SmartAlex HIPAA and Protected Health Information Notice
1. Purpose and scope
This HIPAA and Protected Health Information Notice (the "Notice") is issued by THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", "our"), which operates the SmartAlex platform, websites, applications, and APIs (the "Services").
This Notice explains how SmartAlex approaches Protected Health Information under the US Health Insurance Portability and Accountability Act, states our current position honestly, and describes the direction we intend to take. It applies to all customers and users of the Services who are, or may become, subject to HIPAA.
It should be read together with our Trust and Security Overview, our Data Processing Addendum, our Acceptable Use Policy, and our Data Retention and Deletion Policy.
2. Definitions
- HIPAA means the US Health Insurance Portability and Accountability Act of 1996 and the regulations issued under it, including the Privacy, Security, and Breach Notification Rules, each as amended from time to time.
- PHI means Protected Health Information as defined by HIPAA.
- Covered Entity and Business Associate each have the meanings given to them by HIPAA.
- BAA means a Business Associate Agreement as contemplated by HIPAA.
3. Current position
SmartAlex wants to be clear and honest about where the Services stand today:
- SmartAlex does not currently hold a HIPAA attestation, and the Services are not currently offered as HIPAA-eligible.
- SmartAlex does not currently offer a signed BAA.
- Customers must not use the Services to create, receive, maintain, or transmit PHI unless and until they have entered into a BAA with SmartAlex.
- Until a BAA is in place, the Services are not to be used with PHI in any form.
Nothing in this Notice should be read as a statement that any Service is presently HIPAA-compliant or HIPAA-eligible.
4. No PHI without a BAA
The rule is straightforward. If a customer is a Covered Entity or a Business Associate under HIPAA, it must not disclose PHI to SmartAlex, or configure the Services to process PHI, without first executing a BAA with SmartAlex.
If PHI is inadvertently disclosed to SmartAlex before a BAA is in place, the parties will work together in good faith to return or securely destroy that information, and the customer will promptly cease sending any further PHI until a BAA is executed. Use of the Services with PHI absent a BAA is a prohibited use under our Acceptable Use Policy.
5. Our direction
SmartAlex intends to make certain Services HIPAA-eligible and to offer a BAA to customers who require one. This intention is supported by the security controls described in our Trust and Security Overview and by putting appropriate agreements in place with the subprocessors set out in our Subprocessor List.
This is a program that is in progress. It requires the underlying technical and organisational controls to be implemented and independently validated, and it requires legal sign-off before any BAA can be offered. We are working toward it deliberately rather than claiming it prematurely.
- Where and when specific Services become HIPAA-eligible, and a BAA is available, this Notice and the relevant order documentation will say so expressly.
- Until then, no Service should be treated as HIPAA-eligible, regardless of any general description of our security posture.
- Nothing in this Notice is a representation, warranty, or commitment that any Service is currently HIPAA-eligible or that a BAA is currently available.
6. Customer responsibility
Each customer remains responsible for its own compliance with HIPAA. In particular, the customer is responsible for:
- determining whether its use of the Services involves PHI;
- configuring and using the Services appropriately for its own regulatory obligations;
- not creating, receiving, maintaining, or transmitting PHI through the Services in the absence of a signed BAA; and
- ensuring that its own personnel and downstream users comply with these requirements.
7. Supporting safeguards
SmartAlex maintains security safeguards as described in our Trust and Security Overview, and applies the retention and deletion approach described in our Data Retention and Deletion Policy. The third parties that support the Services are identified in our Subprocessor List.
These safeguards form part of the foundation on which HIPAA eligibility can be built, but they are described here for transparency only. Their existence does not, on its own, make any Service HIPAA-eligible, and they should not be relied upon as evidence of present HIPAA compliance.
8. Relationship to other documents
This Notice supplements, and does not replace, the other terms that govern the Services, including our Data Processing Addendum and our Acceptable Use Policy. If and when a BAA is executed between a customer and SmartAlex, the terms of that BAA will govern the handling of PHI and will take precedence over this Notice to the extent of any conflict in respect of PHI. In all other respects, if there is a conflict, the customer's master agreement with SmartAlex controls.
9. Updates and contact
We may update this Notice from time to time, including as specific Services become HIPAA-eligible and a BAA is made available. Material changes will be reflected in the version and effective date below.
Questions about this Notice, or about the availability of a BAA, can be sent to legal@getsmartalex.com. Security matters, including any suspected inadvertent disclosure of PHI, should be reported to security@getsmartalex.com.
This Notice is issued by THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, and is governed by the laws of the Republic of Singapore.
10. Version and effective date
This HIPAA and Protected Health Information Notice is version 1.0 and is effective from 8 July 2026.