Arkoura

HIPAA Alignment

Last reviewed: April 2026

ℹ️ Arkoura and HIPAA — Important Context

The Health Insurance Portability and Accountability Act (HIPAA) applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — and their "business associates."

Arkoura is not a covered entity. It is a personal health journal tool — not a healthcare provider, health plan, or clearinghouse. Arkoura does not create, receive, maintain, or transmit Protected Health Information (PHI) as defined by HIPAA on behalf of a covered entity.

US users should understand that data stored in Arkoura is not protected under HIPAA. Arkoura is not a substitute for HIPAA-compliant electronic health record systems.

✅ Voluntary Alignment with HIPAA Safeguards

Although not legally required to do so, Arkoura voluntarily aligns with HIPAA's safeguard principles because we believe they represent best practice for any platform handling health-related information.

🔧 Technical Safeguards (§164.312)

Access controls: unique user authentication via Firebase; Firestore security rules enforce per-user data isolation.

Audit controls: immutable audit log records all access events, modifications, and deletions.

Integrity controls: Firestore transactions and GCS object versioning protect data integrity.

Transmission security: TLS 1.3 for all data in transit.

Document de-identification: in alignment with HIPAA's "minimum necessary" standard, uploaded health documents are automatically de-identified using Google Cloud Data Loss Prevention (DLP) before being transmitted to our AI system for analysis. PHI such as names, dates of birth, addresses, and record numbers is removed from document content before it leaves the platform's secure processing environment.

🏢 Administrative Safeguards (§164.308)

Access management: minimum necessary access principle applied — each component accesses only the data it requires.

Security incident response: defined process for detecting and responding to security incidents.

Evaluation: periodic review of security controls.

🔐 Physical Safeguards (§164.310)

Workstation and device controls: infrastructure hosted on GCP data centers with physical security certifications (ISO 27001, SOC 2).

Media controls: GCS handles secure storage and disposal of storage media.

⚠️ What This Means for US Users

Information you enter in Arkoura is your personal health journal — not a clinical record protected under HIPAA.

If you share AI Insight access with a healthcare provider, they should treat the information as patient self-reported context, not as a HIPAA-covered record.

For questions: legal@arkoura.com

© 2026 Arkoura · San José, Costa Rica