This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. We are required by federal law to maintain the privacy of your protected health information (“PHI”), to provide you with this Notice of our legal duties and privacy practices, and to follow the terms contained here.
Kinuu® (“Kinuu,” “we,” “us,” or “our”) provides BrainyAct, a clinical and digital health platform that integrates telehealth services, in-clinic care, therapeutic training systems, diagnostic assessments, and digital tools designed to support patients, clinicians, families, and healthcare organizations. Because BrainyAct involves both direct provision of healthcare services as well as technological and administrative support for outside clinics and providers, Kinuu functions both as a HIPAA Covered Entity and as a HIPAA Business Associate. As a Covered Entity, Kinuu provides clinical care directly to patients; as a Business Associate, Kinuu supports other healthcare providers who transfer PHI to us for the purpose of enabling their clinical services.
This combined HIPAA Notice of Privacy Practices and Privacy Policy (“Notice”) explains how we create, receive, maintain, use, disclose, and safeguard PHI and other personal information through our Services. These Services include the BrainyAct clinical platform; telehealth and virtual therapy systems; BrainyAct hardware; diagnostic and therapeutic assessment tools; patient portals; our website; and any other interfaces or technologies developed and maintained by Kinuu.
If you have any questions about this Notice, or if you wish to exercise any of your privacy rights, you may contact our Privacy Officer at hope@kinuu.com.
1. Scope and Purpose of This Notice
This Notice applies to all PHI handled by Kinuu through the delivery of BrainyAct health services and through support we provide to our clinical partners. It describes how we collect PHI, how we use it to provide clinical care, how we disclose it to third parties when necessary for treatment, payment, or healthcare operations, and what rights you have under the HIPAA Privacy Rule. It also describes our responsibilities as a Covered Entity, the circumstances in which we act as a Business Associate, how PHI is safeguarded, how digital tracking technologies interact with PHI, and what obligations we have if your information is ever involved in a privacy or security breach. This document also explains certain aspects of non-PHI personal information handling that accompany our digital services.
Kinuu’s public-facing privacy policy uses a clear, structured format that separates its description of services, information collection, user categories, permitted disclosures, and patient rights in a narrative style. That same narrative clarity and patient-centered framing informs how this Notice is organized.
2. Definition of Protected Health Information
PHI includes any information, whether oral, written, or digital, that identifies you and relates to your past, present, or future physical or mental health condition; the healthcare services provided to you; or the past, present, or future payment for those services. PHI includes traditional identifiers such as your name, address, and birth date, and includes device-based identifiers when they are linked to clinical activity. The HIPAA Privacy Rule defines these categories and requires healthcare organizations to protect PHI in any form in which it is created, received, maintained, or transmitted.
3. Information We Collect
We collect information in several categories, some of which qualify as PHI under HIPAA when used in connection with clinical services. This includes the personal identifiers you provide during registration, including your name, address, contact information, date of birth, and, in the case of pediatric care, parental or guardian information. It also includes unique patient identifiers used within the BrainyAct system and device identifiers that become PHI when linked to therapeutic activity.
We also collect clinical and health-related information directly from you or your clinician, such as diagnoses, symptoms, clinical assessments, therapy goals, diagnostic testing results, and pre-visit screening questionnaires. Because BrainyAct includes hardware-assisted therapeutic exercises, certain device-generated sensor readings—such as behavioral, motor, sensory, cognitive, and functional performance data—also become part of your clinical record. When you or your child participates in therapy sessions, we may collect clinician session notes, progress summaries, outcome metrics, and educational or behavioral data used for clinical planning.
When you participate in telehealth activities, our systems collect metadata such as session duration, connection quality, timestamps, and communication logs exchanged with clinicians. BrainyAct does not record telehealth audio or video content unless you explicitly authorize such recording for clinical or educational purposes. If you opt into recorded training or therapy activities, those recordings may be used for clinical review, internal training, or quality assurance, and the recording of a minor always requires verified parental consent.
When you interact through the patient portal or messaging tools, we collect the content of your messages exchanged with clinicians, care managers, or support teams, including scheduling details, triage conversations, and clinical follow-up questions. If your BrainyAct services involve insurance or third-party billing, we collect insurance coverage details, claims responses, prior authorization records, and related billing and payment information.
