De-identified health data is provided to Gradient by entities subject to HIPAA and other state laws. Gradient and its clients must adhere to the same laws.

Two key factors from privacy laws driving Gradient policies:

1. Ensure reidentification risk is “very small” 
2. Output must only be viewed by the Authorized User

The Gradient policies include:

• Only groups with at least 10 individuals will return Medical Underwriting data
• Gender specific codes have been removed or rolled up
• Only Authorized Users may access Medical Underwriting reports
• Authorized Users may only discuss detail output with other Authorized Users
• Authorized Users may not share their credentials or output
• Email, Zoom, etc. must not be used to share Medical Underwriting details
• Authorized Users may record MemberID#'s (impacting underwriting decisions) in an underwriting journal for audit but cannot include corresponding conditions or drugs