HIPAA Alignment

Although Cognistase is a European company, we are preparing our architecture to meet HIPAA requirements for US-based users.

Families and professionals in the United States may also benefit from our platform. HIPAA (the Health Insurance Portability and Accountability Act) sets the standard for protecting individually identifiable health information in the US, and we are preparing our architecture to meet its requirements before we serve US customers.

Why HIPAA matters for a European company

Developmental assessment data is individually identifiable health information. When it is created, received or stored by a HIPAA covered entity (a US healthcare provider, clinic or health plan) or by a vendor acting on its behalf, it is Protected Health Information (PHI), and Cognistase must then comply with the HIPAA Privacy Rule and with the Administrative, Physical, and Technical Safeguards of the Security Rule. Student records held by schools are generally governed by FERPA rather than HIPAA, but we apply the same controls to them. Our EU-centric, GDPR-driven architecture already implements many of these requirements.

Safe Harbor de-identification

Our de-identification process follows the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)): all 18 categories of identifiers are removed, dates are reduced to the year, ZIP codes are truncated to their first three digits (or replaced with 000 where that prefix covers 20,000 people or fewer), and ages over 89 are reported only as "90 or older". Safe Harbor also requires that we have no actual knowledge that the remaining data could be used, alone or in combination, to identify an individual. Data used for aggregate analysis or system improvement is de-identified in this way first, so it is no longer PHI.
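As an added illustration (example code written for this page, not Cognistase's own implementation), the following Python applies the Safe Harbor rules to a flat assessment record. The field names, the sample record and the deny-by-default field policy are constructed for the example; the list of small-population ZIP3 prefixes is the one HHS published from the 2000 Census and should be re-verified against current guidance before use.

```python
import re
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)) applied to a flat record with a deny-by-default
# field policy: anything not explicitly passed through or transformed is dropped.
# Example code for this page; the schema below is constructed, not Cognistase's.

PASSTHROUGH_FIELDS = {"sex", "assessment_type", "scores"}   # assumed non-identifying
ZIP_FIELD = "zip"
DATE_FIELDS = {"birth_date", "assessment_date"}             # reduced to year only
AGE_FIELD = "age"

# ZIP3 prefixes whose combined population is 20,000 or fewer (HHS list from the
# 2000 Census; assumption: re-verify against current HHS guidance before use).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

AGE_CAP = 89  # ages over 89 collapse into the single category "90+"


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string; None if unparseable."""
    if isinstance(value, date):
        return value
    try:
        return date.fromisoformat(str(value))
    except ValueError:
        return None


def generalize_zip(value):
    """Keep the first three ZIP digits, or 000 for small-population prefixes."""
    digits = re.sub(r"\D", "", str(value or ""))
    if len(digits) < 5:
        return None               # malformed: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_category(age):
    """Ages over 89 may only be reported as the aggregate category '90+'."""
    if age is None:
        return None
    return "90+" if age > AGE_CAP else int(age)


def generalize_date(value, reference):
    """Reduce a date to its year; drop it if the year alone implies an age over 89."""
    d = _as_date(value)
    if d is None or reference.year - d.year > AGE_CAP:
        return None
    return d.year


def deidentify(record, reference):
    """Return (deidentified_record, sorted list of dropped field names)."""
    ref = _as_date(reference)
    if ref is None:
        raise ValueError("a valid reference date is required")
    out, dropped = {}, []
    for key, value in record.items():
        if key in PASSTHROUGH_FIELDS:
            out[key] = value
        elif key == ZIP_FIELD:
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = generalize_date(value, ref)
        elif key == AGE_FIELD:
            out["age"] = age_category(value)
        else:
            dropped.append(key)   # names, contact details, MRNs, device IDs, free text
    # Belt and braces: an age of 90+ must not be recoverable from the birth year.
    if out.get("age") == "90+":
        out["birth_year"] = None
    return out, sorted(dropped)


# Constructed sample input; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "guardian_email": "parent@example.com",
    "medical_record_number": "MRN-00042",
    "zip": "02134-1234",
    "birth_date": "2018-05-17",
    "assessment_date": "2024-03-09",
    "age": 5,
    "sex": "F",
    "assessment_type": "language",
    "scores": {"receptive": 47, "expressive": 52},
    "clinician_notes": "Accompanied by grandmother; lives near the station.",
}
REFERENCE_DATE = "2024-03-09"   # the date against which ages are computed


if __name__ == "__main__":
    clean, dropped = deidentify(SAMPLE_RECORD, REFERENCE_DATE)
    print("kept:", clean)
    print("dropped:", dropped)
```

Two design choices matter here. Unknown fields are dropped rather than passed through, because free-text fields such as clinician notes are the usual place identifiers leak, and Safe Harbor's eighteenth category covers any other identifying detail. The birth year is removed whenever it, together with the reference date, would reveal an age over 89, since the rule treats any date element indicative of such an age as an identifier.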

PHI isolation zones

Protected Health Information is stored in dedicated isolation zones with additional access controls, encryption, and audit logging beyond our standard security measures. These zones are logically and physically separated from non-PHI data storage.

Business Associate Agreement

When Cognistase becomes available in the US market, we will offer Business Associate Agreements (BAAs) to covered entities. HIPAA requires a covered entity to have a BAA in place before it discloses PHI to a vendor; the agreement formalizes our commitment to protecting PHI and defines both parties' responsibilities under HIPAA, including breach notification.

Technical safeguards already in place

  • Encryption at rest (AES-256-GCM) and in transit (TLS 1.3)
  • Unique user identification and role-based access control
  • Automatic session management, with automatic logoff after a period of inactivity
  • Comprehensive audit logging of all data access events
  • Emergency access procedures for authorized personnel