HIPAA Notice

audit the outcome · verify activation · prove it every Friday

Riley is HIPAA-aware software designed to handle Protected Health Information (PHI) responsibly when used by healthcare businesses on the Practice plan with an executed Business Associate Agreement.

Last updated April 2026

Plain-language summary

Your practice is the Covered Entity (CE) under HIPAA. Luminex Technologies LLC is the Business Associate (BA) on the Practice plan. We sign a Business Associate Agreement (BAA) with you at signup. PHI is encrypted at rest and in transit, processed inside your authorized integrations only, and never used to train AI models. Your team approves every patient-facing output before it ships. A PII scanner runs on every output. We support your CE obligations including breach notification, audit-log requests, and data-subject responses.

1. Roles and relationships

Customer is the Covered Entity (CE) under 45 C.F.R. section 160.103. Luminex Global Inc. is a Business Associate (BA) when acting on Customer's behalf to process PHI. Riley acts as Customer's tool for permitted purposes (treatment communications, payment, health-care operations) under HIPAA. Customer remains responsible for HIPAA compliance. Riley supports but does not assume the CE role.

2. Business Associate Agreement (BAA)

Practice plan signups include execution of a BAA between Luminex Technologies LLC and the Customer's CE entity. The BAA covers permitted uses, safeguard requirements, breach-notification obligations, subcontractor commitments, term and termination, and data-return obligations. Customer can request the BAA template in advance from legal@hireriley.com.

3. Safeguards

Administrative: principle-of-least-privilege role-based access controls, security-awareness practices, and append-only audit logging of every PHI-touching action.

Physical: regional VMs (US and EU) with provider-attested physical security controls. See Trust for the current subprocessor list.

Technical: AES-256 encryption at rest, TLS 1.3 in transit, OAuth-only authentication (no API keys to leak server-side), an automatic PII redactor on AI outputs, immutable audit logs, a per-tenant egress policy (default, BAA-covered AI provider only, or fully on-premise inference) for tenants that need to restrict where PHI may be processed, and a second-pass PHI compliance review that wraps every PHI-bearing action and fails closed on uncertainty rather than allowing a borderline action through.

4. AI and PHI

AI processing happens with our LLM provider under terms that prohibit training on customer data. Customer PHI is not used to fine-tune any model Luminex or its providers offer to other customers. AI outputs that may include PHI are scanned by Riley's PII scanner before delivery; Customer reviews every patient-facing output before it ships.

5. Subcontractors and subprocessors

Subprocessors that may process PHI on our behalf are listed in Disclosures section 18. Each subprocessor that touches PHI is bound by a downstream BAA. Material changes are communicated 30 days in advance.

6. Breach notification

Per 45 C.F.R. section 164.410, Luminex will notify Customer of any breach of unsecured PHI as required by the executed BAA. We follow industry-standard breach-notification timelines under HIPAA section 164.404; the current incident response runbook is operator-administered. Notification will include the nature of the breach, affected individuals, what was breached, what has been done, and recommended steps. Customer remains responsible for breach notification to affected individuals and HHS as required.

7. Data subject rights

Riley supports Customer's HIPAA Right of Access, Right to Amendment, Right to Accounting of Disclosures, and Right to Restriction. Email privacy@hireriley.com with the patient identifier (no PHI in the request body) and we will work with Customer to honor it within 30 days.

8. Termination and data return

On termination, Luminex will return or destroy all PHI per Customer's instruction within 90 days. PHI in encrypted backups follows our backup retention (rolling 90 days) and is then purged.

9. Honest scope

Riley is HIPAA-aware, not HIPAA-certified (no such certification exists; HIPAA is a regulation). On the Free Scan, Authority Audit, and lower plans, Riley does not handle PHI in patient-facing communications. Those tiers are designed for non-PHI use cases (review responses based on public reviews, AEO content, business operations). PHI handling requires the Practice plan with an executed BAA. See Disclosures section 4.
For a BAA template, security questionnaire, or any HIPAA-specific question: privacy@hireriley.com. See also Disclosures, DPA, and Security page.