
HIPAA Notice.

How Leo handles Protected Health Information (PHI) — and where we are on formal HIPAA compliance. Built to HIPAA Security Rule technical safeguards (§164.312). BAA with Google Cloud in progress.

Last updated · 2026-05-16 · Effective · when BAA executes · algorithm-level detail
HIPAA · BAA in progress
§ 01

Why this page exists.

Leo handles Protected Health Information (PHI) as defined by HIPAA. This page documents the technical and administrative safeguards we have in place today, the patient rights we honor, and the status of our Business Associate Agreement (BAA) with Google Cloud — which is in progress and is the gating item before we can claim formal HIPAA compliance.

We have written this page in plain English wherever possible, with the right legal terms where required. Citations to the regulation itself (§164.308, §164.310, §164.312, §164.404) are inline. If something here is unclear, the contact in §10 is for you.

§ 02

Our current standing.

Leo is HIPAA-ready, not HIPAA-compliant. The HIPAA Security Rule's technical safeguards (§164.312) are implemented in the iOS app and the Cloud Functions that serve it. The BAA with Google Cloud is in progress. We do not claim HIPAA compliance until two things are true: (1) the BAA has been executed, and (2) a third-party assessment has been completed.

Until then, “ready” is the word we use. Other phrasings — “HIPAA-compliant,” “HIPAA-certified,” “fully HIPAA” — are not accurate today and you should not encounter them anywhere on this site.

§ 03

Technical safeguards (§164.312).

Each subsection below maps to a specific requirement of the HIPAA Security Rule's technical safeguards. We name the algorithm or mechanism that implements it.

Access Control · §164.312(a)
Biometric (Face ID or Touch ID) or a secure PIN at app open. Five-minute session timeout: the UI locks once the app has been in the background for five minutes. Failed-attempt lockout after five tries, with a five-minute cooldown.
Audit Controls · §164.312(b)
Every PHI access is recorded in an append-only audit log. Firestore security rules block updates and deletes, so audit records cannot be modified or removed by clients after they are written. (Security rules govern client SDK access; code running with Admin SDK credentials is not subject to them, so “immutable by rule” is a statement about the client path.) A SHA-256 cryptographic hash-chain across audit records is on the roadmap (§11); until it ships, “append-only, immutable by rule” is the accurate description of what is true today.
Integrity · §164.312(c)
PHI is encrypted at rest with AES-256-GCM. GCM is an authenticated encryption mode — any tampering with ciphertext fails the tag verification at decryption time, so altered ciphertext cannot be silently accepted.
Person or Entity Authentication · §164.312(d)
Firebase Authentication, backed by Apple platform identity. Account creation requires email verification; the under-13 flow requires a parent code that was generated by an authenticated parent account.
Transmission Security · §164.312(e)
TLS 1.2 or higher on every network request (iOS defaults plus app-level enforcement). Certificate pinning with SHA-256 public-key hashes for Firebase, Google APIs, and Stripe — non-pinned domains are rejected at the URLSession layer.
Encryption · §164.312(a)(2)(iv) & (e)(2)(ii)
Per-user AES-256-GCM at rest. P-256 ECDH + HKDF-SHA-256 for cross-user sharing — when you share data with a linked parent, caregiver, partner, provider, or school nurse, your Data Encryption Key (DEK) is delivered to their device encrypted with their public key. The server never sees the unwrapped key. Google Cloud KMS hardware security modules wrap every DEK server-side. Your personal DEK lives in the iOS Keychain.

For the file-and-line citations behind each of these claims, see /security.

§ 04

Administrative safeguards (§164.308).

Leo is a small organization in private beta. Our administrative posture reflects that, and we name it honestly.

Designated Security Official
Mark Sheffield (founder & paramedic) holds the designated security official role for HIPAA purposes. Contact via legal@leomindbody.com.
Workforce Access
Workforce of one today. Access to production systems is controlled at the Google Cloud project level and audited automatically by Google Cloud's admin activity logs.
Vendor Management (BAAs)
Vendor risk is managed through Business Associate Agreements where PHI is involved. Status of each BAA is documented in §08 of this notice.
HIPAA Awareness
The founder maintains HIPAA awareness training proportional to a workforce-of-one operation. As the team grows, training will scale accordingly and will be documented here.
§ 05

Physical safeguards (§164.310).

Physical safeguards cover the facilities where PHI lives. For Leo, that is two places:

Cloud infrastructure
PHI in the cloud lives in data centers operated by Google Cloud, which provides HIPAA-eligible services and physical controls (badged access, security perimeter, multi-zone redundancy) under its standard infrastructure framework. Our BAA with Google governs the use of PHI on those systems — that BAA is in progress (§08).
Device-level safeguards
On the user's device, the biometric lock, session timeout, and failed-attempt lockout (all surfaced in §03) function as physical safeguards: even a stolen, unlocked phone does not yield PHI without the registered biometric or PIN.
§ 06

Field-level PHI encryption.

