HIPAA Compliance
GlucoWorks LLC is committed to maintaining the highest standards of regulatory compliance and data protection across all of our products and services.
GlucoWorks operates as a Business Associate under HIPAA when processing Protected Health Information (PHI) on behalf of covered entities (healthcare providers). We maintain Business Associate Agreements (BAAs) with all covered entity partners and with our infrastructure subprocessors, including Google Cloud Platform.
Regulatory Status
DoseAdvisor has not been cleared or approved by the U.S. Food and Drug Administration (FDA) as a medical device. GlucoWorks is currently pursuing designation under the FDA's Clinical Decision Support (CDS) software guidance, which implements Section 3060 of the 21st Century Cures Act (section 520(o)(1)(E) of the FD&C Act). Under that provision, software functions that meet all of the statutory criteria are excluded from the definition of a medical device and are therefore not subject to device regulation.
Until CDS designation or applicable regulatory clearance is obtained, DoseAdvisor is available only for use within the scope of authorized clinical investigations. DoseAdvisor should not be used as the sole basis for clinical decision-making outside of an approved trial protocol. Healthcare providers participating in authorized trials retain full clinical responsibility for all treatment decisions.
For questions about our regulatory pathway or clinical trial participation, contact legal@gluco-works.com.
Consumer Health Data Laws
GlucoWorks complies with state consumer health data privacy laws, including the Washington My Health My Data Act (MHMDA) and the Nevada Consumer Health Data Privacy Law. Our Consumer Health Data Privacy Policy details our obligations and your rights under these laws.
Infrastructure Security
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Google Cloud Platform infrastructure with BAA coverage
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
Business Associate Agreement
GlucoWorks maintains Business Associate Agreements (BAAs) with all covered entity partners. Our BAAs contain the provisions required of business associate contracts under HIPAA (45 CFR 164.504(e) and 164.314(a)) and detail our obligations regarding the permitted uses and disclosures of Protected Health Information (PHI), the safeguards we apply to it, and the reporting of security incidents and breaches to the covered entity.
Security Safeguards
Technical Safeguards
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls
- Audit logging
- Vulnerability scanning
Administrative Safeguards
- Workforce training
- Security policies
- Incident response procedures
Physical Safeguards
- Google Cloud Platform data centers, covered by Google's SOC 2 attestation reports (SOC 2 is an independent auditor's attestation, not a certification)
Breach Notification Procedures
In the event of a breach of unsecured PHI, GlucoWorks will notify the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery, as required of business associates by 45 CFR 164.410. Under that rule a breach is treated as discovered on the first day it is known to GlucoWorks, or would have been known by exercising reasonable diligence, so the 60-day clock does not wait for an internal investigation to conclude. Where a BAA specifies a shorter reporting period, the shorter period applies. We will cooperate with covered entities in their notification obligations to affected individuals and the HHS Secretary.
Workforce Training
All GlucoWorks employees and contractors with access to PHI complete HIPAA privacy and security training upon hire and annually thereafter.
Contact
For compliance inquiries, contact us at legal@gluco-works.com.