Lumina does not receive, store, or process Protected Health Information.
Lumina is a geocoding and routing tool. It works with anonymized addresses and internal reference codes — not names, diagnoses, or any information that could identify a patient. Because no Protected Health Information enters our platform, Lumina does not trigger HIPAA Business Associate obligations and no Business Associate Agreement is required for standard use.
Lumina is a geographic proximity and route optimization platform. It accepts address data paired with internal reference codes supplied by your organization and uses that data to calculate proximity matches and drive times. That is the full extent of what Lumina ingests.
Lumina receives:
Lumina never receives:
The mapping between reference codes and real individuals is maintained exclusively within your organization. That internal record never leaves your systems.
Before any data reaches Lumina, your team prepares it using your organization's in-house template. The process is designed so that all identifying information is stripped at your end before upload:
This model mirrors how other widely-used routing and logistics platforms operate — the geographic data is functional, not personal. Lumina is agnostic to who the codes represent.
Under HIPAA, a Business Associate Agreement (BAA) is required when a vendor receives, transmits, or maintains PHI on behalf of a Covered Entity. Because Lumina's data model is specifically designed so that no PHI enters the platform, the BAA requirement is not triggered.
An address alone, without any associated health information or identifying link, is not PHI under HIPAA. The 18 HIPAA Safe Harbor identifiers include geographic data only when it is more specific than a three-digit zip code and when it is associated with health information about an identifiable individual. In Lumina's model, addresses are uploaded without any health information linkage, making them non-PHI by design.
Your organization remains fully responsible for your own HIPAA compliance — including maintaining secure internal records that map codes to individuals, limiting internal access to that mapping, and ensuring your own data handling practices meet applicable requirements. Lumina's role is limited to processing the de-identified geographic data you provide.
While Lumina is designed to operate entirely outside the scope of HIPAA, your organization as a Covered Entity retains all standard HIPAA obligations. In the context of using Lumina, this means:
Protocol | Operational Architecture, LLC is not responsible for any PHI submitted to Lumina in violation of these terms. Submitting identifiable data to the platform constitutes a violation of your subscription agreement.
Although Lumina is not subject to the HIPAA Security Rule for the reasons described above, we maintain strong data security practices consistent with industry standards for platforms serving healthcare-adjacent organizations:
We may update this HIPAA Positioning Statement to reflect changes in our platform, legal requirements, or regulatory guidance. Material changes will be communicated to active subscribers by email. The most current version will always be available at this URL.
This statement does not constitute legal advice. We recommend consulting your organization's HIPAA compliance officer or legal counsel if you have questions about your specific compliance obligations in connection with using Lumina.
Protocol | Operational Architecture, LLC
Email: compliance@oparch.pro
Web: oparch.pro
For general privacy questions, see our Privacy Policy.