01 What we don't ask for, store, or process
The single most reliable HIPAA strategy is simply not handling PHI. Our product design enforces this:
- No patient identifiers — names, MRNs, dates of birth, addresses, phone numbers, email addresses of patients
- No clinical notes, lab values, imaging, or treatment records
- No insurance claims, billing data, or payer information
- No information about individual patient encounters, including de-identified case discussions that could realistically be re-identified
- No imports from EHR systems (Epic, Cerner, etc.)
The Terms of Service §2 prohibits posting PHI through the platform. Mentorship conversations are between healthcare professionals about their own careers, not their patients.
02 What we do collect
Our data minimization approach: collect only what's needed to make a good match and run the service. See our Privacy Policy for the full inventory. The high-level categories:
- Account & identity: name, email, role (mentor/mentee), career stage, specialty
- Professional profile: credentials, institution, training history, areas of mentorship interest, optional CV upload (your professional document, not patient data)
- Optional identity opt-ins: IMG status, first-generation, URM, language fluency — used for matching only when you explicitly enable them, governed by a per-user visibility setting
- Platform-generated: mentor-mentee match scores, message history between users, session counts
03 Acceptable use — for users
✓ Yes, this is fine
- "I'm working on a research project on hip-fracture outcomes."
- "I had a tough M&M last week — how do you handle bad outcomes emotionally?"
- "What did you do for your sub-I rotation in cardiology?"
- "My program director said X — is that a red flag?"
✗ Don't put this on the platform
- Patient names, MRNs, DOBs, or any other identifiers
- Specific case details that could re-identify a real patient
- Photos containing patient information (badges, charts, screens)
- Lab values, imaging, or notes copied from an EHR
If you're uncertain whether a clinical question crosses the line, abstract it. "I had a young patient with severe complications" is fine; "32-year-old [name] at [hospital] with..." is not.
04 Security posture
Even though we don't store PHI, healthcare professionals trust us with sensitive career and identity data. Our security controls reflect that:
- Encryption: TLS 1.2+ in transit; AES-256 at rest (Supabase + Netlify infrastructure)
- Authentication: Supabase auth with email confirmation; password hashing (bcrypt); session tokens stored in HttpOnly cookies
- Authorization: Row-Level Security (RLS) policies on every database table — users can only read/modify their own records, with explicit policies for matching and messaging visibility
- Identity privacy enforcement: Identity opt-ins (IMG status, URM, etc.) honor user visibility settings at the database view layer, not just in the UI
- Provider verification: Optional NPI verification against the public NPPES registry. We check only that the provider name matches the NPPES record; the NPI number itself is public information (see our published note on this)
- Infrastructure: Hosted on Netlify (SOC 2 Type II) and Supabase (SOC 2 Type II, HIPAA-compliant tier available)
- Audit logging: Authentication events, profile changes, and admin actions are logged for security review
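As an added illustration of the row-level security and view-layer enforcement described above (example DDL written for this page, not Continuum's own schema): it assumes a Postgres deployment on Supabase with the standard `anon` and `authenticated` roles and Supabase's `auth.uid()` helper, which returns the calling user's id from the request JWT. Every table, column and policy name below is an assumption.

```sql
-- Added example for this page, not Continuum's real schema. Postgres DDL as used
-- on Supabase; auth.uid() is Supabase's helper returning the caller's user id
-- from the request JWT. Table, column, role and policy names are assumptions.

create table public.profiles (
  id            uuid primary key,               -- same value as auth.users.id
  display_name  text not null,
  specialty     text,
  img_status    boolean,                        -- identity opt-in
  urm           boolean,                        -- identity opt-in
  show_identity boolean not null default false  -- per-user visibility setting
);

create table public.messages (
  id           bigint generated always as identity primary key,
  sender_id    uuid not null references public.profiles (id),
  recipient_id uuid not null references public.profiles (id),
  body         text not null,
  sent_at      timestamptz not null default now()
);

-- 1. Base tables: RLS on, and the only client role that may touch them is
--    'authenticated'. Anonymous requests get nothing.
alter table public.profiles enable row level security;
alter table public.messages enable row level security;
revoke all on public.profiles, public.messages from anon;
grant select, insert, update on public.profiles to authenticated;
grant select, insert         on public.messages to authenticated;

-- A user reads and edits only their own profile row; WITH CHECK stops an
-- update from re-pointing the row at someone else's id.
create policy profiles_owner_select on public.profiles
  for select to authenticated using (id = auth.uid());
create policy profiles_owner_insert on public.profiles
  for insert to authenticated with check (id = auth.uid());
create policy profiles_owner_update on public.profiles
  for update to authenticated
  using (id = auth.uid()) with check (id = auth.uid());

-- Messaging visibility: only the two participants can read a thread, and a
-- user can only insert messages they send themselves.
create policy messages_participant_select on public.messages
  for select to authenticated
  using (auth.uid() in (sender_id, recipient_id));
create policy messages_sender_insert on public.messages
  for insert to authenticated
  with check (sender_id = auth.uid());

-- 2. Matching visibility lives in a view, so the opt-in is enforced by the
--    database no matter what the browser asks for. The view is deliberately
--    NOT security_invoker: it runs as its owner (the table owner, who is not
--    subject to RLS because FORCE ROW LEVEL SECURITY is not set), so it can
--    see every profile, and the CASE expressions are the only path by which
--    another user ever reaches the identity columns.
create view public.matching_profiles as
select
  id,
  display_name,
  specialty,
  case when show_identity then img_status end as img_status,  -- NULL unless opted in
  case when show_identity then urm        end as urm
from public.profiles;

grant select on public.matching_profiles to authenticated;
revoke all on public.matching_profiles from anon;
```

Check it the way a reviewer would: sign in as a user A who has `show_identity = false`, then as a different user B run `select * from matching_profiles where id = <A's id>`; `img_status` and `urm` come back NULL, and a direct `select * from profiles where id = <A's id>` as B returns no row at all. The tempting shortcut, a second SELECT policy on `profiles` that lets any authenticated user read every row so matching can query the base table, would expose the identity columns to anyone who skips the UI and calls the REST endpoint directly; keeping the masking in the view definition is what closes that path.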
05 When a BAA is appropriate (and when it isn't)
A Business Associate Agreement under HIPAA is required when a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity. By design, Continuum does none of those things in standard use. Most institutional pilots do not need a BAA — the platform sits next to clinical work, not inside it.
When a BAA might still be requested:
- Institutional procurement requires it as a default for any vendor used by clinical staff
- The institution intends to use the platform for activities that may incidentally generate PHI exposure
- Internal compliance policy makes a BAA the lower-friction path versus a custom risk assessment
In those cases, BAA execution and HIPAA-compliant infrastructure enablement (Supabase Team + HIPAA add-on) are part of the institutional onboarding process — not capabilities enabled in default production today. Reach out via BAA Request with your institutional details and we'll acknowledge within five business days with a current-status update.
06 Breach notification
If we become aware of a security incident affecting your account data, we will notify you by email within 72 hours of confirming the incident, with as much detail as we have at that time. This commitment applies to all users regardless of BAA status and is well inside the HIPAA Breach Notification Rule's outer limit of 60 calendar days from discovery.
Suspected security issues? Email [email protected]. We acknowledge reports within one business day.
07 Limitations and honest caveats
- We are not SOC 2 audited as Continuum Health AI — our infrastructure providers are. SOC 2 Type I audit is on the roadmap for the year following our first paid institutional deal.
- We are not HITRUST-certified. HITRUST is a substantial multi-month investment we will pursue if institutional contracts justify it.
- We are not a covered entity, business associate, or subcontractor under HIPAA in our default operating mode. We would become a business associate only if we began handling PHI on a covered entity's behalf, and by design that happens only under a signed BAA with the HIPAA-eligible infrastructure enabled.
- Our matching algorithm and platform code are JavaScript that runs in your browser. The algorithm itself is publicly inspectable, which we consider a feature for trust, not a vulnerability. Inspectable does not mean trusted, though: access control is enforced by the database's RLS policies and views, not by anything the browser code does.
08 Contact
Institutional security review, BAA request, or compliance question?
- Security questions: [email protected]
- BAA request: /baa
- Privacy questions: [email protected]
- General: /contact