HIPAA Compliance
Last updated: April 4, 2026
Icosa, LLC ("Icosa") is committed to protecting the privacy and security of health information processed through our personality assessment platform. We treat assessment data as Protected Health Information (PHI) and maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and their implementing regulations.
1. Our Commitment
Icosa voluntarily applies HIPAA standards to all assessment data, even in contexts where HIPAA may not strictly require it. We believe that personality assessment data—which reveals intimate details of an individual's psychological structure—deserves the highest standard of protection. Every user benefits from HIPAA-grade safeguards, regardless of whether their assessment is administered through a healthcare provider.
2. Business Associate Agreements
Icosa offers Business Associate Agreements (BAAs) to all practitioner and organizational accounts that handle PHI. A BAA establishes the legal framework for HIPAA-compliant data sharing between Icosa and healthcare providers, counselors, and clinical organizations.
- BAAs are required before any PHI is transmitted between a practitioner's systems and Icosa
- Our standard BAA covers all assessment data processed through the platform
- BAAs define permitted uses and disclosures, safeguard requirements, breach notification obligations, and termination provisions
- To request a BAA, contact compliance@icosa.org
3. Protected Health Information
Icosa treats the following data as PHI:
- Assessment responses and computed personality profiles
- Narrative interpretations generated from assessment data
- Longitudinal assessment history and developmental tracking data
- Dyadic (couples) assessment data, including relational compatibility analyses
- Any data linked to an identifiable individual that is created, received, maintained, or transmitted by Icosa in connection with assessment services
4. Technical Safeguards
Encryption
- Data at rest: All PHI stored in our databases is encrypted using AES-256-GCM authenticated encryption
- Data in transit: All communications between clients and servers are protected with TLS 1.2 or higher
- Encryption keys: Managed through secure key management practices with regular rotation schedules
Access Controls
- Role-based access control (RBAC): System access is limited to the minimum necessary for each user role (consumer, practitioner, administrator)
- Unique user identification: Every user has a unique identifier; no shared accounts are permitted
- Automatic session termination: Inactive sessions are terminated after a defined period
- Authentication: Passwordless authentication via secure magic links, eliminating password-related vulnerabilities
Audit Controls
- All access to PHI is logged with timestamps, user identifiers, and action descriptions
- Audit logs are tamper-resistant and retained for 7 years
- Logs are reviewed regularly for unauthorized access patterns
- HMAC-based integrity verification ensures audit log entries cannot be altered
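The HMAC-based integrity verification described above works by binding every audit entry to a keyed MAC and to the MAC of the entry before it, so that altering, reordering or deleting an interior record breaks the chain. The following Python example is an added illustration of that technique and is not Icosa's own code; the key, the entry fields and the sample entries are constructed for the demonstration.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demonstration key. A real deployment keeps this in a KMS/HSM
# and never in source control.
DEMO_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # prev_mac value for the first entry in a chain


def canonical(entry: dict) -> bytes:
    """Deterministic serialization so the MAC covers exactly one byte string."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, key: bytes, user_id: str, action: str,
                 resource: str, ts: str = None) -> dict:
    """Append an audit record whose MAC also covers the previous record's MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "resource": resource,
        "prev_mac": prev_mac,
    }
    entry["mac"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes, expected_len: int = None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    expected_len is an externally anchored record count; without it, silently
    truncating the tail of the log is not detectable by the chain alone.
    """
    if expected_len is not None and len(log) != expected_len:
        return (False, len(log))
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != expected_prev:
            return (False, i)  # reordered, dropped, or renumbered entry
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return (False, i)  # contents edited after the MAC was computed
        expected_prev = entry["mac"]
    return (True, None)


def build_sample_log() -> list:
    """Three constructed PHI-access records, fixed timestamps for reproducibility."""
    log = []
    append_entry(log, DEMO_KEY, "prac-17", "VIEW_PROFILE", "assessment/a1",
                 ts="2026-04-04T10:00:00+00:00")
    append_entry(log, DEMO_KEY, "prac-17", "EXPORT_PDF", "assessment/a1",
                 ts="2026-04-04T10:02:30+00:00")
    append_entry(log, DEMO_KEY, "admin-2", "VIEW_PROFILE", "assessment/a2",
                 ts="2026-04-04T11:15:00+00:00")
    return log


def copy_log(log: list) -> list:
    return json.loads(json.dumps(log))


def demo() -> dict:
    """Show which manipulations the chain detects; returns the verdicts."""
    log = build_sample_log()
    results = {"intact": verify_chain(log, DEMO_KEY)}

    edited = copy_log(log)
    edited[1]["user"] = "prac-99"          # rewrite who exported the PDF
    results["edited"] = verify_chain(edited, DEMO_KEY)

    dropped = copy_log(log)
    del dropped[1]                         # remove the export record entirely
    results["dropped"] = verify_chain(dropped, DEMO_KEY)

    truncated = copy_log(log)[:2]          # cut off the newest record
    results["truncated_unanchored"] = verify_chain(truncated, DEMO_KEY)
    results["truncated_anchored"] = verify_chain(truncated, DEMO_KEY, expected_len=3)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The design point worth noting is the last two checks: a keyed chain detects edits and interior deletions on its own, but a log silently cut at the tail still verifies unless the expected length (or the latest MAC) is anchored somewhere the log writer cannot reach, such as a separate write-once store.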
Transmission Security
- All API endpoints enforce HTTPS; unencrypted HTTP connections are rejected
- All mobile application network requests enforce HTTPS with certificate validation
- Strict Content Security Policies prevent data exfiltration
5. Administrative Safeguards
- Security Officer: Icosa maintains designated personnel responsible for HIPAA compliance and incident response
- Risk Analysis: We conduct regular risk assessments to identify and mitigate potential threats to PHI
- Workforce Training: All employees and contractors with access to PHI complete HIPAA training upon hire and annually thereafter
- Sanction Policy: Violations of HIPAA policies by workforce members result in disciplinary action
- Contingency Planning: Disaster recovery and emergency access procedures ensure continuity of PHI protection
6. Physical Safeguards
Icosa's infrastructure is hosted on Amazon Web Services (AWS), which maintains:
- SOC 2 Type II certification
- Physical access controls including biometric authentication, 24/7 security monitoring, and multi-factor access to data centers
- Environmental controls including fire suppression, climate management, and redundant power systems
- HIPAA-eligible services with AWS's own BAA in place
7. Breach Notification
In the event of a breach of unsecured PHI, Icosa will:
- Notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach
- Notify the U.S. Department of Health and Human Services (HHS) as required by the breach notification rule
- For breaches affecting 500 or more individuals, notify prominent media outlets serving the affected jurisdiction
- Provide written notice including a description of the breach, the types of information involved, steps individuals should take to protect themselves, what Icosa is doing to investigate and mitigate the breach, and contact information for further inquiries
8. De-Identification
When Icosa uses assessment data for research or service improvement, we apply de-identification methods consistent with the HIPAA Safe Harbor standard. De-identified data has all 18 categories of identifiers removed and cannot reasonably be used to identify an individual.
9. Minimum Necessary Standard
Icosa applies the HIPAA minimum necessary standard to all uses and disclosures of PHI. Access to PHI is limited to the minimum amount of information needed to accomplish the intended purpose. This applies to:
- Internal access by Icosa personnel
- Disclosures to practitioners through the platform
- Any third-party service providers with access to PHI
10. Data Retention
Icosa retains clinical assessment records for 7 years from the date of assessment, consistent with clinical best practices and applicable state record retention requirements. This exceeds the HIPAA documentation retention requirement of 6 years (45 CFR 164.530(j)) and satisfies clinical record retention requirements in most US jurisdictions. Audit logs are retained for the same period. Upon expiration of the retention period, data is securely destroyed using methods that prevent recovery.
11. Patient Rights Under HIPAA
Individuals whose PHI is maintained by Icosa have the right to:
- Access and obtain a copy of their PHI
- Request amendments to their PHI
- Receive an accounting of disclosures of their PHI
- Request restrictions on certain uses and disclosures
- Request confidential communications through alternative means or locations
- Receive a copy of this notice of our privacy practices
- File a complaint with Icosa or with the HHS Office for Civil Rights
12. Contact
For HIPAA-related inquiries, BAA requests, or to report a potential security concern, contact us at:
Icosa, LLC — Compliance
8 The Green, Suite A, Dover, DE 19901
Email: compliance@icosa.org
Related Policies
See also our Privacy Policy, Terms of Service, and GDPR Compliance pages.