HIPAA / PHI Handling Notice
Effective April 25, 2026
SMEG does not accept PHI through public demo links, public forms, or unsecured email. This page summarizes the PHI-gated path required before any PHI-enabled pilot or service.
1. SMEG's role under HIPAA
When a Covered Entity signs a BAA and an approved service scope with SMEG, SMEG may act as a Business Associate as defined at 45 CFR §160.103. Until those documents are executed, public demos and worksheets are non-PHI only.
Before any PHI is transmitted to SMEG, SMEG executes a Business Associate Agreement with the Covered Entity. SMEG's BAA template is available at /legal/baa and is materially modeled on the HHS Office for Civil Rights sample provisions.
2. Administrative safeguards (§164.308)
Before PHI is accepted, SMEG requires an administrative-safeguards plan covering:
- Security Management Process. Risk analysis and risk-management planning for the specific intake/storage/review workflow.
- Workforce Security & Training. Role-based access authorization and HIPAA training for any workforce member with PHI access.
- Access Authorization & Modification. Documented authorization workflow for granting, modifying, and terminating PHI access.
- Security Incident Procedures. Written incident-response workflow with notification timelines and evidence-preservation steps.
- Contingency Plan. Backup, disaster-recovery, and retention plan appropriate to the approved storage vendor and pilot scope.
- Business Associate Contracts. Downstream BAAs or equivalent required agreements for any vendor that creates, receives, maintains, or transmits PHI.
3. Physical safeguards
PHI-enabled processing must occur only through an approved cloud/storage workflow with appropriate contractual safeguards. Public website/demo infrastructure is not an approved PHI intake path.
4. Technical safeguards (§164.312)
- Access Control (§164.312(a)). Unique user identification, automatic logoff, role-based access. No shared accounts.
- Audit Controls (§164.312(b)). Immutable access logs for every PHI read/write/delete. Retention ≥ 6 years per 45 CFR §164.530(j).
- Integrity (§164.312(c)). Tamper-evident hashing on stored PHI; integrity validated on retrieval.
- Person or Entity Authentication (§164.312(d)). Multi-factor authentication required for all administrative and clinical-reviewer accounts.
- Transmission Security (§164.312(e)). TLS 1.2 minimum (TLS 1.3 preferred) for all PHI in transit. AES-256 encryption at rest.
5. Organizational requirements (§164.314)
Any subcontractor that creates, receives, maintains, or transmits PHI on SMEG's behalf must be approved in the pilot/service scope and bound by appropriate written terms before PHI is exchanged.
6. Breach notification
In the event of a Breach of Unsecured PHI, SMEG will notify the affected Covered Entity without unreasonable delay and in no case later than sixty (60) days after discovery, in accordance with 45 CFR §164.410. Notification will include a description of what happened, the types of PHI involved, the steps Individuals should take to protect themselves, what SMEG is doing to investigate and mitigate harm, and contact information for follow-up.
7. PHI in machine learning
SMEG does not use identifiable PHI to train, fine-tune, or evaluate machine-learning models. Model training relies on:
- De-identified data per 45 CFR §164.514(b) (Safe Harbor or Expert Determination).
- Synthetic clinical scenarios authored by SMEG's clinical team.
- Publicly available regulatory corpora — CMS Pub. 100-02, CMS Transmittals and therapy-services updates (e.g., CY2026 KX threshold guidance), OIG audit reports, MAC Local Coverage Determinations.
Any AI/vendor processing involving PHI must be approved in writing first. Public demos and sample reports use synthetic or fake data only.
8. PHI retention & deletion
SMEG retains PHI only as long as necessary to provide the contracted services and to satisfy applicable legal and audit-trail requirements. Upon BAA termination, PHI is returned or securely destroyed in accordance with NIST SP 800-88 media sanitization guidelines. Audit logs (which may reference PHI by record identifier) are retained for the six-year minimum required by 45 CFR §164.530(j).
9. Patient rights
Patients ("Individuals" in HIPAA terminology) exercise their HIPAA rights — access, amendment, accounting of disclosures, restriction requests — through their Covered Entity, not directly with SMEG. SMEG supports its Covered Entity customers in fulfilling these rights within the timelines set by the Privacy Rule and the executed BAA.
10. Reporting a concern
If you believe SMEG has used or disclosed PHI in violation of HIPAA or this Notice, contact us:
- Email: smeg@suprememedicalevaluationgroup.com (subject line: "HIPAA concern")
- Phone: (818) 468-4099
You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights, at hhs.gov/hipaa/filing-a-complaint. SMEG will not retaliate against any person for filing a complaint.
Regulatory references
- 45 CFR §164.308 — Administrative safeguards.
- 45 CFR §164.310 — Physical safeguards.
- 45 CFR §164.312 — Technical safeguards.
- 45 CFR §164.314 — Organizational requirements (Business Associate contracts).
- 45 CFR §164.402, §164.404, §164.410 — Breach notification.
- 45 CFR §164.514(b) — De-identification standards.
- 45 CFR §164.530(j) — Documentation retention (six years).