HIPAA Notice
Last updated: 2026-04-07
Applicability of HIPAA
InSilico Consulting AB (“Company”, “we”, “our”, or “us”) is a consulting company based in Sweden. We are not a healthcare provider, health plan, or healthcare clearinghouse. However, in certain cases, we may act as a Business Associate to U.S.-based healthcare organizations and, in that context, may process Protected Health Information (“PHI”) as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
This notice applies only where HIPAA is relevant to our services.
Our Role
When acting as a Business Associate, we process PHI solely on behalf of and under the instructions of our U.S. clients (Covered Entities or their Business Associates), and in accordance with applicable agreements, including Business Associate Agreements (“BAAs”).
We do not independently determine the purposes or means of processing PHI.
Use and Disclosure of PHI
We use and disclose PHI only as permitted or required by:
- Our agreements with clients (including BAAs)
- Applicable law
We limit access to PHI to the minimum necessary to perform our services.
Safeguards
We implement appropriate administrative, technical, and physical safeguards designed to protect PHI against unauthorized access, use, or disclosure. These measures include, but are not limited to:
- Access controls and authentication measures
- Encryption of data in transit and at rest where appropriate
- Staff training and confidentiality obligations
- Monitoring and incident response procedures
Subprocessors
Where we engage subcontractors or service providers that may have access to PHI, we require them to agree to appropriate data protection obligations consistent with HIPAA requirements.
Data Breach Notification
In the event of a breach involving PHI, we will notify the relevant client without undue delay, in accordance with our contractual obligations and applicable law.
GDPR and International Data Transfers
As a company established in the European Union, we also process personal data in accordance with the General Data Protection Regulation (“GDPR”). Where PHI includes personal data subject to GDPR, we apply appropriate safeguards, including lawful processing bases and, where applicable, mechanisms for international data transfers.
See our Privacy Policy for more information.
Contact
If you have any questions about this HIPAA Notice or our data protection practices, please contact us. See our Privacy Policy for contact information.