Last updated: March 2, 2026
At BioTRK, the security and privacy of your health information is not merely a compliance obligation - it is the foundational principle upon which our entire platform is built. We have voluntarily adopted the Health Insurance Portability and Accountability Act (HIPAA) as our compliance standard, implementing its full spectrum of Administrative, Physical, and Technical Safeguards to protect every piece of Protected Health Information (PHI) that passes through our ecosystem.
Our HIPAA compliance program encompasses the Privacy Rule (45 CFR §164.500-534), the Security Rule (45 CFR §164.302-318), and the Breach Notification Rule (45 CFR §164.400-414), supplemented by NIST SP 800-66 implementation guidance. Additionally, we maintain full compliance with the Singapore Personal Data Protection Act (PDPA) and its mandatory breach notification requirements.
Protected Health Information (PHI) includes any individually identifiable health information that is created, received, maintained, or transmitted electronically. At BioTRK, this includes:
The following safeguards are active across our entire platform, protecting your data at every stage of its lifecycle - from the moment it enters our system to its eventual secure disposal.
All Protected Health Information is encrypted using AES-256-GCM with scrypt-derived keys and unique random salts per encryption operation. OAuth tokens, sensitive credentials, and health data are cryptographically secured before storage - ensuring that even in the event of unauthorized database access, PHI remains indecipherable.
Every connection between your browser and our servers, between our application and our database, and between our platform and third-party services is protected by TLS 1.2+ encryption. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age, including subdomains, and preload enrollment - ensuring encrypted channels cannot be downgraded.
Every read, creation, modification, deletion, export, and external transmission of PHI is recorded in a tamper-evident audit log. Each entry captures the authenticated user, action type, resource accessed, timestamp, client IP address, and user agent. Audit logs are retained for a minimum of six years in compliance with HIPAA retention requirements.
All user authentication is managed through an enterprise-grade identity provider with support for multi-factor authentication. Every database query involving health data is cryptographically scoped to the authenticated user's unique identifier - making cross-user data access architecturally impossible. Role-based access controls enforce the minimum necessary standard for all internal operations.
In compliance with HIPAA Technical Safeguard §164.312(a)(2)(iii), user sessions are automatically terminated after a prolonged period of inactivity. All data is encrypted at rest and in transit, and every request is scoped to the authenticated user - ensuring that active sessions cannot be exploited by unauthorized parties.
All API endpoints are protected by per-IP rate limiting with tiered thresholds for standard, authentication, and AI processing routes. Brute-force attacks, credential stuffing, and API abuse are automatically blocked. A comprehensive Content Security Policy (CSP) prevents cross-site scripting, clickjacking, and data injection attacks.
Every data input is validated against strict schemas before processing. All health data mutations use parameterized database queries - eliminating SQL injection risks. Error responses are sanitized to never expose PHI, internal system details, or stack traces to external parties. Data integrity is maintained through referential constraints and transactional guarantees.
BioTRK maintains documented breach notification procedures in compliance with the HIPAA Breach Notification Rule (45 CFR §164.400-414). In the unlikely event of a security incident, affected individuals and the U.S. Department of Health and Human Services will be notified within 60 calendar days. For Singapore-based users, the Personal Data Protection Commission (PDPC) will be notified within 3 calendar days per PDPA §26D.
We maintain signed Business Associate Agreements (BAAs) with all third-party service providers that process, store, or transmit PHI on our behalf - including our database hosting provider, authentication service, cloud infrastructure, AI processing partners, and wearable device integrations.
We enforce the minimum necessary standard across all data operations. API responses return only the specific PHI fields required for each feature. AI processing receives only the data elements essential for generating health assessments - never the entirety of a user's record.
All team members with access to systems that process PHI undergo HIPAA security awareness training. Access to production systems is restricted on a role-based, need-to-know basis with unique individual credentials and multi-factor authentication.
We conduct periodic risk assessments to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of PHI. Findings are documented, prioritized, and remediated according to established timelines.
BioTRK maintains a documented incident response plan for security events affecting PHI, including forensic investigation procedures, containment protocols, breach risk assessment methodology, and notification workflows for affected individuals and regulatory authorities.
We believe you have absolute sovereignty over your health data. Under our compliance framework, you have the right to:
If you have questions about our HIPAA compliance program, wish to exercise your data rights, or need to report a security concern, please contact our Data Protection Officer at hello@biotrk.io. All inquiries are reviewed and responded to within the timelines established by applicable law.