Published for transparency while formal governance documents are prepared with counsel. There is no binding effective date until this banner is removed.
shteg.ai is a registered HIPAA clearinghouse operating under a Type-2 organizational NPI, which makes it a covered entity. This Notice of Privacy Practices is therefore framed to HIPAA obligations for protected health information (PHI), not to a general consumer-SaaS posture. As stated throughout this site, no real PHI has yet flowed through the system. This draft describes how PHI would be used and disclosed once live operation begins under executed Business Associate Agreements. It is scaffolding published for transparency and is not a binding notice — there is no effective date until the draft banner is removed and counsel has reviewed it.
As a clearinghouse, our core function is to receive, translate, validate, and route healthcare transactions — eligibility, claims, remittance, and status — on behalf of covered-entity customers under a Business Associate Agreement. In production, PHI would be processed only to perform those clearinghouse and settlement functions and the treatment, payment, and healthcare-operations activities they support. We do not sell PHI and do not use PHI for advertising. The system is built to the minimum-necessary principle, isolates PHI per tenant, records access in a hash-chained WORM audit ledger, and fails closed: any integration that would touch PHI without a BAA in place returns a typed refusal and makes no network call. Specific categories of use and disclosure will be enumerated in the binding version.
The finalized notice will describe the individual rights HIPAA guarantees: the right to inspect and obtain a copy of PHI held about you, to request an amendment, to receive an accounting of certain disclosures, to request restrictions on use and disclosure, to request confidential communications, to receive a paper or electronic copy of this notice, and to be notified following a breach of unsecured PHI. Because shteg.ai typically acts as a clearinghouse/business associate rather than the treating provider, many requests are directed to and coordinated with the covered-entity customer that holds the treatment relationship. The binding version will state exactly how each right is exercised and the timelines that apply.
In the event of a breach of unsecured PHI, the finalized notice will commit to the HIPAA Breach Notification Rule: notification of affected individuals and, as applicable, the covered entity, HHS, and the media, within the required timeframes. The hash-chained, append-only audit ledger is designed so that access and movement of PHI are tamper-evident, which supports detection and the accounting required after an incident. No breach has occurred because no real PHI has yet flowed; this section states intent, not history.
Because this is a draft, a direct answer is the most reliable one. For questions about PHI handling, this notice, or to raise a privacy concern, email us and a human will respond. When a finalized notice is published it will name a Privacy Officer and contact point. You have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, and we will not retaliate for the filing of a complaint.
Questions about this Notice of Privacy Practices, how PHI would be handled, or a privacy concern — send a note and a person will respond. No form that posts into a void.