HIPAA & PHI policy

Summary: Twinbook is built for educational study material, not for identifiable patient information. We discourage uploading Protected Health Information (PHI) unless Twinbook has entered into the required agreements and controls with your institution.

We serve medical students, so we want to be especially clear and especially careful here. This page states our position plainly so that learners, faculty, and compliance offices know exactly where the line is.

This page is our policy, not legal advice.

Last updated: 2026-06.

Our position

Twinbook is an educational study tool. It is intended for lecture slides, textbooks, notes, study questions, and other learning materials. It is not:

  • a clinical or electronic health record (EHR) system,
  • a diagnostic or clinical decision-support tool, or
  • a system designed to receive identifiable patient information.

Do not upload identifiable patient information (names, medical record numbers, dates tied to an individual, images that identify a patient, or other PHI) into Twinbook unless a proper institutional agreement and the corresponding controls are in place.

Why we say this carefully

Under HIPAA, a vendor that performs services involving Protected Health Information for a covered entity (such as a teaching hospital) generally becomes a business associate, and the U.S. Department of Health and Human Services requires a Business Associate Agreement (BAA) to be in place before that vendor handles PHI.

We will not casually claim to be "HIPAA compliant." That phrase, used loosely, is exactly the kind of overclaim a compliance office sees through. Instead:

Twinbook is designed for educational use. We discourage uploading PHI unless Twinbook has entered into the required agreements (including a BAA) and the required controls with the institution.

If your program needs to handle PHI

If a medical school or teaching hospital has a genuine need to use Twinbook with materials that may contain PHI, that requires a deliberate, contracted arrangement — including a Business Associate Agreement and the specific technical and administrative controls a BAA entails. Contact us before any such use. Do not assume PHI is permitted by default; it is not.

De-identified material is fine

Educational material that has been de-identified — case studies, board-style questions, textbook content, and teaching cases with no information that could identify a real patient — is appropriate for Twinbook and is how the product is meant to be used in medical education.

Educational-use boundary (reminder)

Even with appropriate material, Twinbook's AI outputs are study aids, not clinical guidance. They can contain errors and must not be used for patient care or clinical decisions. See §9 of the main Trust & Security page.

Questions about PHI, a BAA, or a clinical-education use case? Contact us before uploading any patient-identifiable material.