Kainoa Labs · Whitney Health
Technology, Security & Compliance
Platform architecture, data security, and compliance posture for enterprise health system deployment.
Whitney Health is built on clinical-grade infrastructure designed from the ground up for deployment in regulated health system environments. This page describes the platform’s technical architecture, security controls, data governance practices, and intellectual property position for the CIO, CISO, and compliance teams evaluating the platform for enterprise use.
Compliance & Certification Status
The following reflects the platform’s current compliance posture and active certification roadmap.
HIPAA Compliance
Business Associate Agreements executed with all technology partners
✓ Active
FDA Breakthrough Device Designation
Granted October 2020 · De Novo submission in preparation
✓ Active
Used in Research
Secure, HIPAA-compliant research infrastructure
✓ Active
SOC 2 Type II
Gap assessment underway
In Preparation
HITRUST CSF
Gap assessment underway
In Preparation
ISO 27001
Gap assessment underway
In Preparation
Health system partners may execute a Business Associate Agreement (BAA) prior to or concurrent with platform onboarding. BAA templates are available upon request.
Data Architecture & Infrastructure
Whitney Health runs on Amazon Web Services (AWS), hosted exclusively in the United States. Production and research environments are logically separated. No patient data is processed or stored outside US jurisdiction.
Data Segmentation
Patient health data is stored with strict logical separation across three categories:
PHI
Identity and demographic data
PII
Contact and account data
Performance Data
De-identified assessment results, behavioral metrics, and scoring outputs
Separation is enforced through AWS Key Management Service (KMS), with independent encryption keys per data category. PHI and PII are never co-mingled with performance data in the same storage layer or query path.
Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Session recordings are encrypted at the point of capture on the patient device prior to transmission.
Session Recording & Data Integrity
Every assessment session generates a secure, time-stamped recording encrypted on-device before transmission. Recordings are processed server-side and retained as a permanent, auditable clinical record. No session data is stored locally after transmission.
Patient Data & Privacy Controls
Informed Consent
Patient data is collected under explicit informed consent workflows built into the platform’s onboarding process.
Data Subject Rights
Patients may request deletion of their data consistent with applicable federal and state health privacy law. The platform supports data subject request workflows.
Research Data Use
De-identified data used for model training and validation is processed under IRB-approved protocols with HIPAA-compliant de-identification methods.
No Third-Party Data Sharing
The platform does not sell, license, or share patient data with third parties for commercial purposes. Assessment data is used solely to deliver clinical services to the patient and health system that collected it.
Access Logging & Audit Trails
The platform maintains detailed audit logs of all data access events, supporting compliance review and incident investigation.
Access Controls & Role-Based Permissions
Whitney Health enforces a multi-tier role-based access control architecture. Access to clinical data is governed by role, relationship to the patient, and authorization status — not by broad credential class.
Role-gated access to source data
Clinical scoring results, raw session recordings, and behavioral source data are accessible only to roles explicitly authorized for each data tier. Administrative roles do not carry automatic access to clinical source data.
Sequential authorization-gated quality control
The quality control pipeline enforces a sequential, multi-party authorization chain before any assessment result is released for clinical use. No single user can advance a result without the prior stage being completed and signed off.
Session admissibility controls
The platform evaluates environmental and technical conditions at assessment time against predefined criteria. Sessions that do not meet quality thresholds are flagged before results enter the clinical pipeline.
MFA
Multi-factor authentication required for all clinical and administrative accounts
Roles
Role assignments are managed by health system administrators within the provider portal
Sessions
Session tokens expire on inactivity; re-authentication is required for sensitive data access
Audit
All permission changes are logged with timestamp and actor identity
EHR Integration
Whitney Health is designed to integrate with existing electronic health record systems. Integration is configured during implementation and is being prepared for use with standard EHR environments supporting HL7 and FHIR protocols.
No Additional Hardware Required
The platform does not require proprietary hardware, dedicated workstations, or IT infrastructure beyond standard internet connectivity and a consumer iOS or Android device for patient-facing sessions.
Workflow integration
Integration scope, data mapping, and workflow configuration are defined collaboratively with the health system IT team during onboarding.
Intellectual Property
The Whitney Health platform is protected by a portfolio of four issued United States patents and eleven provisional patent applications filed in 2026. The issued patents cover the platform’s core biometric and behavioral measurement methods — the foundational layer on which the clinical software is built.
The provisional applications cover the clinical software architecture, data processing pipelines, and analytical systems. The issued patents were granted between 2017 and 2020, establishing priority in the core measurement methods that underpin diagnostic accuracy. Patents are assigned to Miro Health, Inc. (operating as Kainoa Labs).
Number
Date
Status
Title
Issued United States patents
US 9,703,407
Jul 2017
Issued
Motion Restriction and Measurement for Self-Administered Cognitive Tests
US 10,383,553
Aug 2019
Issued
Data Collection and Analysis for Self-Administered Cognitive Tests Characterizing Fine Motor Functions
US 10,444,980
Oct 2019
Issued
Biomechanical Motion Measurement for Self-Administered Tests
US 10,748,439
Aug 2020
Issued
Automated Delivery of Unique, Equivalent Task Versions in Computer-Delivered Testing Environments
2026 provisional applications
64/094,155 · Navigable scoring hierarchy with role-gated source data access
64/094,173 · Versioned interpretation architecture
64/094,182 · Multi-informant invitation and onboarding
64/094,192 · Single-subject longitudinal neurobehavioral analysis
64/094,196 · Automated speech and language assessment
64/094,208 · Sequential authorization-gated QC
64/094,211 · Unified clinical and research platform
64/094,216 · Session admissibility control
64/094,219 · Adaptive stimulus generation and QA
64/094,225 · Unlimited equivalent repeatable assessment
64/094,228 · Multi-domain functional brain health assessment using a navigable illustrated world
Summary for CIO & Compliance Review
For health system technology and compliance teams, the following summarizes what the platform currently provides and what is in progress:
Data stays in the United States.
All patient data — PHI, PII, and performance data — is processed and stored exclusively on US-based AWS infrastructure, with no cross-border data transfers.
PHI is encrypted, segregated, and access-controlled.
AES-256 encryption at rest, TLS 1.2+ in transit, KMS-managed key separation by data category, and role-gated access controls at every layer of the clinical data pipeline.
Business Associate Agreements are available now.
BAAs are executed with all technology partners. SOC 2 Type II, HITRUST, and ISO 27001 certification processes are in preparation.
The platform generates its own audit trail.
Every session, access event, permission change, and QC authorization step is logged with timestamp and actor identity — supporting compliance review, incident response, and reimbursement defensibility.
Core technology is patent-protected.
Four issued US patents cover the platform’s foundational measurement methods, with eleven additional provisional applications covering the clinical software architecture. All IP is assigned to Miro Health, Inc. (Kainoa Labs).
Whitney Health is a product of Kainoa Labs, Inc. · All patient data processed under executed Business Associate Agreement.