DATA PROTECTION ADDENDUM (ZERO-PHI)
Version 2.3.0 | Last Updated: June 23, 2026
This Data Protection Addendum ("DPA") is entered into between the Customer organization ("Customer") and Hospital Focus LLC ("Service Provider") and supplements the Terms of Service.
1. PURPOSE
This DPA establishes the parties' obligations regarding the protection of Customer data processed through the Hospital Focus CK platform. This DPA exists to memorialize both parties' commitment to data protection while acknowledging the platform's Zero-PHI architecture.
2. HIPAA BUSINESS ASSOCIATE STATUS — EXCLUSION
This DPA is expressly NOT a Business Associate Agreement ("BAA") as contemplated by 45 CFR 164.502(e) and 164.504(e). Service Provider does not meet the definition of a "Business Associate" at 45 CFR 160.103 because:
a) No Protected Health Information ("PHI") as defined under 45 CFR 160.103 is created, received, maintained, or transmitted by the Platform;
b) The Platform does not integrate with any Electronic Health Record (EHR), Health Information Exchange (HIE), Admissions/Discharge/Transfer (ADT), or clinical information system;
c) The Platform does not store, process, or access any of the 18 Safe Harbor identifiers listed at 45 CFR 164.514(b)(2) in relation to any patient; the user contact information described in Section 4(a) identifies Customer's workforce users, not patients, and is not health information;
d) The Platform operates exclusively with aggregate financial and operational data that is not individually identifiable.
3. ZERO-PHI ARCHITECTURE DECLARATION
Service Provider declares that the Hospital Focus CK platform:
a) Does NOT require, request, or accept Protected Health Information;
b) Is not designed to, and instructs users not to, submit patient names, medical record numbers, dates of service, diagnosis codes (ICD-10), procedure codes (CPT/HCPCS), or insurance identifiers; where such data is inadvertently entered in free-text fields, the incidental-PHI protocol in Section 6 applies;
c) Accepts ONLY: organization identifiers, user contact information, aggregate financial data (e.g., "Annual spend on gloves: $800,000"), vendor pricing, and contract terms;
d) Generates document exports (PDFs, strategy briefs) client-side in the user's browser, so that finished document files are not transmitted to or stored on Service Provider's servers in the ordinary course; the structured inputs from which such documents are generated remain Customer data governed by Section 4(a);
e) Masks all user interface text and input content in product analytics (PostHog), so that on-screen text and typed values are not sent to the analytics service and cannot be inadvertently captured.
4. OBLIGATIONS OF SERVICE PROVIDER
a) Data Scope. Service Provider shall process only the following categories of Customer data: organization name and profile, user contact information (name, email, title), aggregate financial data, vendor names and pricing, contract terms, project notes and decisions.
b) Security Safeguards. Service Provider shall implement and maintain administrative, physical, and technical safeguards including: encryption at rest (AES-256), encryption in transit (TLS 1.3), row-level security (tenant data isolation), role-based access controls, and regular security assessments.
c) Purpose Limitation. Service Provider shall not use or disclose Customer data for any purpose other than performing services under the Terms of Service.
d) Incident Notification. Service Provider shall notify Customer via email within 72 hours of confirming any security incident involving unauthorized access to Customer data.
e) Data Processing Records. Service Provider maintains records of data processing activities as required by applicable law.
5. OBLIGATIONS OF CUSTOMER
a) No PHI Input. Customer shall not input, upload, paste, or transmit any Protected Health Information into the Platform, including in free-text fields, project notes, or file uploads.
b) Inadvertent PHI Notification. If Customer becomes aware that PHI has been inadvertently entered into the Platform, Customer shall notify Service Provider immediately at security@hospitalfocus.net.
c) Compliance Responsibility. Customer is solely responsible for ensuring compliance with its own HIPAA policies, state privacy laws, and internal governance regarding data entered into third-party systems.
6. INCIDENTAL PHI DISCOVERY PROTOCOL
If Service Provider discovers data within the Platform that appears to constitute PHI:
a) Service Provider will immediately quarantine the affected data (restrict access);
b) Service Provider will notify Customer within 24 hours via the email address on file;
c) Service Provider will permanently delete the data within 48 hours of the notice described in subsection (b);
d) Service Provider will provide Customer with written confirmation of deletion;
e) Because Service Provider is not a Business Associate and does not maintain Protected Health Information under the architecture described in Sections 2 and 3, the parties do not anticipate that this protocol will trigger Service Provider obligations under the HIPAA Breach Notification Rule (45 CFR 164.400-414). Nothing in this Section relieves Customer of any breach analysis or notification obligation it may have as a Covered Entity under applicable law, and the parties will cooperate in good faith on any required assessment. This Section does not waive either party's rights or obligations under applicable law.
7. SUBPROCESSORS
Service Provider utilizes the following subprocessors:
- Supabase Inc. (database hosting, authentication) — holds a SOC 2 Type II attestation report
- Vercel Inc. (application hosting, CDN) — holds a SOC 2 Type II attestation report
- Resend Inc. (transactional email) — processes email addresses and notification content only
- PostHog Inc. (product analytics) — receives anonymized, masked usage data only
- Stripe Inc. (payment processing) — processes billing information; Service Provider never stores payment card data
- OpenRouter Inc. (AI-assisted content tailoring; relays requests to the selected underlying model provider) — processes masked tenant profile metadata; operates under zero-retention / no-logging configuration
Service Provider will provide 30 days' written notice before adding a new subprocessor. Customer may object to a new subprocessor, and if the objection cannot be resolved, Customer may terminate the agreement.
8. DATA RETENTION & DELETION
a) Active Accounts. Customer data is retained for the duration of the subscription.
b) Termination. Upon termination, Service Provider will delete all Customer data from production systems within 30 days.
c) Backups. Backup copies are purged within 90 days of account termination.
d) Confirmation. Service Provider will provide written confirmation of data deletion upon Customer request.
9. TERM
This DPA is coterminous with the Terms of Service. It automatically terminates when the service agreement ends.
10. LIMITATION
This DPA does not create a HIPAA Business Associate relationship. It exists solely to document data protection commitments appropriate to the nature of data processed. Nothing in this DPA shall be construed to impose HIPAA-level obligations on either party with respect to the Platform.
This document is accepted digitally during onboarding; a SHA-256 hash of the accepted document text is recorded with the acceptance so that the version accepted can be verified. Questions? Contact security@hospitalfocus.net.