HIPAA Compliance

Understanding Genosm's privacy-first architecture and HIPAA alignment

Overview

Genosm is built with a privacy-first, local-only architecture that aligns with HIPAA's technical safeguard requirements. All protected health information (PHI) remains on your device and under your direct control.

Important: While Genosm's technical architecture supports HIPAA compliance, full HIPAA compliance requires organizational policies, workforce training, and administrative safeguards beyond what any software alone can provide. We recommend consulting your organization's compliance officer.

Key Privacy Principles

  • Local-First Storage: All PHI is stored only in your browser's IndexedDB and, if you enable it, in a local backup folder you choose
  • No Cloud Storage: Genosm does not provide cloud storage or sync services
  • Client-Side Anonymization: AI features replace names with placeholders on your device before any text is transmitted
  • User Control: You maintain complete control over your data at all times

Privacy Architecture

Genosm's architecture is designed from the ground up to keep sensitive patient data local and secure.

Data Storage Layers

1. Browser Storage (Primary)

All genogram data is stored in your browser's IndexedDB, a client-side database built into the browser that:

  • Stores data only on your device
  • Is isolated to your browser profile and to the Genosm origin, so other sites cannot read it
  • Persists data across browser sessions
  • Is subject to the browser's own security controls

Two caveats follow from this. The browser does not encrypt IndexedDB at rest, so the data is only as protected as the device's disk encryption and login controls (see Recommendations below). And clearing the browser's site data, or removing the browser profile, deletes it, which is why the optional local backup below matters.

2. Local File System (Optional Backup)

You can optionally connect a local folder for automatic backups:

  • You choose the backup folder location
  • Genosm writes backup files directly to your local file system
  • You maintain full control over backup location and security

3. No Cloud Storage by Genosm

Genosm does not provide cloud storage or sync services. All data remains local.

Technical Safeguards (§164.312)

HIPAA's Technical Safeguards require mechanisms to protect ePHI and control access. Here's how Genosm aligns:

Access Control (§164.312(a)(1))
  Genogram data lives in the browser profile on the device. The browser does not encrypt IndexedDB on its own, so access control rests on the device's login controls and full-disk encryption (see Recommendations below).

Audit Controls (§164.312(b))
  Browser console output exists for debugging only. It is not persistent, not tamper-evident and not tied to a user identity, so it is not an audit trail. Organizations must implement their own audit logging, for example at the workstation or endpoint level.

Integrity (§164.312(c)(1))
  Stored JSON is validated against the expected structure on load, and checksums detect corrupted data. A plain checksum catches accidental corruption; it does not by itself prove that a file was not deliberately altered by someone with write access to it.

Transmission Security (§164.312(e)(1))
  All web traffic uses HTTPS/TLS. PHI is not transmitted at all outside the AI features; AI requests carry only the client-anonymized text (see AI Privacy & Anonymization).

Data Handling Practices

What Data is Stored Locally

  • Genogram structure (people, relationships, connections)
  • Person details (names, ages, health conditions, notes)
  • Clinical patterns and custom patterns you create
  • Application preferences and settings

What Data is Never Transmitted

Outside the AI features, nothing from a genogram leaves your device. In particular, Genosm never transmits:

  • Patient names (AI requests carry placeholders instead; see AI Privacy & Anonymization)
  • Health conditions or medical information
  • Clinical notes or observations
  • Complete genogram structures

Zero Server Storage: Genosm servers do not store, log, or retain any patient health information. Our servers only handle authentication and anonymized AI processing requests.

AI Privacy & Anonymization

When you use AI features, Genosm employs client-side anonymization to protect patient privacy.

How AI Anonymization Works

  1. Detection: Genosm scans your text for potential personally identifiable information (PII), such as the names of people in your genogram.
  2. Replacement: Names are replaced with generic placeholders (e.g., "John" → "Person1"). The name-to-placeholder mapping stays on your device.
  3. Transmission: Only the anonymized text is sent to AI servers over encrypted HTTPS.
  4. De-anonymization: When results return, placeholders are replaced with the original names, entirely client-side.
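The four steps above, carried through in code as an added example. This is not Genosm's own implementation, which the page does not publish. It assumes that detection is a dictionary match against the names of people in the genogram (rather than general PII detection), and it replaces the network call with a local stand-in function so that it runs offline.

```javascript
// Added example, not Genosm's own code: the client-side anonymize / send /
// de-anonymize round-trip for text going to an external AI service.
// Assumption: names to protect come from the genogram's person records.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One placeholder per person. Both the full name and the first name map to
// the same placeholder, so "Ann Miller" and "Ann" both become Person2 and
// the model sees one consistent individual. Longest alias first so that
// "Ann Miller" is consumed before a bare "Ann" can match inside it. A first
// name shared by two people is ambiguous and resolves to the earlier person;
// real code should prefer full names in the note.
function buildAliases(people) {
  const aliases = [];
  people.forEach((person, i) => {
    const name = person.name.trim();
    const placeholder = `Person${i + 1}`;
    for (const alias of new Set([name, name.split(/\s+/)[0]])) {
      aliases.push({ alias, placeholder, name });
    }
  });
  return aliases.sort((a, b) => b.alias.length - a.alias.length);
}

// Steps 1 and 2: detect names and replace them. \b keeps "Ann" from firing
// inside "annual"; the "i" flag catches case variants such as "ANN".
function anonymize(text, people) {
  const aliases = buildAliases(people);
  const mapping = new Map(aliases.map((a) => [a.placeholder, a.name]));
  let out = text;
  for (const { alias, placeholder } of aliases) {
    out = out.replace(new RegExp(`\\b${escapeRegExp(alias)}\\b`, "gi"), placeholder);
  }
  return { text: out, mapping };
}

// Step 4: restore names on the client. The mapping never left the device.
// \b stops "Person1" from rewriting the first part of "Person10".
function deanonymize(text, mapping) {
  let out = text;
  for (const [placeholder, name] of mapping) {
    out = out.replace(new RegExp(`\\b${placeholder}\\b`, "g"), name);
  }
  return out;
}

// Step 3 stand-in. A real client would POST the anonymized text over HTTPS;
// this local function just echoes a "summary" so the round-trip is visible.
function fakeAiService(promptText) {
  return `Summary: ${promptText.replace(/\.$/, "")} (pattern noted)`;
}

function roundTrip(text, people, aiCall = fakeAiService) {
  const { text: sent, mapping } = anonymize(text, people);
  const received = deanonymize(aiCall(sent), mapping);
  return { sent, received };
}

// Constructed sample input (not real patient data).
const samplePeople = [{ id: "p1", name: "John Miller" }, { id: "p2", name: "Ann Miller" }];
const sampleNote =
  "John Miller's mother Ann Miller had the same condition; Ann's annual check was missed.";
const demo = roundTrip(sampleNote, samplePeople);
console.log("sent:    ", demo.sent);
console.log("received:", demo.received);
```

Two properties of this design are worth noticing. The restored reply carries the full name wherever a placeholder appeared ("Ann Miller's" rather than "Ann's"), because the placeholder encodes identity, not the original spelling. And a name that is not in the genogram ("Bob" in the test below) passes through untouched, since dictionary matching can only protect what it knows about. Replacing names also does not make text de-identified in the HIPAA sense: the Safe Harbor method in §164.514(b) lists names as one of 18 identifier types, so dates, ages over 89, and the conditions themselves remain in the transmitted text.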

User Responsibility: Anonymization replaces detected names; anything else you include in the text (ages, conditions, clinical observations) is sent as typed to external servers. You can always use Genosm without AI features for complete local-only operation.

Recommendations for HIPAA Compliance

✓ Use Device Encryption

Enable full-disk encryption on devices running Genosm (BitLocker on Windows, FileVault on macOS). Without it, the browser's IndexedDB store and any local backup files are readable by anyone who obtains the disk.

✓ Implement Access Controls

Require password/biometric authentication on devices. Use screen lock when stepping away.

✓ Secure Backups Properly

If using local folder backup, ensure the folder is encrypted and access-controlled. Also make sure it is not a location synced by a consumer cloud client (for example a Documents folder backed up by OneDrive or iCloud Drive), since that would copy PHI off the device and outside the local-only model described above.

✓ Train Your Workforce

Provide training on proper use of Genosm, data privacy, and your organization's HIPAA policies.

✓ Consult Your Compliance Officer

Work with your organization's Privacy Officer to review Genosm's use within your specific environment.

Questions or Concerns?

We take privacy seriously and are committed to transparency about our data practices.


Contact Our Privacy Team

hello@genosm.com

We typically respond within 1-2 business days. For BAA inquiries, please include your organization name.

Last updated: December 2025