Effective Date: December 26, 2025
This HIPAA Privacy Notice supplements the JLK, Inc. Privacy Policy and applies solely to the Protected Health Information (PHI) we create, receive, maintain, or transmit on behalf of healthcare providers ("Covered Entities") in connection with our AI-based medical image analysis services.
1. Our Role: Business Associate
Under the Health Insurance Portability and Accountability Act (HIPAA), JLK, Inc. acts as a "Business Associate." This means we process PHI exclusively at the direction of our clients (hospitals and clinics), who are the "Covered Entities." Our use and disclosure of PHI are governed by the Business Associate Agreement (BAA) entered into with each client, not by our standard Privacy Policy.
2. PHI We Process
In the course of providing our services, we process the following types of PHI:
- Medical Imaging Data: Diagnostic images (e.g., CT, MRI, X-ray) in DICOM format.
- Clinical Metadata: Patient ID, age, gender, and study descriptions necessary for accurate AI analysis.
We do not collect PHI directly from patients. All PHI is securely transmitted to us by the Covered Entity.
3. Permitted Uses and Disclosures
We use PHI strictly as permitted by HIPAA and our BAA:
- Service Provision: To analyze medical images and return diagnostic support results to the healthcare provider.
- Operations: For internal system maintenance, security management, and quality assurance.
- De-identification: Where our BAA permits it, we may de-identify PHI in accordance with 45 C.F.R. § 164.514(b), either by expert determination (§ 164.514(b)(1)) or by the Safe Harbor method of removing the eighteen listed identifiers (§ 164.514(b)(2)). Once data has been de-identified under one of these methods, it is no longer considered PHI and may be used for AI algorithm training and product improvement.
We do not sell PHI and do not disclose PHI to third parties for their own marketing purposes.
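As an illustration of the Safe Harbor method referenced above, the following Python example is added here by the editor; it is not JLK's de-identification pipeline, and the sample headers are constructed, not real patient data. It operates on a plain dictionary of DICOM tag keywords covering the metadata this notice lists (patient ID, age, gender, study description), removes direct identifiers and unique numbers, reduces dates to the year, collapses ages over 89 into a single "90 or older" category (written as `090Y`, a convention assumed here), derives the age from the dates when no age tag is present, and replaces DICOM UIDs with fresh random UIDs that are not derived from the originals. The tag list is illustrative, not a complete DICOM PS3.15 confidentiality profile.

```python
import re
import uuid
from datetime import date
from typing import Dict, List, Optional

# Direct identifiers and unique identifying numbers that Safe Harbor requires removing.
# Assumption: an illustrative subset, not a complete DICOM PS3.15 confidentiality profile.
DROP_KEYWORDS = {
    "PatientName", "PatientID", "OtherPatientIDs", "PatientAddress",
    "PatientTelephoneNumbers", "AccessionNumber", "ReferringPhysicianName",
    "InstitutionName", "StationName", "DeviceSerialNumber",
}
_AGE_RE = re.compile(r"^(\d{3})([DWMY])$")  # DICOM Age String (AS) VR, e.g. "034Y"
_DATE_RE = re.compile(r"^\d{8}$")            # DICOM Date (DA) VR, "YYYYMMDD"
OVER_89_BUCKET = "090Y"  # convention assumed here for the single "90 or older" category


def age_in_years(age: Optional[str]) -> Optional[int]:
    """Parse a DICOM AS value into whole years; None if missing or malformed."""
    m = _AGE_RE.match(age or "")
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return {"D": n // 365, "W": n // 52, "M": n // 12, "Y": n}[unit]


def _parse_da(value: Optional[str]) -> Optional[date]:
    if not _DATE_RE.match(value or ""):
        return None
    try:
        return date(int(value[:4]), int(value[4:6]), int(value[6:8]))
    except ValueError:  # e.g. "19900230": well-formed but not a real date
        return None


def age_from_dates(birth: Optional[str], study: Optional[str]) -> Optional[int]:
    """Age at study date in whole years, used when PatientAge is absent or malformed."""
    b, s = _parse_da(birth), _parse_da(study)
    if b is None or s is None:
        return None
    return s.year - b.year - ((s.month, s.day) < (b.month, b.day))


def deidentify(ds: Dict[str, str], uid_map: Dict[str, str]) -> Dict[str, str]:
    """Return a Safe Harbor de-identified copy of one header (keyword -> value).

    uid_map keeps UID replacement consistent across instances of one study so the
    series still hangs together; the new UIDs are random, not derived from the
    originals, so they cannot serve as a re-identification code.
    """
    years = age_in_years(ds.get("PatientAge"))
    if years is None:
        years = age_from_dates(ds.get("PatientBirthDate"), ds.get("StudyDate"))
    over_89 = years is not None and years >= 90

    out: Dict[str, str] = {}
    for kw, val in ds.items():
        if kw in DROP_KEYWORDS or kw.endswith("Time"):
            continue                                   # identifier or time of day: drop
        if kw.endswith("UID"):
            out[kw] = uid_map.setdefault(val, "2.25." + str(uuid.uuid4().int))
        elif kw.endswith("Date"):
            if kw == "PatientBirthDate" and over_89:
                continue                               # even the year would reveal age > 89
            if _parse_da(val) is not None:
                out[kw] = val[:4]                      # keep the year only; malformed dates are dropped
        elif kw == "PatientAge":
            if age_in_years(val) is not None:          # malformed age values are dropped
                out[kw] = OVER_89_BUCKET if over_89 else val
        else:
            out[kw] = val                              # e.g. PatientSex, Modality, StudyDescription
    if over_89 and "PatientAge" not in out:
        out["PatientAge"] = OVER_89_BUCKET             # age came from the dates; keep only the bucket
    return out


def deidentify_series(series: List[Dict[str, str]]) -> List[Dict[str, str]]:
    uid_map: Dict[str, str] = {}
    return [deidentify(ds, uid_map) for ds in series]


def _hdr(name: str, mrn: str, study: str, sop: str, **extra: str) -> Dict[str, str]:
    base = {"PatientName": name, "PatientID": mrn, "StudyDate": "20240611", "StudyTime": "093012",
            "Modality": "CT", "StudyDescription": "CT CHEST W CONTRAST",
            "StudyInstanceUID": study, "SOPInstanceUID": sop}
    base.update(extra)
    return base


# Constructed sample headers (not real patient data): two slices of one study, a patient
# aged over 89, and a header with no PatientAge so the age must come from the dates.
SAMPLE_SERIES = [
    _hdr("DOE^JANE", "MRN-0042", "1.2.3.1", "1.2.3.1.1", PatientSex="F", PatientAge="034Y", PatientBirthDate="19900215"),
    _hdr("DOE^JANE", "MRN-0042", "1.2.3.1", "1.2.3.1.2", PatientSex="F", PatientAge="034Y", PatientBirthDate="19900215"),
    _hdr("ROE^RICHARD", "MRN-0043", "1.2.3.2", "1.2.3.2.1", PatientSex="M", PatientAge="091Y", PatientBirthDate="19330101"),
    _hdr("POE^PAT", "MRN-0044", "1.2.3.3", "1.2.3.3.1", PatientSex="F", PatientBirthDate="19300101"),
]

if __name__ == "__main__":
    for header in deidentify_series(SAMPLE_SERIES):
        print(header)
```

Free-text fields such as StudyDescription are passed through because Safe Harbor does not list them, but burned-in pixel annotations and free text can still carry names or dates; a production pipeline must scan them and the pixel data as well, and the § 164.514(b)(2)(ii) condition (no actual knowledge that the remaining data could identify the individual) still has to hold.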
4. HIPAA Security Measures
We implement administrative, physical, and technical safeguards under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) to protect PHI, including:
- Encryption: PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Control: Access to PHI is restricted to authorized workforce members, limited to the minimum necessary for their role, and requires Multi-Factor Authentication (MFA).
- Audit Trails: We maintain comprehensive logs of all system access and data processing activities.
5. Patient Rights
As a Business Associate, JLK does not have a direct relationship with patients. If you are a patient and wish to exercise your rights under HIPAA (such as accessing your medical records or requesting amendments), please contact your healthcare provider (the hospital or clinic) directly. We will cooperate with your provider to fulfill such requests as required by our agreement.
6. Data Breach Notification
In the event of a breach of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction as specified in HHS guidance), we will notify the affected Covered Entity without unreasonable delay and in accordance with the timelines specified in our BAA and applicable law, and in no case later than 60 calendar days after discovery of the breach (45 C.F.R. § 164.410). The Covered Entity is responsible for notifying affected individuals, the Secretary of HHS, and, where applicable, the media.