Trust
Data & Security
TVshuru Health runs in one of the most sensitive environments there is — the patient bedside. Protecting patient data is a design requirement, not a feature. This page summarizes how we do it. Contracted hospitals receive full documentation during security review.
Our role: HIPAA Business Associate
When TVshuru Health is deployed at a hospital, the hospital is the covered entity and TVshuru Health acts as its Business Associate. We enter a Business Associate Agreement (BAA) with every hospital and operate under the HIPAA Privacy, Security, and Breach Notification Rules. We use protected health information (PHI) only to provide and support the service — never to sell it, and never for our own marketing or advertising.
What data TVshuru Health uses at the bedside
TVshuru Health is built on the principle of data minimization. A typical deployment uses only what the bedside experience needs:
- Identifiers to personalize the room — such as the patient's name, room/bed, and care team — drawn from your admissions/EHR systems.
- The education, menus, and request options relevant to that patient and ward.
- Non-urgent requests and inputs the patient makes on the screen, routed to the right team.
TVshuru Health is not a monitoring device and does not perform clinical measurements.
How it is protected
- Encryption. PHI is encrypted in transit (TLS) and at rest.
- Access control. Role-based access, least-privilege, and strong authentication for staff and administrators; audit logging of access to PHI.
- Segregation. Each hospital's data is logically separated from every other tenant's.
- Per-admission clearing. Personalized content and patient inputs are cleared from the room between admissions, so the next patient starts fresh.
- Hardened endpoints. Bedside devices are managed, locked down to the TVshuru Health experience, and favor wipeable, cleanable interfaces.
- Secure development. Change control, testing, and vulnerability management as part of our engineering process.
Retention and disposal
Patient information is retained only as directed by the hospital and the BAA. Room-level personalization is cleared at discharge. When a deployment ends, we return or securely destroy PHI as the agreement requires.
Subprocessors and hosting
Where we rely on infrastructure or service providers to deliver TVshuru Health, each is bound by appropriate contractual and HIPAA obligations, including BAAs where they may handle PHI. A current subprocessor list is available to contracted hospitals on request.
Breach notification
In the event of a breach of unsecured PHI, we notify the affected hospital without unreasonable delay and support its obligations under the HIPAA Breach Notification Rule.
Patient rights
Because the hospital is the covered entity for its patients, patients exercising rights over their health information — access, amendment, restriction, or an accounting of disclosures — should contact the hospital. TVshuru Health supports the hospital in responding.
Accessibility & safety by design
TVshuru Health is built to the accessibility expectations of the ADA effective-communication rule and Section 508 (WCAG 2.0 AA), and supports ligature-safe delivery for behavioral-health settings. Safety and accessibility are treated as security properties of the system.
Running a security review? Email security@tangiblespin.com and we will share our BAA template, security documentation, and subprocessor list.