HIPAA Notice
Notice of Privacy Practices
Effective Date: January 1, 2026 · Required by 45 CFR Parts 160 and 164
Key Fact: HC.exchange does not store or process Protected Health Information (PHI). Health activity records that generate HealthCoin (HC) are maintained exclusively in the Guardian Orb™ HIPAA-covered system. This notice explains how PHI is protected across the CHC ecosystem and your rights under HIPAA.
This Notice is provided pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, as implemented at 45 CFR Parts 160 and 164. Conceptual Healthcare Corporation (CHC) acts as both a Covered Entity (through its Guardian Orb™ health platform) and, where applicable, a Business Associate in connection with HC.exchange.
HC.exchange does not receive, transmit, store, or process PHI. The architecture is intentionally designed to create a strict separation:
- Health activity data (steps, clinical visits, lab results, wellness metrics) is recorded and processed exclusively within the Guardian Orb™ HIPAA-covered health platform.
- Only the resulting HC token balance (a numeric value with no clinical meaning) is transmitted to HC.exchange via a secure API call.
- No diagnoses, medication records, lab results, clinical notes, or biometric health identifiers are ever transmitted to or stored on the exchange platform.
- Your HC.exchange trading account is logically and technically separate from your Guardian Orb™ health record.
HC.exchange operates under a Business Associate Agreement (BAA) with Conceptual Healthcare Corporation as the Covered Entity, as required under 45 CFR § 164.308(b). Any third-party service providers who may incidentally process CHC data also operate under BAAs. CHC maintains a current inventory of all Business Associate relationships.
CHC implements the following safeguards across the exchange and Guardian Orb™ ecosystem, in compliance with the HIPAA Security Rule (45 CFR § 164.312):
- Encryption: AES-256-GCM encryption for all data at rest; TLS 1.3 for all data in transit.
- Access Controls: Role-based access control (RBAC) with minimum necessary access principles; multi-factor authentication (MFA) required for all administrative access.
- Audit Logging: HMAC-SHA256 chain-signed audit logs capturing all access to health-adjacent systems, with tamper-evident integrity verification.
- Automatic Session Timeout: 5-minute session timeout with re-authentication required for sensitive operations.
- Workforce Training: Annual HIPAA training required for all CHC personnel with access to health systems.
- Physical Safeguards: Cloud infrastructure hosted in HIPAA-eligible environments with physical security controls and business continuity provisions.
In the event of a breach involving PHI, CHC will comply with HITECH breach notification requirements (45 CFR §§ 164.400–414):
- Affected individuals will be notified by first-class mail (or by email, if they have consented) within 60 days of discovery of a breach.
- HHS (Department of Health and Human Services) will be notified within 60 days. Breaches affecting 500 or more individuals will be reported to HHS immediately and to prominent media outlets in affected states.
- Notification will include: nature of the breach, types of information involved, steps taken to mitigate harm, and contact information for questions.
With respect to health records maintained in the Guardian Orb™ system (which are separate from your exchange account), you have the following rights under HIPAA:
- Right to Access: Obtain a copy of your health records within 30 days of request.
- Right to Amend: Request amendment of inaccurate or incomplete records.
- Right to Accounting of Disclosures: Obtain a record of certain disclosures of your PHI.
- Right to Restrict Disclosures: Request restrictions on certain uses and disclosures of your PHI.
- Right to File a Complaint: File a complaint with CHC's Privacy Officer or directly with HHS at hhs.gov/hipaa/filing-a-complaint if you believe your rights have been violated. CHC will not retaliate against you for filing a complaint.
CHC reserves the right to change this Notice at any time. The revised Notice will be posted on HC.exchange with the updated effective date and will apply to PHI we maintain going forward. We will notify affected individuals of material changes by email.
Conceptual Healthcare Corporation · Destin, Florida
hipaa@conceptualhealth.com | (850) 963-0002