Ternary Health
Security & data practices

HIPAA-aligned, even though HIPAA doesn’t strictly apply.

Ternary Health is not a HIPAA-covered entity — we are not a health care provider, insurer, or clearinghouse. We nonetheless operate under HIPAA-aligned practices because the sensitivity of the information our clients share warrants that standard of care.

The framing

Your trust, engineered.

Medical information is among the most sensitive data you can share. A firm that takes that information casually does not deserve access to it. We have designed Ternary Health’s systems and workflows around that principle — not as a marketing claim, but as an engineering discipline.

The practices below are our current baseline. They will evolve as we grow. Material changes are reflected in this page and, for active clients, communicated by email.

Our practices

Eight disciplines, in plain language.

01. Encryption
All site traffic uses TLS 1.2+ (HTTPS). Data at rest is encrypted by our hosting and email providers using industry-standard AES-256 or equivalent. No application data is stored unencrypted at any stage of our pipeline.

02. Minimum necessary collection
The public application form is deliberately bounded. We collect only what we need to evaluate fit — not detailed medical records, not insurance data, not payment information. Medical records are requested only after acceptance, through a separate secure intake flow.

03. Access discipline
Application and engagement records are accessible to the firm's principals (Beau Giannini, PhD and Pavel Paramonov, PhD) and — when an engagement is active — to a small number of named analysts under written confidentiality obligations. No vendor, marketing provider, or analytics platform has access. We do not use any.

04. Vendor BAAs where available
For each service provider in our pipeline, we pursue Business Associate Agreements or equivalent contractual safeguards where the provider supports them. Providers that cannot offer appropriate protection are not used for information that could be linked to a specific individual and a health condition.

05. Network segmentation
The public website, the application endpoint, and the engagement-intake infrastructure are separate systems with distinct access controls. Application data does not commingle with engagement records; engagement records do not commingle across clients.

06. Retention limits
Applications that do not result in an engagement are retained for no more than 12 months, then deleted. Engagement records are retained per the terms of the signed engagement letter. Aggregated, de-identified pattern data derived from engagements may be retained longer for methodological improvement.

07. Audit logging
Our case database maintains a tamper-evident audit log of every access and modification — who, what, when — for all records containing client information. Logs are reviewed periodically and retained for seven years.

08. Incident response
If we detect or are informed of a security incident affecting client information, we investigate within one business day, contain the issue, and notify affected clients promptly with a full account of what happened and what we are doing about it.
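The audit-logging practice above describes a tamper-evident record of who did what, and when, to each client record. The following is an added illustration of one common way such a log is built, written for this page and not Ternary Health's own code: each entry carries a SHA-256 hash over its own fields plus the previous entry's hash, so editing or reordering any past entry breaks the chain, and a periodic review compares the chain head against a hash anchored outside the database so that silently deleting the newest entries is also caught. Actor names, record identifiers and timestamps are constructed sample values.

```python
"""Hash-chained, tamper-evident audit log (constructed example, not Ternary Health's code)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

# Hash "before" the first entry; any fixed, well-known value works.
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    who: str          # authenticated principal performing the action
    what: str         # e.g. READ, UPDATE, DELETE
    when: str         # ISO 8601 timestamp supplied by the caller
    record_id: str    # identifier of the client record touched
    prev_hash: str    # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str   # SHA-256 over all fields above, binding this entry to its predecessor


def _digest(seq: int, who: str, what: str, when: str, record_id: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([seq, who, what, when, record_id, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment would persist rows to the case database."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, who: str, what: str, when: str, record_id: str) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries)
        entry = AuditEntry(seq, who, what, when, record_id, prev,
                           _digest(seq, who, what, when, record_id, prev))
        self._entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the newest entry. Store this outside the database (e.g. in a
        separate, write-once location) so truncation of the log is detectable."""
        return self._entries[-1].entry_hash if self._entries else GENESIS

    def export(self) -> List[dict]:
        return [asdict(e) for e in self._entries]


def verify_chain(rows: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every hash in order.

    Returns (True, None) if the chain is intact, otherwise (False, index) where
    index is the first entry that fails; if expected_head is given and the chain
    is intact but ends at a different hash, the index equals len(rows), meaning
    entries were removed from the end.
    """
    prev = GENESIS
    for i, r in enumerate(rows):
        if r["seq"] != i or r["prev_hash"] != prev:
            return False, i                      # reordered, inserted or removed entry
        recomputed = _digest(r["seq"], r["who"], r["what"], r["when"], r["record_id"], r["prev_hash"])
        if recomputed != r["entry_hash"]:
            return False, i                      # field edited after the fact
        prev = r["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(rows)                  # trailing entries deleted
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample activity: three accesses by two principals."""
    log = AuditLog()
    log.append("principal-1", "READ", "2025-01-06T09:00:00Z", "case-001")
    log.append("analyst-2", "UPDATE", "2025-01-06T09:05:00Z", "case-001")
    log.append("principal-1", "READ", "2025-01-06T09:10:00Z", "case-002")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    rows = log.export()
    print("intact:", verify_chain(rows, expected_head=log.head_hash()))
    rows[1]["who"] = "someone-else"              # simulate an after-the-fact edit
    print("edited:", verify_chain(rows))
```

The hash chain alone only proves that nothing in the middle of the log was changed; without the externally anchored head hash, an attacker with write access to the database could drop the most recent entries and leave a chain that still verifies. Periodic review, as the practice describes, is where that comparison happens.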
Where we’re explicit about what we don’t do

Transparency includes the absences.

Reporting a concern

If something looks wrong, tell us.

Security or privacy concerns — about your own data or about a potential issue you’ve noticed — should be sent to beau@ternaryi.com with “Security” in the subject line. We investigate every report and respond within one business day.

HIPAA posture — a careful claim

We do not say “HIPAA compliant.” Here’s why.

HIPAA regulates covered entities — health plans, healthcare clearinghouses, and providers who transmit health information electronically for specific covered transactions — and their business associates. Ternary Health is none of those. We are a private research firm; clients pay us directly, out of pocket, and we do not conduct HIPAA transactions with insurers.

The phrase “HIPAA compliant” has no legal meaning outside of that covered-entity relationship. Companies that use the label as a marketing claim, without the context, are often technically overclaiming. We do not.

What we do claim is that we maintain HIPAA-aligned practices — we follow HIPAA-grade administrative, physical, and technical safeguards even though we are not legally required to. We believe this is the right standard of care for the sensitivity of the information our clients share, and we hold ourselves to it transparently.

Other laws that do legally apply to our handling of information include the FTC Act, the FTC Health Breach Notification Rule, state breach-notification laws, the Washington My Health My Data Act, the California Confidentiality of Medical Information Act, and the comprehensive privacy laws of several states. Our practices are designed to satisfy those obligations as well.

Ready to start?

Applications are reviewed within three business days.