Privacy & Records Security

Medical Record Privacy, Security & Responsible Data Use

Sensitive Records. Deliberate Access. Accountable Protection.

VNI’s public framework for secure record submission, limited access, vendor oversight, responsible technology use, retention, incident response, and transparent privacy choices.

Medical records are not ordinary attachments.

The documents a Veteran provides may reveal physical and mental-health diagnoses, medication history, military trauma, disability information, Social Security data, family relationships, financial details, exposure history, claim decisions, and some of the most personal events of that Veteran's life.

Veterans Nexus Institute believes that protecting this information is part of the professional service itself.

The purpose of this page is to explain how VNI approaches the full information lifecycle:

Collection
→ Transmission
→ Access
→ Review
→ Storage
→ Sharing
→ Retention
→ Deletion
→ Incident response

This page will sit beside, rather than replace, VNI's formal Privacy Policy, Terms and Agreement, service-specific authorizations, and any Notice of Privacy Practices that legal counsel determines is required.

Privacy claims must be accurate

VNI will not place a generic "HIPAA compliant" badge on the website merely because physicians review medical records.

HIPAA does not automatically apply to every organization that receives health information. The HIPAA Privacy Rule generally applies to health plans, health care clearinghouses, and health care providers that conduct certain standard electronic transactions. Business associates may also be directly subject to applicable HIPAA requirements when they perform covered functions involving protected health information for a regulated entity.

HHS does not certify people, products, software, or organizations as "HIPAA compliant." Whether HIPAA applies to VNI, a physician practice, a contractor, or a technology vendor depends on the actual legal relationship and workflow, not a logo purchased from a compliance vendor.

Before VNI makes a public HIPAA statement, qualified counsel and the organization's privacy and security leads will verify:

Which VNI entities provide health care
Which standard electronic transactions they conduct
Whether VNI is a covered entity, business associate, hybrid entity, or another type of organization
Which vendors receive, store, or process identifiable medical information
Which Business Associate Agreements are required
Which state privacy, medical-record, consumer-protection, and breach-notification laws also apply

The public page will describe only controls that VNI can demonstrate in practice.

  1. Collect only what is reasonably needed

VNI will not ask a Veteran to upload an entire lifetime of records before the medical question and approved scope are understood.

The collection process distinguishes among:

Information needed for a free consultation
Information needed for a paid physician review
Information needed for an approved medical opinion
Information that is not relevant to the engagement

When HIPAA's minimum-necessary standard applies, regulated entities generally must make reasonable efforts to limit certain uses, disclosures, and requests for protected health information to what is reasonably necessary for the purpose. VNI adopts that principle as a privacy standard even in workflows where HIPAA does not directly control.

The intake process requests:

Identity and contact information
Military service and branch
The condition being evaluated
The proposed service-connection theory
Relevant VA decisions
Relevant service and medical records
Treatment and diagnostic history
Prior medical opinions and C&P examinations
Documents identifying competing causes or post-service injuries

VNI will not collect unrelated records merely because they happen to exist.

  1. Use clearly approved submission channels

The website identifies exactly where a Veteran may safely submit records.

General website contact forms, live chat, social-media messages, text messages, and ordinary marketing email will not be presented as medical-record upload channels unless VNI has specifically reviewed and approved those systems for that purpose.

Suggested public wording:

Please do not send medical records, Social Security numbers, VA file numbers, or other sensitive information through our general contact form, website chat, or social-media accounts. VNI will provide an approved record-submission method when a matter reaches the appropriate review stage.

The secure-submission page explains:

The name of the approved portal
How the Veteran confirms the correct VNI recipient
Accepted file types
Maximum file sizes
How password-protected files are handled
Whether records may be mailed
Whether ordinary email is permitted
How the Veteran receives confirmation of upload
What to do when records were sent to the wrong address
Who to contact for technical assistance

A polished lock icon is not a security control. The operational pathway behind it must be verified.

  1. Restrict access according to role

Not every VNI employee, contractor, physician, or vendor will automatically see every Veteran's records.

Access is assigned according to the work the person is authorized to perform. The intake team may need different information from the reviewing physician, billing personnel, technology administrators, or outside specialists.

