Kainoa Labs · Whitney Health

Technology, Security & Compliance

Platform architecture, data security, and compliance posture for enterprise health system deployment.

Whitney Health is built on clinical-grade infrastructure designed from the ground up for deployment in regulated health system environments. This page describes the platform’s technical architecture, security controls, data governance practices, and intellectual property position for the CIO, CISO, and compliance teams evaluating the platform for enterprise use.

Compliance & Certification Status

The following reflects the platform’s current compliance posture and active certification roadmap.

HIPAA Compliance

Business Associate Agreements executed with all technology partners

✓ Active

FDA Breakthrough Device Designation

Granted October 2020 · De Novo submission in preparation

✓ Active

Used in Research

Secure, HIPAA-compliant research infrastructure

✓ Active

SOC 2 Type II

Gap assessment underway

In Preparation

HITRUST CSF

Gap assessment underway

In Preparation

ISO 27001

Gap assessment underway

In Preparation

Health system partners may execute a Business Associate Agreement (BAA) prior to or concurrent with platform onboarding. BAA templates are available upon request.

Data Architecture & Infrastructure

Whitney Health runs on Amazon Web Services (AWS), hosted exclusively in the United States. Production and research environments are logically separated. No patient data is processed or stored outside US jurisdiction.

Data Segmentation

Patient health data is stored with strict logical separation across three categories:

PHI

Identity and demographic data

PII

Contact and account data

Performance Data

De-identified assessment results, behavioral metrics, and scoring outputs

Separation is enforced through AWS Key Management Service (KMS), with independent encryption keys per data category. PHI and PII are never co-mingled with performance data in the same storage layer or query path.

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Session recordings are encrypted at the point of capture on the patient device prior to transmission.

Session Recording & Data Integrity

Every assessment session generates a secure, time-stamped recording encrypted on-device before transmission. Recordings are processed server-side and retained as a permanent, auditable clinical record. No session data is stored locally after transmission.

Patient Data & Privacy Controls

Informed Consent

Patient data is collected under explicit informed consent workflows built into the platform’s onboarding process.

Data Subject Rights

Patients may request deletion of their data consistent with applicable federal and state health privacy law. The platform supports data subject request workflows.

Research Data Use

De-identified data used for model training and validation is processed under IRB-approved protocols with HIPAA-compliant de-identification methods.

No Third-Party Data Sharing

The platform does not sell, license, or share patient data with third parties for commercial purposes. Assessment data is used solely to deliver clinical services to the patient and health system that collected it.

Access Logging & Audit Trails

The platform maintains detailed audit logs of all data access events, supporting compliance review and incident investigation.

Access Controls & Role-Based Permissions

Whitney Health enforces a multi-tier role-based access control architecture. Access to clinical data is governed by role, relationship to the patient, and authorization status — not by broad credential class.

Role-gated access to source data

Clinical scoring results, raw session recordings, and behavioral source data are accessible only to roles explicitly authorized for each data tier. Administrative roles do not carry automatic access to clinical source data.

Sequential authorization-gated quality control

The quality control pipeline enforces a sequential, multi-party authorization chain before any assessment result is released for clinical use. No single user can advance a result without the prior stage being completed and signed off.

Session admissibility controls

The platform evaluates environmental and technical conditions at assessment time against predefined criteria. Sessions that do not meet quality thresholds are flagged before results enter the clinical pipeline.

MFA

Multi-factor authentication required for all clinical and administrative accounts

Roles

Role assignments are managed by health system administrators within the provider portal

Sessions

Session tokens expire on inactivity; re-authentication is required for sensitive data access

Audit

All permission changes are logged with timestamp and actor identity

EHR Integration

Whitney Health is designed to integrate with existing electronic health record systems. Integration is configured during implementation and is being prepared for use with standard EHR environments supporting HL7 and FHIR protocols.

No Additional Hardware Required

The platform does not require proprietary hardware, dedicated workstations, or IT infrastructure beyond standard internet connectivity and a consumer iOS or Android device for patient-facing sessions.

Workflow integration

Integration scope, data mapping, and workflow configuration are defined collaboratively with the health system IT team during onboarding.

Intellectual Property

The Whitney Health platform is protected by a portfolio of four issued United States patents and eleven provisional patent applications filed in 2026. The issued patents cover the platform’s core biometric and behavioral measurement methods — the foundational layer on which the clinical software is built.

The provisional applications cover the clinical software architecture, data processing pipelines, and analytical systems. The issued patents were granted between 2017 and 2020, establishing priority in the core measurement methods that underpin diagnostic accuracy. Patents are assigned to Miro Health, Inc. (operating as Kainoa Labs).

Number

Date

Status

Title

Issued United States patents

US 9,703,407

Jul 2017

Issued

Motion Restriction and Measurement for Self-Administered Cognitive Tests

US 10,383,553

Aug 2019

Issued

Data Collection and Analysis for Self-Administered Cognitive Tests Characterizing Fine Motor Functions

US 10,444,980

Oct 2019

Issued

Biomechanical Motion Measurement for Self-Administered Tests

US 10,748,439

Aug 2020

Issued

Automated Delivery of Unique, Equivalent Task Versions in Computer-Delivered Testing Environments

2026 provisional applications

64/094,155 · Navigable scoring hierarchy with role-gated source data access

64/094,173 · Versioned interpretation architecture

64/094,182 · Multi-informant invitation and onboarding

64/094,192 · Single-subject longitudinal neurobehavioral analysis

64/094,196 · Automated speech and language assessment

64/094,208 · Sequential authorization-gated QC

64/094,211 · Unified clinical and research platform

64/094,216 · Session admissibility control

64/094,219 · Adaptive stimulus generation and QA

64/094,225 · Unlimited equivalent repeatable assessment

64/094,228 · Multi-domain functional brain health assessment using a navigable illustrated world

Summary for CIO & Compliance Review

For health system technology and compliance teams, the following summarizes what the platform currently provides and what is in progress:

Data stays in the United States.

All patient data — PHI, PII, and performance data — is processed and stored exclusively on US-based AWS infrastructure, with no cross-border data transfers.

PHI is encrypted, segregated, and access-controlled.

AES-256 encryption at rest, TLS 1.2+ in transit, KMS-managed key separation by data category, and role-gated access controls at every layer of the clinical data pipeline.

Business Associate Agreements are available now.

BAAs are executed with all technology partners. SOC 2 Type II, HITRUST, and ISO 27001 certification processes are in preparation.

The platform generates its own audit trail.

Every session, access event, permission change, and QC authorization step is logged with timestamp and actor identity — supporting compliance review, incident response, and reimbursement defensibility.

Core technology is patent-protected.

Four issued US patents cover the platform’s foundational measurement methods, with eleven additional provisional applications covering the clinical software architecture. All IP is assigned to Miro Health, Inc. (Kainoa Labs).

Whitney Health is a product of Kainoa Labs, Inc. · All patient data processed under executed Business Associate Agreement.