HIPAA compliance is a shared responsibility between us and your clinic. Here is what we cover and what you own.
What we do
- BAA on file — every clinic gets a signed Business Associate Agreement with us before going live. This is the legal contract that lets us touch protected health information on your behalf.
- Encryption at rest and in transit — everything stored is encrypted with AES-256, every connection is TLS 1.3.
- Access controls — only the operators assigned to your clinic can see your data. Everything is logged. Access logs are retained for six years.
- Audit log — every read, write, and export of PHI is logged with user, time, and what was touched. You can pull this audit log from your dashboard at any time.
- Vendor BAAs — every subprocessor we use (Stripe, AWS, Postmark, etc.) has a BAA with us. We publish the full subprocessor list and update it 30 days before adding a new one.
- Breach response — if a breach happens, we notify you within 24 hours, not the 60 days the law allows.
What you do
- Workforce training — your team needs annual HIPAA training. We can recommend a vendor if you do not have one.
- Access management for your team — when someone leaves your clinic, you remove their account in Settings → Team. We do not know who has left the building, so we cannot do this for you.
- Client notices — you provide clients with your Notice of Privacy Practices. We have a template you can customize and we will host it under your /legal/privacy URL.
- Physical security — laptops, screens, paper records — your premises, your responsibility.
- Reasonable judgment — do not paste a client's PHI into a public Slack channel. Do not export the customer list and email it from a personal account. The platform tries to prevent these but cannot prevent every form of human error.
When clients ask
Clients sometimes ask if their data is HIPAA-protected on a storefront. The honest answer for most clinics is: yes, the parts that are PHI are HIPAA-protected. Marketing communications and storefront browsing are not PHI. Once a client becomes a client (not just a shopper), interactions with their care team are PHI and protected accordingly.
Audits
If you are audited, we provide everything you need from our side — BAA, audit logs, subprocessor list, security documentation. Your operator coordinates the response with you.