HIPAA Compliance — Beverly Index LLC

Effective Date: March 15, 2026

1. Scope

This document describes how Beverly Index LLC protects Protected Health Information (PHI) processed through the NOUS Cognitive Intelligence Platform. These safeguards apply to all clinical assessments conducted through the CI, CSAA, VOCA, and RTCA pathways.

Public Demos Are NOT Clinical

The public DreamWeaver, Memoria Sonata, and Empyrean demos on beverlyindex.com do NOT collect, store, or process PHI. All demo narrative processing is ephemeral — narratives are analyzed in real-time and immediately discarded. No clinical assessment is performed through public demos. Full diagnostic capability requires an authenticated CNAP practitioner account with HIPAA-compliant session management.

2. Technical Safeguards

Encryption at Rest

All PHI encrypted with AES-256. Database-level encryption for all stored assessment data, patient records, and session history.

Encryption in Transit

TLS 1.3 enforced on all connections. No downgrade to earlier TLS versions permitted. HSTS headers deployed.

Multi-Factor Authentication

MFA required for all practitioner and admin accounts. No PHI accessible without successful two-factor verification.

Session Management

Automatic session timeout after 15 minutes of inactivity. Session tokens invalidated on logout. Concurrent session limits enforced.

Password Security

Argon2id hashing with minimum 12 rounds. Minimum 12-character passwords with complexity requirements. Breach detection integration.

Rate Limiting

Authentication endpoints rate-limited to prevent brute force attacks. Progressive lockout after failed attempts.

3. Administrative Safeguards

Designated HIPAA Privacy Officer and Security Officer
Annual security risk assessment and remediation
Workforce training on HIPAA requirements and PHI handling
Incident response procedures with breach notification protocols
Minimum necessary access principle — role-based access control
Business Associate Agreements (BAAs) with all vendors handling PHI

4. Physical Safeguards

NOUS platform infrastructure is hosted on HIPAA-eligible cloud services with SOC 2 Type II certification. Physical access to data centers is controlled by the hosting provider under their BAA obligations. Beverly Index does not maintain on-premise servers containing PHI.

5. Audit Controls

Complete audit logging with 6-year retention. Every access to PHI — including who accessed it, when, what data was viewed or modified, and from what IP address — is logged in tamper-resistant audit records. Audit logs are reviewed regularly and are available for compliance audits.

6. Data Isolation

The NOUS platform enforces strict data isolation between assessment pathways and between organizations. CI (Clinical Intelligence) data is completely separated from CSAA (Forensic) data — no clinical information crosses the forensic boundary. Multi-tenant organizations operate in isolated data partitions with no cross-contamination.

7. Patient Rights

Patients have the right to access their assessment records, request corrections, and obtain an accounting of disclosures, as required by HIPAA. These rights are exercised through the treating practitioner's organization, which maintains the treatment relationship.

8. Breach Notification

In the event of a breach of unsecured PHI, Beverly Index LLC will notify affected covered entities within 60 days as required by the HIPAA Breach Notification Rule. We will cooperate fully with covered entities in fulfilling their notification obligations to affected individuals and the Department of Health and Human Services.

9. Contact

For HIPAA compliance inquiries, contact Beverly Index LLC at [email protected] or +1 (307) 204-6354. Beverly Index LLC, 30 N Gould St, Ste R, Sheridan, WY 82801.