Legal

HIPAA Compliance

Reyma is HIPAA-compliant. Patient data is encrypted, access-audited, and covered by a signed Google Cloud Business Associate Agreement.

Summary

Reyma is built to handle protected health information (PHI) safely. Patient data flows through HIPAA-compliant infrastructure with end-to-end encryption, role-based access controls, full audit logging, and a signed Business Associate Agreement (BAA) with Google Cloud covering all storage and authentication.

Reyma operates in two modes depending on who is using it:

  • For patients. Reyma is a consumer wellness application used voluntarily. Personal wellness data remains your own unless you explicitly share it with a clinician.
  • For clinicians. Reyma Practice handles PHI on your behalf as a HIPAA Business Associate. Reyma signs BAAs with practices and operates under the full set of HIPAA Security Rule controls.

When Patient Data Becomes PHI

When a patient opts into sharing data with a licensed clinician, that shared data becomes Protected Health Information (PHI) the moment it reaches the clinician. From that point:

  • Your shared data may be considered PHI once received by your healthcare provider
  • Your healthcare provider is the covered entity responsible for HIPAA compliance when handling your shared data
  • Only AI-generated summaries are shared; raw conversation messages are never transmitted to providers
  • You can disconnect from your provider at any time, immediately revoking their access

Business Associate Agreement with Google Cloud

Reyma operates as a HIPAA Business Associate for the clinicians and practices that use Reyma Practice. To support that role, we have a signed Business Associate Agreement with Google Cloud covering every service we use to store and process patient data, including Firestore, Cloud Storage, Cloud Identity Platform, and Cloud Functions.

All patient data lives inside that BAA boundary. Clinicians and practices using Reyma Practice can request a Reyma → Practice BAA directly at any time; contact privacy@withreyma.com to get a copy.

How We Protect Your Data

Reyma implements the full set of HIPAA Security Rule technical safeguards on top of HIPAA-compliant Google Cloud infrastructure:

  • Encryption at rest: All cloud-stored data is encrypted using AES-256
  • Encryption in transit: All data transmissions use TLS 1.2 or higher
  • Access controls: Role-based access with consent-gated data sharing
  • No employee access: Reyma employees do not have access to your personal wellness data or conversation content
  • Audit logging: All provider data access is logged with timestamps

Healthcare Provider Responsibilities

If you are a healthcare provider using the Reyma dashboard, you are responsible for your own HIPAA compliance obligations. This includes ensuring appropriate safeguards for any patient data you access through the Reyma platform and maintaining compliance with all applicable federal and state privacy regulations.

Reyma provides tools to support your compliance, including consent-gated access, audit logging, and data minimization (summaries only, no raw messages). However, the responsibility for HIPAA compliance rests with you as the covered entity.

Account Deletion

Users can delete all of their data at any time through the app by navigating to Settings → Danger Zone → Delete All Data. This permanently removes all data from both local storage and cloud servers, including any data that has been shared with connected providers. This action cannot be undone.

Questions

If you have questions about Reyma's data practices or HIPAA considerations, contact us at privacy@withreyma.com.