Because BrainyAct also supports partnerships with clinics and schools, we may receive information from referring clinicians, healthcare organizations, care coordinators, payers, or educational institutions, provided the disclosure is authorized by you or your child’s guardian or otherwise permitted under HIPAA. These transfers occur for the purpose of coordinating care, documenting services, or enabling clinical operations. This form of collection is authorized as part of HIPAA-permitted treatment, payment, and healthcare operations.
4. How We Collect Information
We obtain information directly from you when you complete patient intake forms, telehealth onboarding materials, clinical questionnaires, or parental consent forms. Information is also collected automatically through BrainyAct hardware and software systems as part of therapeutic activities, where sensor-based movement data, device performance information, and usage logs are generated during the clinical session. Certain digital identifiers, such as IP address, device characteristics, and system interaction logs, are automatically generated by your device or browser and become PHI when associated with BrainyAct’s clinical functions. Federal guidance is clear that when websites or digital systems collect health-related information tied to identifiable users, HIPAA obligations apply.
We may also receive information from outside healthcare providers who refer you to BrainyAct services or coordinate care with Kinuu. These disclosures are permitted under the HIPAA Privacy Rule when used to support treatment, payment, or healthcare operations. We also obtain information from health plans, insurers, or school-based programs that participate in pediatric support activities, but only when a permitted disclosure or parental authorization is in place.
5. Uses and Disclosures for Treatment, Payment, and Healthcare Operations
HIPAA allows healthcare providers to use and disclose PHI without written authorization when necessary for treatment, payment, and healthcare operations (“TPO”). These categories form the core of permitted uses of information under the Privacy Rule.
We use PHI to provide clinical services to you or your child, including telehealth therapy, in-clinic activities, and diagnostic assessments. Clinicians rely on PHI to evaluate progress, review BrainyAct sensor-based activity results, consult with specialists, coordinate therapeutic plans, and communicate with parents or guardians. When necessary to ensure continuity of care, we share PHI with other providers involved in your treatment or your child’s treatment. We also disclose PHI in emergencies when it is necessary to protect patient safety or respond to urgent healthcare needs.
We use PHI to manage insurance billing and payment activities. This includes submitting claims to insurers, verifying coverage, coordinating benefits, obtaining prior authorizations, responding to payer documentation requests, managing denials, and processing payments. If you work with a third-party care manager or billing service, we may disclose PHI to them as permitted by HIPAA to facilitate payment.
We also use PHI for healthcare operations, which include quality assurance, outcome measurement, staff training, product improvement, clinical supervision activities, safety and compliance programs, auditing and credentialing of clinicians, and business planning. We may de-identify PHI for research, analytics, or product evaluation to improve therapeutic outcomes. All such activities fall under HIPAA-permitted operations.
6. Other Permitted Uses and Disclosures without Authorization
There are situations where we may use or disclose PHI without your written consent because federal law allows or requires it. These include reporting certain communicable diseases; responding to child abuse, neglect, or exploitation inquiries; cooperating with health oversight agencies; complying with court orders, subpoenas, or legal processes; responding to valid law enforcement requests; preventing or reducing serious threats to health or safety; supporting specialized government functions such as national security; or complying with workers’ compensation laws. These exceptions are defined explicitly in federal HIPAA regulations.
7. Uses and Disclosures Requiring Your Written Authorization
We will request your written authorization before using your PHI for purposes not described in this Notice. This includes any non-TPO marketing communications, the sale of PHI, and the use or disclosure of psychotherapy notes where applicable. It also includes research that uses identifiable PHI unless otherwise permitted by de-identification or other HIPAA provisions. You may revoke any authorization you provide at any time, provided the revocation is in writing.
8. Our Responsibilities as a HIPAA Covered Entity
As a Covered Entity under HIPAA, we are legally obligated to maintain the privacy and security of PHI, notify you if a breach compromises your PHI, provide you with this Notice and abide by its terms, follow the “minimum necessary” principle, and ensure that our workforce is trained to safeguard PHI. These responsibilities are required under the HIPAA Privacy Rule and associated federal guidance.