The HIPAA Security Rule requires regulated entities to use appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. It also requires access-management policies that authorize access based on the person's role.

VNI's verified controls address:

Unique user accounts
Multifactor authentication
Role-based permissions
Strong authentication requirements
Device and workstation security
Automatic session locking
Access removal after termination or reassignment
Periodic access review
Audit logging
Prohibition on shared credentials
Secure remote-access procedures
Training before access is granted

The public page does not need to reveal technical details that could help an attacker. It provides enough information to demonstrate that access is deliberate and accountable.

  1. Protect confidentiality, integrity, and availability

Privacy is not only about preventing someone from reading a record.

A sound security program ensures that records are:

Confidential: unavailable to unauthorized people
Accurate and intact: protected from improper alteration or destruction
Available: accessible to authorized people when required for legitimate work

These are the central objectives of the HIPAA Security Rule for regulated electronic health information.

VNI verifies and documents whether its approved systems use:

Encryption during transmission
Encryption while stored
Secure backups
Malware protection
Patch and vulnerability management
File-integrity controls
Recovery testing
Secure deletion methods
Business-continuity procedures
Monitoring for unauthorized access

Encryption is important, but HHS cautions that encryption alone does not address every risk. It does not by itself ensure data integrity, availability, contingency planning, access management, or protection against compromised systems and malware.

As of July 2026, HHS still describes its proposed strengthened HIPAA Security Rule as a proposed rule and states that the current Security Rule remains in effect. VNI tracks that rulemaking but will not describe proposed encryption or cybersecurity requirements as though they have already replaced the current rule.

  1. Evaluate every vendor that touches sensitive information

A secure portal can still fail if an unreviewed vendor, plug-in, scheduling tool, analytics provider, transcription service, cloud platform, email system, or contractor receives the data without appropriate controls.

VNI maintains an inventory of vendors that may receive or access:

Medical records
Intake responses
Consultation notes
Payment information
Identity documents
Communications
Medical reports
Website-form submissions
Recorded calls or meetings
Technical logs connected to a Veteran

When a cloud or technology vendor is functioning as a business associate to a HIPAA-regulated entity, an appropriate Business Associate Agreement may be required. HHS also makes clear that both the customer and cloud provider retain responsibilities for the safeguards assigned to them.

VNI's vendor-review process asks:

What information does the vendor receive?
Why does the vendor need it?
Where is it stored?
Who can access it?
Is it encrypted?
Is multifactor authentication supported?
Does the vendor use subcontractors?
Does the vendor retain the information?
Can the information be deleted?
Will it be used for product training or advertising?
How are incidents reported to VNI?
Is a BAA or another data-protection agreement required?

A vendor's general security page does not substitute for reviewing the actual contract and data flow.

  1. Establish a strict artificial-intelligence policy

Veteran medical records, claim decisions, witness statements, and physician work product will not be entered into public or consumer AI systems simply because a tool is convenient.

VNI policy prohibits AI from independently:

Diagnosing a Veteran
Determining service connection
Assigning a rating
Selecting a medical conclusion
Inventing citations
Creating witness testimony
Fabricating an exposure history
Concealing conflicting evidence
Producing a report that a physician merely signs
Training on identifiable Veteran records without an approved legal basis and explicit organizational authorization

When an approved AI-assisted system is used, VNI documents:

The exact purpose
The data supplied
Whether the information is identifiable
Whether the vendor retains prompts or files
Whether the vendor uses data for model training
Whether a BAA or other agreement is required
Whether human review is mandatory
Which professional remains responsible
How errors are detected and corrected
Whether the Veteran receives notice

Suggested public wording:

VNI does not permit identifiable Veteran medical records to be used to train public artificial-intelligence models. Any approved technology-assisted workflow remains subject to human review, access controls, contractual safeguards, and professional accountability.

Publish that statement only when VNI can verify it across every vendor and workflow.

  1. Separate medical intake from advertising technology

A visitor reading a public education article is not the same as a client submitting psychiatric records, a VA decision, or a military sexual-trauma history.

VNI keeps medical intake, secure portals, client dashboards, and record-upload pages free from unnecessary advertising pixels, behavioral profiling, session-replay technology, and cross-site marketing trackers.

