HIPAA & Health Data

Understanding how we protect your health information

Last Updated: February 28, 2026

Important Clarification

InGauge is a consumer wellness application, not a healthcare provider, health plan, or healthcare clearinghouse. As such, InGauge is not a "Covered Entity" under HIPAA (Health Insurance Portability and Accountability Act).

However, we recognize that mental health and wellness data is deeply personal. We have voluntarily implemented security practices that meet or exceed HIPAA standards because your privacy deserves protection regardless of legal requirements.

What This Means for You

We're Not a Healthcare Provider

InGauge does not provide medical advice, diagnoses, or treatment. Our AI tools and content are for general wellness and self-reflection, not clinical care. HIPAA governs relationships between patients and healthcare providers—which is not what we are.

We Protect You Anyway

Even though HIPAA doesn't legally apply to us, we've built InGauge with HIPAA-grade security practices. We believe health-related data deserves the highest protection, whether the law requires it or not.

Don't Rely on Us for Medical Care

If you need mental health treatment, please work with licensed professionals who are covered by HIPAA and other healthcare regulations. InGauge is a complement to—not a replacement for—professional care.

Our Health Data Protections

We've voluntarily implemented the following safeguards, modeled after HIPAA's Security Rule:

1. Administrative Safeguards

  • Designated security personnel responsible for data protection policies
  • Workforce training on privacy and security practices
  • Access controls limiting who can view user data
  • Incident response procedures for security breaches
  • Regular risk assessments and policy reviews

2. Physical Safeguards

  • Cloud infrastructure with SOC 2 Type II certification
  • Data center physical security (biometrics, 24/7 monitoring, access logs)
  • Redundant systems and disaster recovery procedures
  • Secure disposal of storage media

3. Technical Safeguards

  • Encryption in Transit: TLS 1.3 for all data transmission
  • Encryption at Rest: AES-256 encryption for stored data
  • Access Controls: Role-based access, multi-factor authentication
  • Audit Logging: Comprehensive logs of data access and changes
  • Automatic Logoff: Session timeouts for inactive accounts
  • Integrity Controls: Mechanisms to detect unauthorized data modification

When HIPAA Would Apply

HIPAA may apply in situations involving actual healthcare providers:

  • Therapist Integration (Future): If we ever offer direct integration with licensed healthcare providers, those specific features would be designed to comply with HIPAA requirements, and we would enter Business Associate Agreements (BAAs) as appropriate.
  • Healthcare Provider Use: If a licensed therapist or healthcare organization wishes to use InGauge as part of their practice, please contact us at hipaa@getingauge.com to discuss compliance requirements and potential BAA arrangements.
  • Employer/Insurance Integration: We do not currently integrate with employer health programs or insurance companies. If this changes, relevant HIPAA compliance measures would be implemented.

Your Data Rights

While HIPAA's specific rights framework doesn't apply to us, we provide equivalent controls:

  • Access: View all data we have about you anytime
  • Export: Download your complete history
  • Correction: Update or correct any information
  • Deletion: Permanently delete your account and data

Third-Party Services

We carefully vet all third-party services that process user data:

  • Cloud Infrastructure: Hosted on providers with SOC 2 certification and HIPAA-eligible infrastructure
  • AI Providers: Our AI partners (for Talk to Psych and Toolkit features) are contractually bound to not retain, train on, or share your conversations
  • Analytics: We use privacy-focused analytics that do not track individual health data

Breach Notification

In the event of a data breach affecting your personal information, we commit to:

  • Notifying affected users within 72 hours of discovering the breach
  • Providing details about what data was affected
  • Describing the steps we're taking to address the breach
  • Offering guidance on how to protect yourself
  • Reporting to relevant regulatory authorities as required by law

For Healthcare Professionals

Are you a licensed therapist, counselor, or healthcare provider interested in using InGauge with your patients or clients? We'd love to hear from you.

Please contact us at hipaa@getingauge.com to discuss:

  • Business Associate Agreement (BAA) requirements
  • Integration options for clinical workflows
  • Data sharing and reporting capabilities
  • Compliance documentation

Questions?

If you have questions about our health data practices or HIPAA-related inquiries: