Approved by: Compliance Officer
Contact: support@eyekonapp.com
EyeKon Technology, Inc., (“EyeKon,” “we,” “us,” or “our”) provides Attention Tracking Technology (ATT), a local desktop application for real-time gaze monitoring and attention feedback during video calls. EyeKon is designed for use in telehealth, pediatric therapy (including support for Autism and ADHD), online proctoring, and professional communications.
This policy establishes EyeKon’s commitment to protecting Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations at 45 CFR Parts 160 and 164 (Privacy, Security, and Breach Notification Rules).
EyeKon’s core architecture performs all processing locally on the end-user’s device. No video, audio, gaze data, or PHI is transmitted to EyeKon servers or any cloud service. In standard use EyeKon therefore does not create, receive, maintain, or transmit PHI on a Covered Entity’s behalf and is neither a Covered Entity nor a Business Associate; Covered Entities should confirm this conclusion within their own HIPAA Security Risk Analysis. This policy governs any incidental or support-related handling of PHI and ensures ongoing compliance if EyeKon enters a Business Associate Agreement (BAA).
This policy applies to:
o All EyeKon employees, contractors, and agents (“Workforce”).
o Any PHI that may be incidentally received (e.g., support tickets containing PHI, report attachments, or customer communications).
o All systems, devices, and processes under EyeKon’s control.
o Business associates and subcontractors who may handle PHI on EyeKon’s behalf (if any).
It does not apply to data processed locally by clinicians, patients, or end-users on their own devices.
o Protected Health Information (PHI): Individually identifiable health information, in any form or medium, created, received, maintained, or transmitted by a Covered Entity or Business Associate.
o Covered Entity: Health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction.
o Business Associate: A person or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.
o Local Processing: All gaze tracking, analysis, and report generation performed entirely on the user’s device with no transmission to EyeKon.
o Breach: Acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
EyeKon does not receive, store, or transmit PHI in standard operation. Any incidental PHI received (e.g., via email support) will be used or disclosed only:
o To fulfill the purpose for which it was provided (e.g., technical support).
o As required by law.
o With explicit written authorization from the individual or the Covered Entity.
Workforce members access only the minimum PHI necessary to perform their job functions.
EyeKon does not maintain designated record sets of PHI. If a patient rights request (access, amendment, accounting of disclosures, etc.) is received regarding local EyeKon-generated reports, EyeKon will promptly forward the request to the applicable Covered Entity and assist as reasonably requested.
EyeKon does not create or maintain a Notice of Privacy Practices for its own operations because it is not a Covered Entity. Covered Entities using EyeKon are responsible for providing their own NPP to patients.
EyeKon maintains administrative, physical, and technical safeguards appropriate to the minimal risk profile of its operations.
o Security Management Process: Annual risk analysis (updated as of April 2026) identifies and mitigates risks to any PHI that could be received.
o Assigned Security Responsibility: The Compliance Officer is responsible for HIPAA compliance.
o Workforce Training and Sanctions: All Workforce members receive annual HIPAA training and sign confidentiality agreements. Violations are subject to progressive discipline up to termination.
o Business Associate Agreements: EyeKon enters into BAAs with any vendor or subcontractor that may create, receive, maintain, or transmit PHI on its behalf (none currently required due to local processing).
o Contingency Plan: Includes data backup (non-PHI subscription data only), disaster recovery, and emergency-mode operations procedures.
o Evaluation: Periodic technical and non-technical evaluations of security measures.
o Access to EyeKon offices and systems is restricted to authorized personnel via badge or biometric controls.
o Portable devices containing any potential PHI (e.g., support laptops) are encrypted and tracked.
o Visitors are escorted and signed in.
o Access Control: Unique user IDs, strong passwords, and role-based access. Multi-factor authentication required for all systems.
o Audit Controls: Logging of all access to systems that could handle PHI (support ticketing system). Logs retained for 6 years.
o Integrity Controls: Mechanisms to ensure PHI is not improperly altered or destroyed (if received).
o Transmission Security: Any incidental PHI transmitted electronically is protected in transit with TLS 1.2 or higher (TLS 1.3 preferred) or exchanged through a secure file-sharing portal. Because ordinary email encryption is opportunistic, PHI may be sent by email only where encryption to the recipient’s mail server is enforced; otherwise the secure portal must be used. No PHI is ever sent unencrypted.
o Device and Media Controls: All company devices are encrypted (BitLocker/FileVault). Media containing PHI is sanitized before disposal.
o Local Processing Assurance: EyeKon’s software is engineered so that gaze data, video, and audio never leave the user’s device. Source code and release binaries are reviewed to confirm that this guarantee continues to hold.
EyeKon will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery of a Breach of unsecured PHI.
o Notification of affected individuals, the media, and HHS under the Breach Notification Rule is the Covered Entity’s obligation. EyeKon will supply the Covered Entity with the information needed for those notifications and will perform them directly where a BAA delegates that responsibility to EyeKon.
o Documentation of all breaches and risk assessments will be maintained for 6 years.
Because gaze data, video, and audio are never stored on EyeKon systems in standard use, a compromise of EyeKon servers cannot expose PHI processed by the application. The residual breach risk is limited to incidental PHI received through support channels, which is why the safeguards above focus on those systems.
EyeKon will execute a HIPAA-compliant BAA upon request if a Covered Entity determines that a BAA is needed for their specific use case. The standard BAA is available from the Compliance Officer.
o Email, Fax, and Messaging: PHI (if any) must be sent via encrypted channels only.
o Device Use: Workforce may not use personal devices for PHI without encryption and approval.
o Remote Access: VPN with MFA required for any access to internal systems.
o Incident Response: All suspected incidents are reported immediately to the Compliance Officer.
o Documentation: All HIPAA-related policies, training records, risk analyses, and incident logs are retained for at least 6 years.
Violations of this policy will result in disciplinary action, up to and including termination. Workforce members are required to report suspected violations or breaches immediately.
This policy will be reviewed at least annually or following any regulatory change, significant incident, or material change in EyeKon’s operations. Updates will be distributed to all Workforce members.
All Workforce members must acknowledge receipt and understanding of this policy upon hire and annually thereafter.
Questions or Concerns?
Contact the HIPAA Compliance Officer at support@eyekonapp.com or (insert phone number if available).
EyeKon Technology
eyekonapp.com
This policy supports the privacy-first design of our Attention Tracking Technology and enables Covered Entities to use EyeKon while maintaining full control over their PHI.
End of Policy
This document is provided as a comprehensive, ready-to-adapt HIPAA policy. EyeKon recommends that Covered Entities using the app conduct their own Security Risk Analysis and integrate EyeKon’s local-processing features into their policies. If you need this document in a different format (Word/PDF), customizations, or a signed BAA, please contact support@eyekonapp.com.