Organizations not covered by HIPAA may still fall under the FTC's Health Breach Notification Rule when they handle identifiable health information through covered products or services. The updated FTC rule applies to certain businesses and nonprofits outside HIPAA and may require notification to affected consumers, the FTC, and sometimes the media after a qualifying breach.

VNI separately discloses:

Essential website cookies
Analytics used on public pages
Advertising technologies
Intake and portal technologies
Whether medical information is ever used for audience targeting
Whether consultation activity is linked to advertising profiles
How visitors exercise applicable opt-out rights

The safest institutional standard is:

Medical records and medical-intake information are not advertising inventory.

  1. Use information only for defined purposes

The public page explains why VNI collects information.

Potential purposes include:

Responding to an inquiry
Scheduling a consultation
Verifying identity
Evaluating whether a physician review may be appropriate
Performing the contracted record review
Preparing an approved medical opinion
Communicating with the client
Processing payment
Maintaining professional and business records
Meeting legal, licensing, tax, security, and contractual requirements
Investigating complaints or incidents
Defending professional work when necessary

VNI will not quietly repurpose medical information for:

Unrelated marketing
Sale to data brokers
Targeted advertising
Public case studies
Testimonials
AI training
Employee curiosity
Research unrelated to the engagement

Any optional secondary use requires a clear legal basis, separate review, and an understandable authorization where required.

  1. Control disclosures and authorizations

A spouse, caregiver, attorney, VSO representative, family member, or friend will not automatically receive a Veteran's records merely because they helped schedule the consultation or paid the fee.

VNI verifies:

The Veteran's identity
The identity of the person requesting access
The authority claimed
The scope of any written authorization
Whether the authorization has expired or been revoked
Whether the requester is a legally recognized personal representative
Whether the disclosure is required or permitted by law

The authorization process distinguishes among:

Permission to discuss scheduling
Permission to discuss billing
Permission to receive medical records
Permission to receive the physician report
Permission to communicate with a representative
Permission to disclose information for another stated purpose

One vague checkbox does not grant unlimited access to everything.

  1. Publish a real retention schedule

"Records are retained only as long as necessary" sounds responsible but tells the Veteran almost nothing.

VNI establishes and publishes verified retention periods for distinct record categories, such as:

Uncompleted website inquiries
Free-consultation notes
Declined matters
Paid physician reviews
Final medical opinions
Draft reports and physician work papers
Billing and tax records
Signed service agreements
Authorizations
Complaints
Audit and access logs
Backup copies

Retention may be affected by professional licensing, malpractice defense, contracts, tax requirements, state medical-record laws, litigation holds, and other legal obligations.

The page explains:

When the retention period begins
Whether the period differs by record type
Whether backup copies persist temporarily
When deletion may be unavailable
How a deletion request is evaluated
How destruction is documented
What happens when a legal hold applies

Do not promise immediate or complete deletion unless every production system, archive, backup, vendor, and legal obligation has been accounted for.

  1. Provide access and correction procedures

A Veteran will know how to ask:

What information VNI maintains
For a copy of submitted records
For correction of contact or demographic information
For correction of a verified factual error
Whether an authorization may be revoked
Whether records may be deleted
Which parties received information
How to obtain the final medical report
How to designate an authorized representative

When HIPAA applies, individuals generally have rights to inspect and obtain copies of protected health information in designated record sets, subject to specified rules and exceptions. VNI's actual access obligations must be determined from its legal status and record structure.

A correction request is not confused with a demand to alter a physician's independent medical conclusion.

VNI may correct a verified factual or clerical error. VNI will not change a professional conclusion merely because the client dislikes it.

  1. Prepare for security incidents before they occur

No responsible organization promises that a breach can never happen.

A trustworthy policy explains how VNI prepares to detect, contain, investigate, respond to, and recover from an incident.

NIST's Cybersecurity Framework 2.0 organizes cybersecurity risk management around six functions:

Govern
Identify
Protect
Detect
Respond
Recover

NIST's current incident-response guidance emphasizes integrating preparation, detection, response, and recovery throughout the organization rather than improvising after an event begins.

