Professional Security & Compliance

Patient data security is the top priority. Twin Tip Solutions maintains strong security practices and compliance measures for healthcare organizations.

Why HIPAA Alignment Matters

While our apps don't collect traditional patient identifiers like names or specific locations, HIPAA alignment is still critical for protecting patient privacy:

  • Biometric Data: Facial photos are considered biometric identifiers under HIPAA, requiring special protection even without names attached.
  • Clinic Association: Your custom-branded app inherently links patients to your specific clinic, creating an indirect identifier.
  • Anonymous Design: Every user account is created with anonymous identifiers, but the combination of photo data and clinic association still requires HIPAA-level protection.
  • Optional Patient Outreach: PDF reports submitted to clinics can include patient name and phone number when explicitly provided. This data is stored encrypted in our database, enabling follow-up care while maintaining consent-based data sharing.

This is why we've built our entire platform with HIPAA alignment from day one.

HIPAA-Aligned

HIPAA alignment is taken seriously. The platform is designed with healthcare privacy regulations in mind, implementing security measures that align with HIPAA standards.

  • Business Associate Agreement (BAA)

    Standard BAA included with all plans

  • Security Assessments

    Regular security reviews and assessments

  • Security Best Practices

    Following industry security standards and best practices

  • Transparent Communication

    Direct communication about any security matters

HIPAA-Aligned Approach

A practical approach to security that aligns with HIPAA principles:

  • Minimal Data Collection: Data is only processed when explicitly requested by users
  • Device-Based Storage: Patient data stays on their devices, not in the cloud
  • No Cloud Storage: For cloud processing there is NO storage - data exists only during AI processing then vanishes completely
  • Encryption First: All data is encrypted both at rest and in transit
  • Direct Support: Personal attention to any security concerns from the founder

Security Architecture

Security Architecture Diagram

Full SHA-256 Key derivation method intentionally omitted.

Multi-Layer Encryption

AES-256-GCM encryption at rest and in transit, plus TLS. Double encryption until Cloud Function decryption for AI processing.

Device-Based Storage

Patient data stays on the device. Photos and analysis results cannot be accessed by Twin Tip Solutions.

Biometric Authentication

Face ID required for app access, adding an extra layer of security.

Defense in Depth: Every Layer Matters

While the platform implements sophisticated HIPAA-aligned security measures, I believe in defense at every level. Research shows that over 90% of cyberattacks exploit basic vulnerabilities rather than advanced technical systems.

Founder's Security Practices

As the founder and sole developer, I personally use these security tools to ensure platform integrity:

Network Security

  • ProtonVPN: All development and administrative work conducted through encrypted VPN connections
  • Secure DNS: Protection against DNS hijacking and phishing attempts

Access Management

  • Password Manager: Unique, complex passwords for every service
  • 2FA Everything: Multi-factor authentication on all accounts

Browser Security

  • Mozilla Firefox: Privacy-focused browser with enhanced tracking protection
  • Regular Updates: All software kept current with security patches

Operational Security

  • Zero Trust: Verify everything, trust nothing
  • Phishing Awareness: Continuous vigilance against social engineering

Security is a mindset, not just technology. While our technical infrastructure provides robust protection, we maintain security hygiene at every level - from encrypted communications to comprehensive access management.

How Data Is Handled

Normal App Usage

All data is stored encrypted on your device. When you request an analysis, photos are sent to secure cloud infrastructure with double encryption for AI processing. There is NO storage during cloud processing - data exists only momentarily for analysis then vanishes.

  • All data stored encrypted on your device
  • No cloud storage - processing happens without any data persistence
  • Double encryption during transmission

When Patient Data IS Stored

Patient data is ONLY stored in our database with double encryption in these specific cases:

1. When Patients Send Analysis to Your Clinic

When patients choose to share results with your clinic, the data is stored with double encryption in our secure database.

  • Requires explicit user consent
  • Double encryption at rest
  • HIPAA-aligned secure storage

2. Hallucination Reporting

When users report AI errors, data is stored for compliance and improvement:

  • Google Play Store compliance
  • Legal safeguards and liability protection
  • Improving AI model accuracy

Twin Tip Solutions is HIPAA-aligned in security practices, focusing on protecting patient privacy through device-based storage and minimal data collection.

How Patient PHI is Handled

When Patients Keep Results Private

When patients choose not to send results to your clinic:

  • PHI stays strictly on patient's device
  • All data encrypted locally using AES-256
  • Face ID required for access
  • No external access possible
  • Complete privacy control

When Patients Send to Your Clinic

When patients choose to share results with your clinic:

  • PHI encrypted in our secure database
  • HIPAA-aligned cloud infrastructure
  • Signed BAA with Google Cloud
  • Access limited to your authorized staff
  • Full audit trail maintained

Patients always control when and how their health information is shared. The choice to send results to your clinic is always explicit and requires patient consent.

How Our Mobile Apps Protect Patient Data

Patient Data Stays on Their Device

  • On-Device Storage

    All patient photos and analysis results stay on their phones

  • Face ID Protection

    Only patients can access their app with biometric authentication

  • Local Encryption

    Patient data is encrypted on their device using military-grade encryption

  • Patients Control Their Data

    Patients can delete their data anytime - it can't be accessed externally

AI Processing Security

  • Temporary Processing Only

    Photos sent for AI analysis are deleted immediately after

  • Double Encryption

    Patient data is encrypted twice during transmission

  • Mostly Anonymous Processing

    AI analysis happens without names or locations, though facial photos are biometric identifiers

  • Secure Cloud Infrastructure with BAA

    Google Cloud's enterprise-grade security with signed Business Associate Agreement (BAA) for HIPAA alignment

Simple Privacy Promise

Patient health data belongs to them. It can't be seen, stored, or shared by Twin Tip Solutions. Everything stays encrypted on patient phones where only they can access it.

Medical Advice Disclaimer & Regulatory Status

Important Medical Disclaimer

  • Not Medical Advice: This app provides educational information only and does not provide medical diagnoses, treatment recommendations, or medical advice.
  • Not FDA Approved: This software has not been evaluated or approved by the FDA as a medical device.
  • Always Consult Professionals: Users should always consult with qualified healthcare providers for medical concerns.

Understanding Software as a Medical Device (SaMD)

Why General AI Tools (like ChatGPT) Are Not Medical Devices:

  • General purpose tools not specifically intended for medical use
  • No specific medical claims or diagnostic capabilities
  • Users apply them for various non-medical purposes

Why Specialized Health Apps Could Be Considered Medical Devices:

  • Specifically designed and marketed for health/medical purposes
  • Analyze medical images or patient-specific data
  • Could influence clinical decision-making if they provided diagnoses

How Our App Empowers Without Diagnosing

Instead of making medical recommendations, our app empowers users by:

  • Providing Educational Context: Helps users understand general information about skin conditions
  • Generating Informed Questions: Creates specific, detailed questions users can ask their healthcare providers
  • Documenting Changes: Helps track skin changes over time for discussion with providers
  • Facilitating Communication: Bridges the gap between appointments with organized information

By focusing on education and communication rather than diagnosis or treatment, we help users become more informed participants in their healthcare journey while maintaining clear boundaries about the app's role.

Trust Through Transparency

Trust is earned through transparency. All security practices are open for review, and questions are always welcome.

Have Questions?

Email us at reid@twintipsolutions.com for any security-related questions or concerns.