Where an incident involves Protected Health Information, ChironAI operates as a business associate to the covered entity. Breach notification is handled consistent with the HIPAA Breach Notification Rule and the HITECH Act, and with any applicable state breach-notification law. The specific notification timelines and procedures are those set by the governing statutes and the executed Business Associate Agreement with each institutional customer — we notify within the periods the law and the BAA require.
Because the institutional customer is the covered entity and data controller, notification flows to that customer, who directs downstream notification to affected individuals, regulators, and, where required, the public, in accordance with their obligations. We support that process with the incident timeline, scope, and remediation record produced by the post-incident review.
For deployments governed by frameworks other than HIPAA (for example, GDPR or UK GDPR), the corresponding data-processing addendum specifies the equivalent notification obligations, and we handle notification to that standard.