VNI's incident-response plan addresses:

Who receives the first report
How accounts or systems are contained
How evidence and logs are preserved
How affected information is identified
How vendors are contacted
How legal obligations are assessed
Who communicates with Veterans
How inaccurate rumors are avoided
How systems are restored
How corrective actions are documented
How lessons learned change future controls

The HIPAA Breach Notification Rule requires covered entities and business associates to provide specified notifications after breaches of unsecured protected health information. The FTC Health Breach Notification Rule imposes separate notification duties on certain non-HIPAA health-information businesses. Which rule applies depends on the entity and data involved.

Suggested public wording:

When VNI identifies a suspected privacy or security incident, we investigate the event, take reasonable containment and corrective action, and provide notices to affected individuals and authorities when required by applicable law.

Do not promise a specific notice deadline unless counsel has confirmed which rule governs the particular event.

  1. Recognize especially sensitive record categories

Some information deserves heightened care because of the harm that could follow unauthorized disclosure.

Examples include:

Mental-health treatment
Suicidal thoughts or crisis history
Military sexual trauma
Substance-use treatment
Reproductive health
Genetic information
HIV and infectious-disease information
Domestic violence
Dependents and children
Financial hardship
Social Security numbers
Identity documents

Certain substance-use-disorder treatment records may be governed by 42 CFR Part 2, which carries specialized confidentiality protections. Updated Part 2 rules reached their compliance date in February 2026 and include additional patient-rights and breach-notification provisions.

VNI identifies when specialized records require additional authorization, handling, or legal review rather than assuming that one general medical-record policy covers every category.

  1. Create a visible privacy contact and complaint path

Veterans will not search through a maze of pages to report a privacy concern.

The page provides:

Privacy contact name or title
Dedicated email address
Mailing address
Secure contact method
Expected acknowledgment time
Expected response process
Emergency security-reporting instructions
How to escalate an unresolved concern

The complaint process covers:

Records sent to the wrong person
Unauthorized access
Incorrect identity
Unexpected marketing
Vendor concerns
Missing documents
Incorrect factual information
Access or deletion requests
Suspected fraud or impersonation
Concerns about AI or automated processing
Concern that a representative exceeded their authorization

VNI prohibits retaliation against a Veteran for raising a good-faith privacy or security concern.

Suggested public trust strip

Use this only after each statement has been operationally verified:

APPROVED SECURE SUBMISSION CHANNELS

ACCESS LIMITED BY ROLE

NO SALE OF MEDICAL RECORDS

NO AD TARGETING FROM CLIENT RECORDS

NO PUBLIC-AI TRAINING ON IDENTIFIABLE RECORDS

INCIDENT RESPONSE AND NOTIFICATION PROCEDURES
Verification checklist before publication

VNI does not replace these questions with assumptions:

Public statement Verification required
"Encrypted in transit" Technical confirmation for every approved submission and communication path
"Encrypted at rest" Confirmation for production storage, documents, databases, archives, and backups
"Multifactor authentication" Confirmation that it is required for every user with sensitive-record access
"Role-based access" Current permission matrix and periodic review process
"Secure portal" Vendor, configuration, contract, access, logging, and retention review
"HIPAA compliant" Legal status analysis plus verified operational compliance
"BAAs in place" Signed agreements for every vendor requiring one
"No AI training" Contract and setting review across every AI-enabled vendor
"No tracking on intake" Technical scan of intake, upload, portal, and payment pages
"Deleted after X years" Approved retention schedule covering vendors and backups
"24-hour incident monitoring" Verified staffing or managed-service capability
"Records never leave the United States" Confirmed vendor and subcontractor data locations
"We never share records" Review legal disclosures, contractors, physicians, and authorized recipients

This page describes VNI’s privacy and security principles and should contain
only practices that have been operationally verified.

It is not a substitute for the formal Privacy Policy, service agreement,
authorization forms, or any Notice of Privacy Practices required by law.

Whether HIPAA, the FTC Health Breach Notification Rule, state privacy laws,
medical-record laws, or other requirements apply depends on the entity,
professional relationship, information, technology, jurisdiction, and
specific facts involved.