Leo encrypts PHI fields individually before they are written to Firestore — not just “at rest by the cloud provider.” The fields below are encrypted on your device with your DEK and decrypted on read. Queryable metadata (dates, IDs, types) stays plaintext so the app can function; the body of every entry is ciphertext on the wire.

Medications & Doses
medications, doseLogs, prnMedications, prnDoseLogs
Vitals & Body Signals
vitalSigns, healthEvents
Journal & Mental Health
journalEntries, sleepJournal, emotionLogs, mentalHealthSymptoms, leoConversations
Clinical Records
clinicalNotes, treatmentPlans, assessmentResponses, labReports, labValues
Symptoms & Flares
symptomLogs, flareUps, healthLogs
Sleep
sleepData, sleepRecords

Encryption on write and decryption on read happen transparently at the data layer: plaintext for these fields never travels over the wire, and the admin console never sees plaintext at all. Twenty-three or more collection types carry per-field encryption today.

§ 07

Your patient rights under HIPAA.

HIPAA grants individuals specific rights with respect to their PHI. Leo honors each of them today, in the following ways:

01
Right to Access.

Request a copy of any PHI we hold on you. Native export to PDF, JSON, or CSV is built into Leo.

02
Right to Amendment.

Request corrections to inaccurate PHI we hold. Most fields are user-editable directly in the app; amendments to read-only records can be requested by writing to legal@leomindbody.com.

03
Right to Accounting of Disclosures.

Request a list of who else has accessed your PHI. Leo's append-only audit log surfaces this automatically: every linked account's access is recorded with timestamp and actor.

04
Right to Restriction.

Restrict who Leo shares your data with. The in-app sharing toggles (per role, per data type) implement this. Any link can be revoked at any time.

05
Right to Delete.

Request deletion of your account and PHI. HIPAA itself does not grant a deletion right; Leo offers this in addition to the HIPAA rights above. We process and confirm deletion within thirty (30) days.

06
Right to Breach Notice.

We notify you without unreasonable delay, and no later than sixty (60) days after discovering any breach affecting your PHI, per HIPAA §164.404. See §09 below for the full breach-notification posture.

§ 08

Business Associate Agreements.

HIPAA requires Business Associate Agreements (BAAs) with any vendor that touches PHI on a covered entity's behalf. Status of Leo's BAAs today:

Google Cloud Platform
Underlying infrastructure (Firestore, Cloud Functions, Cloud KMS).
BAA in progress
Firebase / Firebase Auth
Database and authentication. Firebase is part of Google Cloud's BAA scope.
BAA in progress
Stripe
Payment processing for donations and subscriptions.
No PHI shared
Shopify
Ambassador rewards store and product fulfillment.
No PHI shared
§ 09

Breach notification.

In the event of a breach affecting unsecured PHI, Leo follows HIPAA's Breach Notification Rule (§164.400 et seq.):

Individual notice · §164.404
Affected individuals are notified without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach. Notice is delivered by the contact method on file (typically email).
Media notice · §164.406
If a breach affects more than 500 residents of a state or jurisdiction, Leo provides notice to prominent media outlets serving that area.
HHS notice · §164.408
Breaches affecting 500 or more individuals are reported to the U.S. Department of Health & Human Services (HHS) without unreasonable delay and within sixty (60) calendar days. Smaller breaches are logged and reported to HHS annually, no later than sixty (60) days after the end of the calendar year in which they were discovered.
§ 10

How to contact us.

For any HIPAA-related question, complaint, or to exercise a patient right (see §07):

You also have the right to file a complaint directly with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), without notifying us first. OCR's complaint portal is at hhs.gov/hipaa/filing-a-complaint. Leo will not retaliate against any individual for filing a complaint.

§ 11

Roadmap items we name out loud.

Most legal notices show only what an organization has done. This is the section where we name what we have not done yet — so the rest of the page can be read with confidence that we are not hiding gaps.

Cryptographic hash-chain on the audit log

Today the audit log is append-only and made immutable by Firestore rules. A SHA-256 hash-chain across audit records (each record carrying the hash of the prior record so any tamper attempt breaks the chain) is on our near-term build list. When it ships, this notice will be updated and the corresponding claim in §03 will move from "append-only, immutable by rule" to the stronger "tamper-evident chain."

Enforced retention policy

There is currently no automatic deletion of audit records or other PHI after a fixed retention window. HIPAA itself requires a minimum of six years for documentation; a retention service that enforces deletion at the upper bound (and exposes the policy to users) is on the roadmap.

Third-party HIPAA assessment

We have not yet engaged an independent assessor for a formal HIPAA compliance review. This will happen after the Google Cloud BAA is executed and is the second of the two gating items before we claim formal HIPAA compliance.

SOC 2 Type I

On the near-term roadmap. Documentation, controls, and the audit trail a Type I audit requires are being assembled before we engage a CPA firm. Type II requires a subsequent observation window.