Legal
HIPAA Notice
Last updated: April 24, 2026
LittleClouds is a practice management platform used by licensed and certified lactation consultants to run their clinical practices. This page explains our posture toward the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), what we do to support the practices we serve, and where to go with questions.
If your lactation consultant (an “IBCLC” or similar Provider) uses LittleClouds to manage your care, your Provider is the one responsible for your health record under HIPAA. LittleClouds is the technology vendor. We handle your Provider's records on their behalf under a Business Associate Agreement and apply HIPAA-aligned security practices. For questions about your own health record, contact your Provider first.
Our role: Business Associate
Under HIPAA, a “Covered Entity” is a healthcare provider, health plan, or healthcare clearinghouse. Most lactation consultants who bill insurance, or who otherwise transmit health information electronically in connection with certain transactions, are Covered Entities. A “Business Associate” is a vendor that handles Protected Health Information (“PHI”) on behalf of a Covered Entity.
LittleClouds acts as a Business Associate to the Providers who use our platform. We offer a Business Associate Agreement (“BAA”) that takes effect automatically when a Provider creates an account, and we also make the full BAA text available for review. A signed BAA is how HIPAA expects Covered Entities and their vendors to agree on how PHI will be handled.
What we do to support HIPAA compliance
Compliance is a shared responsibility. These are the practices LittleClouds brings to the partnership:
- Access isolation. Row-level security in our database enforces that each Provider only sees their own practice's records, and each family only sees their own records.
- Encryption in transit. All connections to the Services use TLS.
- Encryption at rest. Production databases and file storage are encrypted at rest through our infrastructure providers.
- Audit logging. Access to records is recorded in an immutable audit log available on request through your account team.
- HIPAA-eligible infrastructure. Our hosting, database, authentication, and payment subprocessors are contracted under BAAs where they handle PHI. See the subprocessor list.
- Least-privilege workforce access. LittleClouds staff access PHI only when strictly necessary to operate, troubleshoot, or secure the Services, and only the minimum needed for the task. Access is revoked promptly at offboarding.
- No secondary use of PHI. We do not sell PHI. We do not use PHI for advertising. We do not use PHI to train generalized machine-learning or artificial-intelligence models.
- Breach notification. If a breach of Unsecured PHI occurs, we will notify affected Providers without unreasonable delay and within the timeframes required by HIPAA and our BAA, cooperating with their downstream notification obligations to Individuals and the Secretary.
What we do not claim
HIPAA has no official certification body, and any vendor claiming to be “HIPAA certified” is overstating. LittleClouds is an early-stage product; we do not hold SOC 2, HITRUST, or ISO 27001 certifications in our own name, and we do not claim to. What we offer is: a signed BAA, reasonable administrative, physical, and technical safeguards aligned with the HIPAA Security Rule, and an honest roadmap for the controls we are still maturing.
If a formal third-party certification is a hard requirement for your practice, please reach out before signing up so we can be upfront about where we are.
Your rights under HIPAA
HIPAA gives patients specific rights with respect to their health information. These rights are held against the Provider (“Covered Entity”) who treats you:
- Access. The right to see and receive a copy of your health record, in most cases within 30 days.
- Amendment. The right to ask your Provider to correct information you believe is incorrect or incomplete.
- Accounting of disclosures. The right to request a list of certain disclosures of your PHI.
- Restriction. The right to request limits on the information used or shared to carry out treatment, payment, or health care operations.
- Confidential communications. The right to request that the Provider contact you by specific means or at a specific location.
- Notice of Privacy Practices. The right to receive a copy of your Provider's Notice of Privacy Practices, which describes how they use and share your information.
- Complaints. The right to complain to your Provider and to the U.S. Department of Health and Human Services Office for Civil Rights without retaliation.
To exercise these rights, please contact the Provider who treated you. LittleClouds, as the Business Associate, will support the Provider in responding. We cannot modify or release your record without your Provider's direction.
For families and patients
If you are using LittleClouds because your lactation consultant invited you to a client portal, please reach out to your Provider for:
- Access to, or a copy of, your health record;
- Corrections to your record;
- Questions about how your information is used or shared;
- Your Provider's Notice of Privacy Practices.
If you cannot reach your Provider, or you have a concern about LittleClouds specifically (for example, a suspected security issue), contact us at privacy@littleclouds.app. For concerns about a Provider's HIPAA compliance generally, you may also contact the Office for Civil Rights at hhs.gov/ocr/complaints.
For Providers
If you are a Provider evaluating LittleClouds, or an existing customer who needs compliance documentation, we can make the following available on request:
- Executed Business Associate Agreement.
- Subprocessor list and their compliance documentation.
- Summary of administrative, physical, and technical safeguards.
- Support for patient access, amendment, and accounting-of-disclosure requests originated by your practice.
Email legal@littleclouds.app to request any of the above.
Security concerns
To report a suspected security vulnerability or incident, please email security@littleclouds.app. We appreciate responsible disclosure and will work with you to understand and address the issue promptly.
Contact
[LEGAL ENTITY NAME]
Attn: Privacy Officer
[BUSINESS ADDRESS]
Email: privacy@littleclouds.app