HIPAA and Your Data

What Vasl Health collects, who can see it, how VLAP handles your information, and your rights as a member or organizational partner, in plain language.


What HIPAA means here

HIPAA (the Health Insurance Portability and Accountability Act) sets federal standards for how health information is handled, stored, and shared. Vasl Health is a HIPAA-covered entity, which means your health information in the Vasl platform receives the same legal protections as your medical records at a doctor's office.

In practice, this means Vasl cannot share your individual health information with anyone outside your care team without your explicit consent: not your school, not your employer, not your parents (unless you're a minor and applicable state law requires it), and not any commercial third party. The architecture enforces this. It's not just a policy.

The Plain-Language Version

What you share in Vasl is treated like medical information. It stays within your care team: your coach and your clinician. Your school administrator, your employer, and your parents do not have access to it. We don't sell it, share it for advertising, or disclose it without your consent. That's the commitment, and HIPAA makes it a legal one.

What data Vasl collects

We collect the minimum data necessary to provide the platform's care functions. Here's a specific breakdown of what is and isn't retained:

| Data Type | What It Is | Stored? |
|---|---|---|
| Account information | Name, email, age range, identity preferences set during onboarding | Yes |
| Check-in responses | Mood selections and optional text you submit through daily check-ins | Yes |
| Coach messages | Your message thread with your assigned coach | Yes |
| Assessment scores | PHQ-8 and GAD-7 scores completed during onboarding | Yes |
| Peer group posts | Posts and replies you make in peer groups | Yes |
| VLAP signal output | Dimensional signal profiles generated from your language, not verbatim transcripts | Yes |
| Verbatim VLAP input | The exact text VLAP processes to generate signals | Not stored |
| Session content | What is said in clinical sessions; stays in the clinician's own records system | Not in Vasl |
| Device or browser data | Basic technical information for platform function | Minimal |

On Assessment Scores

The PHQ-8 and GAD-7 scores you complete during onboarding are stored and visible in your profile. They are also visible to your coach and clinician as clinical context. They are not shared with your school, employer, or org administrator. Your individual scores are never part of any aggregate data provided to organizations; only de-identified population-level trends are shared with org administrators.

Who can see what

This is the most important section for most members. Here is exactly who has access to each type of your data, with no exceptions to what's described here.

| Data Type | You | Your Coach | Your Clinician | School / Org Admin |
|---|---|---|---|---|
| Check-ins & messages | Yours only | Yes | Yes | Never |
| Assessment scores (PHQ-8 / GAD-7) | Yours only | Yes | Yes | Never |
| VLAP signal profile | Not visible | Summary only | Full profile | Never |
| Peer group posts | Groups you joined | Not visible | Not visible | Never |
| Clinical session notes | Not in Vasl | Not visible | In their own system | Never |
| Your name & individual identity | Yours only | Yes | Yes | Never |
| Community-level aggregate trends | Not applicable | Not applicable | Not applicable | Aggregate, De-identified |

The school administrator or org admin column says "Never" for every individual data type, and "Aggregate, De-identified" for community-level trends. That last entry means the org can see things like "this week, 34% of members reported mood scores below 3", with no names, no individual records, and no way to identify who contributed to the number. A minimum cohort size is required before aggregate data is surfaced, specifically to prevent re-identification by inference.

Why Your School Can't See Your Data

This is a question many members have, especially students who worry that what they share will reach their counselors, teachers, or parents. The answer is architectural: the system is built so that individual disclosure to school administrators is structurally impossible. It is not a setting that can be changed, a policy that can be overridden by the school, or an exception that applies in any circumstance. Individual member data never reaches school staff.

How VLAP handles your data

VLAP (the Vasl Language Analysis Platform) processes the language you share in check-ins and coach messages to generate clinical signal context for your care team. Here's exactly how that processing works from a data perspective:

Processing method: In-memory only. VLAP processes your language without storing verbatim text. The input is analyzed and discarded; only the dimensional signal profile is retained.

What is stored: The signal profile (dimensional codes and pattern interpretations). Not a transcript. Not a quote. Not the words you used.

Who sees it: Your coach sees a simplified summary. Your clinician sees the full dimensional profile. No one else: not school staff, not org administrators, not Vasl team members outside the clinical supervisory function.

What VLAP does not do: VLAP does not respond to you, make clinical decisions, initiate contact, or scan peer groups. It is invisible to members entirely.

Peer groups: VLAP does not process peer group posts. Peer group content is not scanned by any AI system. Human moderators oversee peer groups.

