Last Updated: 23 Oct 2025

1. Purpose

This HIPAA Internal Privacy Policy outlines how Neobank Capital (“we,” “our,” or “us”) safeguards any health-related information that may be collected, stored, or processed during the course of providing our financial technology, identity verification, and related digital services.

While Neobank Capital is not a Covered Entity or Business Associate under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), we voluntarily adopt HIPAA-aligned privacy and security standards to protect all sensitive personal data handled through our systems.

Our goal is to maintain the highest possible level of confidentiality, integrity, and security for all user data, including data that could qualify as “Protected Health Information” (PHI) if obtained through partners or integrations.


2. Scope

This policy applies to:

  1. All employees, contractors, and service providers with access to Neobank Capital systems;
  2. Any operations, databases, or integrations that may involve the collection or storage of health-related or biometric data;
  3. Any third-party partnerships where PHI could be transmitted or stored.

This policy forms part of Neobank Capital’s Global Data Protection and Information Security Framework.


3. Definitions

Protected Health Information (PHI):

Any individually identifiable health information transmitted or maintained in any form or medium, relating to the past, present, or future physical or mental health of an individual.

HIPAA:

The U.S. Health Insurance Portability and Accountability Act (1996), which establishes standards for protecting sensitive patient health information.

Covered Entity / Business Associate:

Healthcare providers, insurers, clearinghouses, or entities performing services involving PHI on behalf of such organizations.

De-identified Data:

Data that has been stripped of personal identifiers and cannot reasonably be linked back to an individual.


4. HIPAA Compliance Statement

Neobank Capital does not operate as a healthcare provider, insurer, or clearinghouse, nor do we routinely process PHI as a core business activity.

However, in certain cases — such as identity verification, insurance-fintech partnerships, or biometric verification systems — limited data may fall under HIPAA’s definition of PHI.

In such cases, we apply HIPAA-equivalent administrative, technical, and physical safeguards to ensure confidentiality and compliance.


5. Data We May Process Under HIPAA Principles

If applicable to a specific integration, we may process:

  1. Biometric or health-related identifiers used for identity verification;
  2. Information disclosed by users for financial products with health implications (e.g., insurance-backed credit services);
  3. Partner data transmitted via API that may contain PHI elements (names, policy IDs, claim data, etc.);
  4. Access logs, consent forms, or audit trails containing PHI references.

We do not request or store medical histories, diagnostic records, or clinical data for any customer.


6. Permitted Uses and Disclosures

Neobank Capital limits the use and disclosure of health-related or PHI-type data to the following lawful and secure purposes:

  1. Identity verification and fraud prevention;
  2. Risk and compliance assessment;
  3. Regulatory reporting when required by law;
  4. Integration with approved financial or insurance partners;
  5. Internal audits and data security monitoring.

We do not disclose or sell PHI for marketing or commercial purposes.


7. Access Control and Security Safeguards

Neobank Capital applies HIPAA-aligned technical and organizational safeguards, including:

  1. Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  2. Access Controls: Role-based access and least-privilege principle for all systems.
  3. Authentication: Multi-factor authentication (MFA) required for all administrative access.
  4. Audit Logging: Detailed logs maintained for all PHI-related access and actions.
  5. Automatic Timeouts: Session management to prevent unauthorized access.
  6. Secure Data Centers: Hosted in compliant environments (SOC 2, ISO 27001, or equivalent).

8. Workforce Responsibilities

All employees and contractors with potential access to health-related or sensitive data must:

  1. Complete annual privacy and security training;
  2. Acknowledge this policy in writing;
  3. Report any suspected or confirmed data breach immediately to the Privacy and Security Team.

Unauthorized access, use, or disclosure of PHI is grounds for disciplinary action or termination.


9. Third-Party Compliance

Before sharing or transmitting any PHI-type data, Neobank Capital ensures that third-party vendors or partners:

  1. Are bound by a written Data Processing or Business Associate Agreement (BAA) when applicable;
  2. Maintain equivalent or higher security and privacy controls;
  3. Undergo periodic security audits or compliance assessments.

We do not engage with vendors that cannot demonstrate compliance with applicable privacy and data protection standards.


10. Data Retention and Disposal

Health-related or PHI data is retained only for as long as necessary to fulfill its purpose or comply with legal requirements.

When no longer required, data is securely destroyed or anonymized using NIST-approved destruction methods.

Retention periods are defined in Neobank Capital’s Data Retention & Classification Policy.


11. Breach Notification

If a breach involving PHI or equivalent sensitive data occurs, Neobank Capital will:

  1. Immediately contain and investigate the incident;
  2. Notify affected users and regulators as required by law;
  3. Document findings and corrective actions;
  4. Apply any additional steps mandated under the HIPAA Breach Notification Rule (45 CFR §§164.400–414), where applicable.

All incidents are handled in accordance with our Global Incident Response Plan.


12. Employee and Partner Training

All team members receive initial and annual refresher training on:

  1. HIPAA principles and privacy practices;
  2. Handling of sensitive and health-related data;
  3. Incident reporting and escalation procedures.

Completion of training is mandatory and recorded for compliance purposes.


13. Enforcement and Disciplinary Action

Any employee or contractor found to have violated this policy, intentionally or through negligence, may face:

  1. Disciplinary action up to and including termination;
  2. Legal consequences if applicable;
  3. Loss of system access or credential revocation.

14. Oversight and Governance

This policy is maintained under the joint responsibility of:

  1. Global Data Protection Officer (DPO)
  2. Chief Compliance Officer (CCO)
  3. Information Security Department

Regular audits and assessments ensure ongoing compliance with internal privacy and HIPAA-aligned controls.


15. Policy Updates

This HIPAA Internal Privacy Policy may be updated periodically to reflect changes in:

  1. Applicable laws or regulations;
  2. Business operations or data processing practices;
  3. Industry standards or security technologies.

The latest version will always be available in the Neobank Capital Legal Center and internal compliance portal.


16. Contact Information

Privacy and Compliance Office

Neobank Capital / PRS ONE Capital Trust KB

Email: privacy@neobank.capital

Address: 848 Brickell Ave, Penthouse 5, Miami, FL 33131, USA

Website: https://legal.neobank.capital

...