9. Your HIPAA Privacy Rights
You have the right to access your medical record and obtain an electronic or paper copy of your PHI. You have the right to request corrections to PHI that you believe is inaccurate or incomplete. You may request restrictions on how we use or disclose your PHI, although we are not always required to agree to such restrictions. You may request that we communicate with you in a confidential manner, such as using an alternative address or phone number. You have the right to request a record of disclosures we have made that were not related to treatment, payment, or healthcare operations. You may also request a paper copy of this Notice at any time. These rights are established by the HIPAA Privacy Rule.
10. Children's and Family Privacy
Because BrainyAct frequently involves minors, our Services include additional privacy protections. A parent or guardian must create any child’s clinical account, and we do not knowingly collect PHI from a child without verified parental consent. Parents or guardians typically have the right to access their child’s PHI unless prohibited by law, court order, or specific state minor-consent statutes that grant confidentiality to adolescents in certain types of care. Where applicable, older minors may hold independent rights to control the disclosure of their PHI. When a parent, guardian, or minor identifies other individuals involved in the child’s care, we may disclose PHI to those individuals unless the patient objects. Federal HIPAA guidance explicitly allows disclosures to family members involved in care under these circumstances.
11. Business Associates and Third-party Service Providers
As both a Covered Entity and a Business Associate, Kinuu may share PHI with third parties who perform services for us, such as billing vendors, analytics providers, care coordination teams, or technology platform operators. Any entity that receives PHI on our behalf must sign a Business Associate Agreement that requires them to safeguard PHI, limit their use to permitted purposes, and notify us in the event of a breach. These obligations are mandated under federal HIPAA Business Associate regulations.
12. Cookies, Analytics and Tracking Technologies
When PHI is collected through digital systems, such as patient login workflows, telehealth interactions, or clinical messaging, HIPAA governs the handling of those digital identifiers. We do not allow third parties to collect PHI for their own independent purposes through cookies, tracking pixels, or analytics scripts. When analytics involve PHI, they operate only under Business Associate Agreements and only for functions permitted under HIPAA. When cookies do not involve PHI, they may still be used to enhance functionality, security, or user experience, but they do not override your HIPAA privacy rights. Federal guidance states that digital health platforms must treat web-based identifiers as PHI when they relate to clinical activity.
13. Data Security
We use administrative, technical, and physical safeguards to protect PHI. These include secure authentication protocols, user access controls, encryption, audit logging, HIPAA-compliant hosting environments, workforce training, and ongoing risk assessments. While we take significant steps to protect your information, no digital system can eliminate security threats. Nonetheless, we adhere to HIPAA’s Security Rule requirements and maintain systems designed to reduce unauthorized access, disclosure, or alteration of PHI.
14. Breach Notification
If a breach compromises the privacy or security of your PHI, we will immediately investigate, take steps to mitigate potential harm, and notify you without unreasonable delay, consistent with the HIPAA Breach Notification Rule. Notification may occur by mail, email (where permitted), patient portal, or other required methods, depending on the circumstances and the nature of the breach. These procedures are mandated under HIPAA.
15. International Data Transfers
If PHI is transferred or accessed outside the United States, we implement safeguards consistent with HIPAA requirements, ensuring that Business Associates who operate internationally maintain protections equivalent to those required domestically.
16. AI-Assisted Clinical Insights
If BrainyAct uses artificial intelligence to support clinical decision-making, AI-based outputs do not replace professional judgment. Clinicians must review and validate any algorithmically generated insights prior to incorporating them into patient care. PHI used to support AI processes is protected under HIPAA and handled in accordance with this Notice. Patients may request access to PHI involved in algorithmic decision pathways, consistent with the Privacy Rule’s right of access.
17. Changes to This Notice
We may update this Notice to reflect changes in the law, in our services, or in our privacy practices. Whenever this Notice is revised, we will update the “Last Updated” date at the top of the document and make the revised Notice available upon request and through our website.
18. Contact Us
If you have questions about this Notice, wish to exercise your HIPAA rights, or need to contact us regarding privacy matters, please reach out to:
Privacy Officer
Email: hope@Kinuu.com
Mailing Address:
Kinuu®
915 Mainstreet
Hopkins, MN 55343 USA
Please include your name, preferred contact information, and a brief description of your request.
