Tingg

h1. Tingg Insight HIPAA Compliance Scope and Applicability

*Product:* Tingg Insight

*Platform:* Tingg Platform

*Version:* v1.0

*Status:* Draft

*Owner:* Product / Compliance

*Last Updated:* [Date]

---

h2. 1. Purpose

This document defines the *scope and applicability of HIPAA compliance* for the *Tingg Insight* product, which operates as a module within the broader *Tingg Platform*.

The purpose of this document is to:

* Clearly establish what is *in scope* and *out of scope* for HIPAA

* Prevent ambiguity during development, testing, and audits

* Serve as the *authoritative boundary document* for all HIPAA-related work

This document must be read in conjunction with:

* HIPAA Compliance BRD

* HIPAA Compliance Epics & User Stories

* HIPAA Test & Evidence Plan

---

h2. 2. Regulatory Framework

The following HIPAA regulations are applicable to Tingg Insight *within the defined scope*:

* HIPAA Privacy Rule (45 CFR §164.500–534)

* HIPAA Security Rule (45 CFR §164.302–318)

  ** Administrative Safeguards

  ** Technical Safeguards

  ** Physical Safeguards *(limited applicability – see exclusions)*

*Note:* Tingg Insight is designed to be *HIPAA-eligible*, not inherently HIPAA-certified. Compliance depends on correct configuration and operational practices by the customer.

---

h2. 3. In-Scope Products & Modules

h3. 3.1 In-Scope Product

* Tingg Insight

Tingg Insight is a survey, assessment, and insights module that may collect, process, store, or analyze data that qualifies as *Protected Health Information (PHI)* when configured for healthcare-related use cases.

---

h3. 3.2 Out-of-Scope Products

The following Tingg Platform products are *explicitly out of HIPAA scope*:

* Tingg Career (ATS / Recruitment)

* Tingg KM (Knowledge Management)

* Marketing websites, landing pages, blogs

* Admin portals not directly interacting with PHI

* Experimental or beta modules not explicitly approved

---

h2. 4. In-Scope Features (Tingg Insight)

The following Tingg Insight features are *within HIPAA scope when used to handle PHI*:

* Survey and assessment response collection

* Storage of responses containing PHI

* Analytics and reporting dashboards derived from PHI

* User authentication and authorization for PHI access

* Audit logging related to PHI access and modification

* Data export features involving PHI (CSV, API, integrations)

*Important:* Feature inclusion in scope depends on *actual usage*.

A feature may be in scope for one customer and out of scope for another.

---

h2. 5. Out-of-Scope Features

The following features are *explicitly excluded from HIPAA scope*:

* Anonymous surveys with no PHI fields

* Static content pages (instructions, help text, thank-you pages)

* UI theming and branding configuration

* Survey templates without PHI

* Client-side analytics not tied to identifiable individuals

* Non-production environments used for demos or marketing

---

h2. 6. In-Scope Data (PHI Definition)

For Tingg Insight, *Protected Health Information (PHI)* includes, but is not limited to:

* Names, email addresses, phone numbers when linked to health data

* Medical conditions, symptoms, or diagnoses

* Treatment-related survey responses

* Identifiers such as patient IDs or appointment references

* Any combination of identifiers and health-related information

PHI determination is *contextual* and depends on:

* Survey configuration

* Question types

* Customer use case

---

h2. 7. Out-of-Scope Data

The following data types are *out of HIPAA scope*:

* Fully anonymous responses with no identifiers

* Aggregated or de-identified analytics

* System metadata (timestamps, request IDs) unless linked to PHI

* Platform operational metrics

* Billing and subscription data

---

h2. 8. In-Scope Users & Roles

The following user roles may have *access to PHI* and are therefore in scope:

* Customer administrators

* Authorized internal platform administrators

* Support personnel with approved PHI access

* Compliance or audit users

Access to PHI is governed by:

* Role-based access control (RBAC)

* Least privilege principles

* Audit logging

---

h2. 9. Out-of-Scope Users

The following users are *not considered in scope*:

* Survey respondents (data subjects)

* Marketing users

* Sales users

* Unauthenticated public users

* Internal users without PHI access

---

h2. 10. Environment Scope

h3. In-Scope Environments

* Production environments handling real customer data

* Disaster recovery and backup systems containing PHI

h3. Out-of-Scope Environments

* Local development environments

* Test or staging environments with synthetic data

* Demo environments

* Developer sandboxes

---

h2. 11. Shared Responsibility Model

HIPAA compliance for Tingg Insight follows a *shared responsibility model*.

h3. Tingg (Platform Owner) Responsibilities

* Application-level security controls

* Access control mechanisms

* Audit logging

* Encryption at rest and in transit

* Secure software development practices

h3. Customer Responsibilities

* Correct configuration of surveys

* Determination of PHI fields

* User access management

* Operational policies and procedures

* Business Associate Agreement (BAA) management

---

h2. 12. Assumptions & Constraints

* Tingg Insight is HIPAA-eligible, not automatically HIPAA-compliant

* Compliance depends on customer usage and configuration

* This scope may evolve based on:

  ** New features

  ** Regulatory changes

  ** Customer requirements

---

h2. 13. Scope Change Management

Any change to this scope must:

* Be reviewed by Product and Compliance

* Be documented as a new version

* Trigger a review of impacted Epics, Stories, and Tests

---

h2. 14. Approval

|*. Role |*. Name |_. Date |

| Product Owner | [TBD] | |

| Compliance Owner | [TBD] | |

| Engineering Lead | [TBD] | |

---