Your rights under HIPAA

As a Vasl member, HIPAA gives you specific rights over your health information. Here's what those rights are and how to exercise them:

01. Right to Access Your Records

You have the right to request a copy of your health information held by Vasl, including your check-in history, assessment scores, mood data, and VLAP signal profiles. We will provide this within 30 days of a valid request.

Email privacy@vaslhealth.com to request your records

02. Right to Request Corrections

If you believe any information in your Vasl records is inaccurate or incomplete, you have the right to request a correction. We will review the request and respond within 60 days.

Email privacy@vaslhealth.com with the specific information you believe is incorrect

03. Right to Know Who Has Accessed Your Records

You have the right to request an accounting of disclosures: a record of who has accessed or received your health information, other than your care team and standard platform operations. We maintain audit logs and can provide this upon request.

Request a disclosure accounting at privacy@vaslhealth.com

04. Right to Restrict Disclosures

You have the right to request restrictions on how your health information is used or shared within the platform, beyond what HIPAA already requires. We will consider all requests and respond within 30 days, though we are not required to grant all restrictions.

Email privacy@vaslhealth.com with your specific restriction request

05. Right to Delete Your Data

You have the right to request deletion of your health information from Vasl's systems. Some data may be retained for the legally required period under HIPAA (minimum 6 years for certain records), but we will delete everything that can be deleted and confirm what, if anything, must be retained and why.

Email privacy@vaslhealth.com to submit a deletion request

06. Right to File a Complaint

If you believe Vasl has violated your HIPAA rights, you have the right to file a complaint, with us directly or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

File with us at privacy@vaslhealth.com, or with HHS OCR at hhs.gov/ocr

For organizations: BAA and compliance requirements

Every organization that deploys Vasl Health (school districts, universities, community health centers, health plans) is required to execute a Business Associate Agreement (BAA) with Vasl Health before any member data is collected or processed. The BAA establishes the legal framework for how Vasl handles protected health information (PHI) on behalf of the organization, and the specific safeguards that apply.

BAA required: Yes, before deployment. No member data is collected until a signed BAA is in place. This is a hard gate in the deployment process, not a post-launch formality.

What BAA covers: Defines PHI handling obligations, security requirements, breach notification procedures, and permitted uses of member data by Vasl as a Business Associate of the covered entity.

Org data access: Organizational administrators access only aggregate, de-identified population data. The BAA specifies these access controls and prohibits individual member data from being shared with org staff under any circumstances.

FERPA alignment: For school district deployments, Vasl operates as a direct service provider to students, not as an agent of the school district for FERPA purposes. Student health records generated in Vasl are classified as health information under HIPAA, not as education records under FERPA, and are structurally inaccessible to school administrators.

Security certifications: SOC 2 Type II (annual third-party security audit covering security, availability, and confidentiality). Full report available under NDA to partner organizations upon request.

Medicaid documentation: For school and community health deployments using school-based Medicaid billing, Vasl provides HIPAA-compliant documentation exports formatted for Medicaid billing submission. Clinical data used for billing meets applicable state Medicaid program requirements.

BAA request: Contact privacy@vaslhealth.com to initiate BAA execution. BAA template is available for legal review prior to signature.

Breach notification

HIPAA requires that Vasl notify affected individuals and, where applicable, the U.S. Department of Health and Human Services if a breach of unsecured protected health information occurs. Here's how that works:

Individual notification: If a breach affects your health information, Vasl will notify you in writing within 60 days of discovering the breach. The notification will include: what happened, what types of information were involved, what Vasl is doing to investigate and mitigate the breach, and what you can do to protect yourself.

HHS notification: Breaches affecting 500 or more individuals in a state or jurisdiction are reported to HHS within 60 days. Smaller breaches are reported annually.

Media notification: Breaches affecting 500 or more individuals in a single state may require notification to prominent media outlets in that state, in addition to individual notification.

To Report a Suspected Security Issue

If you believe you've discovered a security vulnerability in the Vasl platform, or have reason to believe your data may have been accessed without authorization, contact us immediately at security@vaslhealth.com. We take all security reports seriously and will respond within 24 hours.

Questions and contact

For any question about your privacy, your data, or your HIPAA rights under the Vasl platform, contact our Privacy Officer directly:

Privacy Officer: Vasl Health Privacy Office, privacy@vaslhealth.com

Security issues: security@vaslhealth.com (24-hour response for suspected breaches or vulnerabilities)

BAA and compliance: privacy@vaslhealth.com (BAA template, SOC 2 report under NDA, compliance documentation)

HHS OCR complaint: hhs.gov/ocr (if you believe your HIPAA rights have been violated and wish to file a federal complaint)

Full Privacy Policy: gotovasl.com/privacy (full legal privacy policy including data retention schedules and third-party processor list)

Last updated: May 2026