HIPAA Notice
How protected health information is handled at SportSlip, and what your rights are as a parent or guardian.
Last reviewed: May 18, 2026
1. SportSlip's status under HIPAA
SportSlip is not a HIPAA covered entity under federal law (45 CFR § 160.103). HIPAA covers health care providers only when they transmit "standard transactions" (insurance claims, eligibility verification, enrollment, premium payments, referral certification) defined at 45 CFR Part 162.
SportSlip does none of these things. Parents pay out-of-pocket via Stripe. We don't bill insurance.
So federal HIPAA penalties don't apply to us. State law still does. Dr. Kawalek is licensed in 29 U.S. states (see About for the full list). The medical-records statute and patient-privacy law of your state of residence govern your interaction with this practice (for example, Massachusetts General Laws ch. 111 § 70E and the MA medical-records statute for MA residents; California CMIA for CA residents). Other states have their own analogs. In addition, the AMA Code of Medical Ethics (3.2.1) on confidentiality applies regardless of state.
2. Why we design to HIPAA-adjacent standards anyway
Because it's the right thing to do for a medical product:
- Every vendor that touches PHI on our behalf has (or is required to have) a Business Associate Agreement, even though we're not legally bound to one.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Every chart edit creates an immutable versioned record with author, timestamp, and reason — no overwriting.
- Every release of PHI is logged for defensibility.
- Admin sessions auto-expire after 20 minutes of inactivity.
- Sentry error reports are scrubbed of PHI before transmission.
- Email subject lines + bodies are deliberately PHI-free (notifications are deep-links, not content).
These are documented in our internal Security Posture (reviewed quarterly) and Vendor Trust Inventory.
3. What PHI we handle
See our Privacy Policy §2 for the full inventory. The short list: identity, screening answers, vitals, allergies, medications, family history, video of your child, immunization card, optional ECG reading, signed clearance PDF.
4. Where it lives
On infrastructure operated by Supabase (database + file storage), Render (backend hosting), Vercel (frontend hosting). All three host SportSlip on isolated cloud regions in the United States. None of them sell or analyze the data; their role is technical hosting.
5. Your rights as a parent/guardian
Right to access
You can download issued PDFs from your dashboard at any time. For a full export of everything in your child's record — screening answers, uploads, message thread, amendment history — email adam@sportslip.co. We respond within 30 days.
Right to amend
If something in your child's record is wrong, request an amendment via dashboard chat or email. Dr. Kawalek aims to review requests within 7 days (no formal 60-day federal clock; we're responsive). If accepted, the amendment becomes a new version pointing to the corrected state; the original version is preserved. If declined, you can submit a statement of disagreement, which is attached to the record permanently.
Right to restrict
Tell us in writing if there are specific uses you want restricted. We'll accommodate where compatible with the service (e.g., we can't deliver a clearance to your camp without sharing what camp it's for).
Right to confidential communications
Email us if you need us to contact you only at a specific email or phone number, or only via the dashboard. We'll honor reasonable requests.
Right to accounting of disclosures
We log every release of PHI internally (PDFs emailed to you, QR verifications scanned by camps, etc.). On request we can provide a list. Not a federally-mandated obligation since we're not a covered entity, but we maintain the log for defensibility and provide it on request.
Right to a paper copy of this notice
Email us; we'll send a dated PDF copy.
Right to file a complaint
If you believe your privacy rights have been violated, email adam@sportslip.co with details. We will investigate. You may also file with the Massachusetts Attorney General's office or your state's health regulator. We will not retaliate.
6. Breach notification
See our separate Breach Policy. In summary: if there's a breach affecting your child's record, we notify you in writing within a reasonable time (30 days for Massachusetts residents per M.G.L. ch. 93H; comparable timelines under other states' laws).
7. What if SportSlip changes status
If SportSlip ever begins billing insurance or transmitting other standard transactions, we'd become a HIPAA covered entity overnight. At that point we'd publish a formal §164.520 Notice of Privacy Practices and bring our procedures into compliance with §§ 164.524, 164.526, 164.528 access/amendment/disclosure-accounting requirements. We pre-installed most of the technical safeguards so the transition wouldn't require an architecture change.
8. Contact
Privacy officer (informal title; SportSlip is small): Adam Z. Kawalek, MD. Email adam@sportslip.co. Phone (833) 549-6401.
Questions? Email adam@sportslip.co or call (833) 549-6401.
SportSlip is a service of SickSlip Inc., a Delaware corporation. 8605 Santa Monica Blvd, Los Angeles, CA 90069.