DosiPro

HIPAA Compliance

Effective Date: March 26, 2026
Last Updated: March 26, 2026

1. Introduction & Purpose

DosiPro ("Company," "we," "us," or "our") is deeply committed to maintaining the privacy and security of health information. While DosiPro is primarily an educational and training platform designed for medical dosimetry and radiation oncology professionals, we understand the critical importance of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

This policy outlines our standards, your responsibilities as a user, and our technical safeguards regarding the handling of Protected Health Information (PHI).

2. Educational Platform Nature & Anonymization

Strict Anonymization Requirement

DosiPro is a simulation and training environment. Users are strictly prohibited from uploading, entering, or transferring any identifiable Protected Health Information (PHI) into the DosiPro platform.

  • All DICOM datasets, CT scans, and structural data used within the platform (such as Anatomy IQ, Contour IQ, and PlanGamma IQ) are strictly pre-anonymized mock data or public-domain clinical trial data (e.g., from TCIA).
  • If a user wishes to use custom scans for institutional training, the user assumes full responsibility for utilizing robust DICOM anonymization tools to strip all 18 HIPAA identifiers prior to upload.
  • Any accidental upload of PHI will result in the immediate deletion of the violating dataset and potential suspension of the user's account.

3. Business Associate Agreements (BAA)

Because DosiPro operates on anonymized case studies for training purposes rather than live clinical care, we generally do not act as a Business Associate and do not process PHI on your behalf.

However, for Enterprise and Institutional partners integrating DosiPro deeply into their residency programs or utilizing dedicated enterprise instances, DosiPro can enter into a Business Associate Agreement (BAA). Such agreements mandate strict, encrypted siloing of institutional educational data. To inquire about a BAA, please contact our privacy compliance team.

4. Technical Safeguards & Security

Even in the absence of PHI, DosiPro employs enterprise-grade infrastructure to protect our users' training data, scores, and transcripts:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using modern TLS (Transport Layer Security).
  • Encryption at Rest: All databases, saved lesson states, and user profile data are encrypted at rest using AES-256 encryption.
  • Access Controls: Strict Role-Based Access Control (RBAC) ensures users, students, mentors, and administrators only have access to the data appropriate for their role.
  • Audit Logging: Administrative actions, course completions, and dataset interactions are securely logged for compliance verification.

5. Incident Response & Breach Notification

In the event of a security incident that compromises our systems, our incident response team will take immediate action to mitigate the risk. While DosiPro does not store PHI, if we reasonably suspect that an institutional user has inadvertently uploaded PHI and that data was leaked, we will comply with all breach notification requirements as stipulated by the HITECH Act, notifying the affected institution without unreasonable delay.

6. Contact Our Privacy Officer

To ask questions about these HIPAA policies, report an accidental PHI upload, or request a Business Associate Agreement, please contact us at:

DosiPro Privacy & Compliance
Email: privacy@dosipro.com
Website: www.dosipro.com