrative and elevated-privilege accounts
- Automatic Logoff: Sessions expire after configurable inactivity periods
- Emergency Access: Break-glass procedures for emergency access with enhanced audit logging
Audit Logging
All access to PHI is logged with the following information:
- User identifier and role
- Date, time, and timezone of access
- Action performed (create, read, update, delete)
- Resource type and identifier
- IP address and user agent
- Incident context
Audit logs are retained for a minimum of 6 years per 45 CFR 164.530(j) and are tamper-evident.
Session Management
- API tokens expire 4 hours after issuance
- Administrative sessions expire after 24 hours
- Session lock activates after a configurable inactivity period
- Concurrent session limits prevent unauthorized access
- All sessions can be remotely terminated by administrators
5. Breach Notification
In the event of a breach of unsecured PHI, we will comply with the HIPAA Breach Notification Rule (45 CFR 164.400-414):
- Individual Notice: Affected individuals will be notified without unreasonable delay and no later than 60 days after discovery of the breach, via written notice sent to the individual's last known address or email.
- HHS Notification: For breaches affecting 500 or more individuals, the U.S. Department of Health and Human Services (HHS) will be notified without unreasonable delay and no later than 60 days after discovery.
- State Attorney General Notification: Applicable state attorneys general will be notified as required by state breach notification laws.
- Media Notification: For breaches affecting 500 or more residents of a single state or jurisdiction, prominent media outlets in that area will be notified.
- Breach Log: All breaches, including those affecting fewer than 500 individuals, are logged and reported to HHS annually.
Breach Assessment
Upon discovery of a potential breach, we conduct a risk assessment considering:
- The nature and extent of PHI involved
- The unauthorized person who used or accessed the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which the risk has been mitigated
6. Data Retention
In accordance with 45 CFR 164.530(j), we retain PHI and related documentation for a minimum of 6 years from the date of creation or the date when the policy was last in effect, whichever is later. Specific retention periods:
| Record Type | Retention Period |
|---|---|
| Patient/Triage Records (PHI) | 6 years |
| Audit Logs | 6 years |
| HIPAA Policies and Procedures | 6 years |
| Business Associate Agreements | 6 years after termination |
| Training Records | 6 years |
| Breach Notification Records | 6 years |
| Risk Assessments | 6 years |
7. Business Associate Agreements (BAAs)
We require Business Associate Agreements with all third-party service providers who may create, receive, maintain, or transmit PHI on our behalf. BAAs include:
- Permitted and required uses and disclosures of PHI
- Obligation not to use or disclose PHI other than as permitted or required
- Implementation of appropriate safeguards
- Reporting of breaches and security incidents
- Return or destruction of PHI upon termination
- Availability of internal practices and records for HHS review
- Extension of requirements to subcontractors
8. Minimum Necessary Standard
We apply the minimum necessary standard to all uses, disclosures, and requests for PHI. This means:
- Access to PHI is limited to the minimum amount necessary for the intended purpose.
- Role-based access controls restrict PHI visibility by user role and incident context.
- API responses are filtered to include only PHI relevant to the requesting user's role.
- PHI in audit logs is scrubbed using automated tools to prevent unnecessary exposure.
- The minimum necessary standard does not apply to disclosures for treatment purposes, disclosures to the individual, or disclosures required by law.
9. Patient Rights
Right to Access
Patients (or their authorized representatives) have the right to access and obtain a copy of their PHI maintained by the Service, subject to certain exceptions. Requests will be fulfilled within 30 days.
Right to Amendment
Patients may request amendment of their PHI if they believe it is inaccurate or incomplete. We will respond within 60 days and provide written notification of the decision.
Right to Accounting of Disclosures
Patients may request an accounting of disclosures of their PHI made in the 6 years prior to the request (excluding disclosures for treatment, payment, and healthcare operations, and certain other exceptions).
Right to Request Restrictions
Patients may request restrictions on certain uses and disclosures of their PHI. We are not required to agree to a restriction but will comply with any restriction we agree to, except in emergency treatment situations.
Right to Confidential Communications
Patients may request that we communicate PHI to them by alternative means or at alternative locations. We will accommodate reasonable requests.
10. Business Associate Obligations
As a business associate to covered entities (hospitals, EMS agencies, healthcare providers), we are obligated to:
- Use and disclose PHI only as permitted by our BAAs and applicable law
- Implement appropriate administrative, physical, and technical safeguards
- Report breaches and security incidents to covered entities
- Ensure subcontractors agree to the same restrictions
- Make PHI available for individual access requests as directed by covered entities
- Make internal practices and records available to HHS for compliance reviews
- Return or destroy PHI upon termination of the BAA
11. Contact Information
HIPAA Privacy Officer
Blue Beard Solutions Inc.
Email: info@maydayic.com
To file a complaint about our privacy practices, you may also contact:
U.S. Department of Health and Human Services
Office for Civil Rights
www.hhs.gov/hipaa/filing-a-complaint
We will not retaliate against you for filing a complaint.