PHI workflows are available for enterprise customers under an executed BAA.
❌ No PHI
Do not enter patient identifiers or protected health information in self-serve tools.
✅ PHI Supported
Under a signed BAA, in designated enterprise environments only.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that sets national standards for protecting the privacy and security of individuals' medical records and personal health information ("Protected Health Information" or "PHI").
HIPAA sets requirements for what a business associate contract must include. When a covered entity (like a healthcare provider) works with a business associate (like a software vendor) that will handle PHI, HIPAA requires a written agreement that specifies how the business associate will protect the PHI and limits how it can be used or disclosed.
We only use or disclose PHI for the purpose of providing services to you as specified in our service agreement, or as required by law. We do not use PHI for our own purposes, marketing, or to benefit any third party.
We implement appropriate administrative, physical, and technical safeguards to protect electronic PHI (ePHI) in accordance with the HIPAA Security Rule. This includes encryption, access controls, audit logging, and security monitoring.
Best-in-class commitment: We will notify you of any discovered breach of unsecured PHI within 5 calendar days of discovery (exceeding the regulatory requirement). This gives you ample time to fulfill your own notification obligations.
Any subcontractors or agents that process PHI on our behalf are required to agree to the same restrictions and conditions that apply to us under the BAA. We maintain a public list of subprocessors and provide advance notice of changes.
Upon termination of the service agreement, we will return or destroy all PHI in accordance with your instructions and as required by law. If return or destruction is not feasible, we will continue to protect the PHI and limit its use.
We support your obligations to provide individuals with access to their PHI, to amend PHI, and to provide an accounting of disclosures as required by HIPAA.
We make our internal practices, books, and records relating to PHI available to the Secretary of the Department of Health and Human Services (HHS) for compliance determinations.
Legal reference: HIPAA's business associate contract requirements come from 45 CFR 164.504(e). HHS also provides a model BAA that organizations can reference.
Request a BAA or contact our compliance team with any questions.