---
title: "Data & Security — TVshuru Health"
description: "How TVshuru Health protects patient data: HIPAA Business Associate role, encryption, access controls, data segregation, per-admission clearing, retention, and breach notification."
url: "https://health.tvshuru.com/data-security.html"
last_updated: "2026-07-15"
---

# Data & Security

TVshuru Health runs at the patient bedside — one of the most sensitive environments there is. Protecting patient data is a design requirement, not a feature. Contracted hospitals receive full documentation during security review.

## Our role: HIPAA Business Associate

When deployed at a hospital, the hospital is the covered entity and TVshuru Health acts as its **Business Associate** under a **Business Associate Agreement (BAA)** and the HIPAA Privacy, Security, and Breach Notification Rules. We use PHI only to provide and support the service — never to sell it or for marketing.

## What data TVshuru Health uses at the bedside

Built on data minimization — typically only:

- Identifiers to personalize the room (name, room/bed, care team) from admissions/EHR.
- The education, menus, and request options relevant to that patient and ward.
- Non-urgent requests and inputs routed to the right team.

TVshuru Health is not a monitoring device and performs no clinical measurements.

## How it is protected

- **Encryption** in transit (TLS) and at rest.
- **Access control** — role-based, least-privilege, strong authentication, audit logging.
- **Segregation** — each hospital's data logically separated.
- **Per-admission clearing** — personalization and inputs cleared between admissions.
- **Hardened endpoints** — managed, locked-down bedside devices with wipeable interfaces.
- **Secure development** — change control, testing, vulnerability management.

## Retention and disposal

Patient information is retained only as directed by the hospital and BAA; room personalization is cleared at discharge. When a deployment ends, we return or securely destroy PHI as required.

## Subprocessors and hosting

Infrastructure and service providers are bound by contractual and HIPAA obligations, including BAAs where they may handle PHI. A subprocessor list is available to contracted hospitals on request.

## Breach notification

We notify the affected hospital without unreasonable delay and support its obligations under the HIPAA Breach Notification Rule.

## Patient rights

Patients exercise rights over their health information through the hospital (the covered entity); TVshuru Health supports the hospital in responding.

## Accessibility & safety by design

Built to the ADA effective-communication rule and Section 508 (WCAG 2.0 AA), with ligature-safe delivery for behavioral health. Safety and accessibility are treated as security properties.

Security reviews: security@tangiblespin.com
