How we handle protected health information.
Dyad Health operates as a HIPAA Business Associate to the health plans we contract with. This notice explains what that means and how your protected health information is handled when we support your care.
§ 01 Who we are under HIPAA
Dyad Health, Inc. ("Dyad") is a Business Associate as defined in 45 CFR 160.103. We deliver care-management services to members of health plans ("Covered Entities") under the terms of a written Business Associate Agreement ("BAA") with each plan.
Dyad is not, on its own, a Covered Entity. We act on behalf of plans. The plan — not Dyad — is primarily responsible for issuing the Notice of Privacy Practices to its members and for honoring member rights under HIPAA. This page describes how Dyad, as a Business Associate, handles Protected Health Information ("PHI") within that framework.
§ 02 What is PHI
"Protected Health Information" (PHI) is individually identifiable health information that is created, received, maintained, or transmitted in the course of providing or paying for health care. For Dyad, PHI typically includes:
- Member and caregiver names, dates of birth, and contact information.
- Plan ID, eligibility data, and claims history shared by the health plan.
- Clinical information — diagnoses, medications, care-plan notes, risk assessments (including caregiver-burden assessments).
- Communications between you and your Dyad care team.
§ 03 How we use and disclose PHI
We use and disclose PHI only as permitted by HIPAA, by our Business Associate Agreement with each plan, and by applicable law. Specifically:
- Treatment. To coordinate dementia care and caregiver support for you or the person you care for.
- Payment. To support the plan's administration of benefits, including documenting the services we provided and the outcomes we achieved.
- Health-care operations. For quality improvement, care coordination, accreditation, and other activities permitted under HIPAA.
- As required by law. When disclosure is compelled by subpoena, court order, public-health reporting requirement, or other legal obligation, after appropriate review.
- With your written authorization. For any other use or disclosure, we will ask for your written authorization first. You can revoke that authorization at any time.
We do not sell PHI. We do not use PHI for marketing. We do not use PHI to train third-party AI models.
§ 04 Safeguards
Dyad maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR 164, Subpart C), including:
- Encryption of PHI at rest and in transit.
- Role-based access controls, with access granted on a need-to-know basis.
- Workforce training on HIPAA requirements before access is granted and annually thereafter.
- Audit logs of access to PHI.
- Business Associate Agreements with every subcontractor that may have access to PHI.
- A designated Privacy Officer and Security Officer.
- An incident-response plan aligned with the HIPAA Breach Notification Rule.
§ 05 Your rights
Under HIPAA, you have the right to:
- Access the PHI we maintain about you.
- Request amendment of PHI you believe is inaccurate or incomplete.
- Request an accounting of certain disclosures of your PHI.
- Request restrictions on how your PHI is used or disclosed.
- Request confidential communications through a specific channel or address.
- Receive a copy of your health plan's Notice of Privacy Practices from the plan itself.
- File a complaint if you believe your rights have been violated — with us, with your plan, or directly with the U.S. Department of Health and Human Services, Office for Civil Rights.
Many of these rights are exercised through your health plan. Where Dyad can assist, we will. To make a request of Dyad directly, contact our Privacy Officer at hello@dyad-health.com.
§ 06 Breach notification
If a breach of unsecured PHI occurs, we will notify the affected health plan without unreasonable delay and within the timeframe required by our Business Associate Agreement and by 45 CFR 164.410. The plan, as the Covered Entity, is responsible for direct notification to members; Dyad will support that notification as required.
§ 07 Minimum necessary
When using, disclosing, or requesting PHI, we apply the HIPAA "minimum necessary" standard. We ask for and use the least amount of information reasonably needed to do the work at hand, except where HIPAA expressly does not require a minimum-necessary determination (for example, disclosures to the individual, to the provider treating the individual, or as authorized by the individual).
§ 08 State law and other protections
Where state law provides greater privacy protection than HIPAA, we follow the state law. In California, for example, our handling of PHI is also subject to the Confidentiality of Medical Information Act (CMIA). Where your plan's BAA or applicable law imposes additional obligations, those obligations apply in addition to HIPAA.
§ 09 Changes
We may update this notice from time to time. Material changes will be posted on the Site and reflected in the effective date at the top of this page. We will not retroactively apply a less protective version to PHI we have already received.
§ 10 Contact & complaints
Dyad Health, Inc.
Attn: Privacy Officer
hello@dyad-health.com
To file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
www.hhs.gov/ocr/complaints