1. Overview
HIPAA establishes federal standards for the protection of Protected Health Information (“PHI”) — health information that identifies, or could reasonably be used to identify, a patient. It applies to Covered Entities (most healthcare providers, health plans, and clearinghouses) and to the Business Associates that handle PHI on their behalf.
Medical Supplai builds its platform with HIPAA's requirements in mind and operates under written agreements with the practices we serve.
A note on terminology. HIPAA does not certify products or vendors. There is no official “HIPAA certification.” What matters is whether a vendor operates the administrative, physical, and technical safeguards required by the HIPAA Security Rule and is willing to commit to those obligations contractually.
2. Our Role
When Medical Supplai processes PHI on behalf of a healthcare practice, we act as a Business Associate as that term is defined under HIPAA. The practice remains the Covered Entity — the controller of its patient record and the party responsible for HIPAA compliance with respect to that record. Medical Supplai handles PHI only as needed to provide the services the practice has authorized.
3. Business Associate Agreement
Before any PHI is transmitted through the Service, Medical Supplai executes a Business Associate Agreement (“BAA”) with the practice. The BAA:
- Specifies the permitted uses and disclosures of PHI;
- Requires us to implement appropriate safeguards;
- Obligates us to report any security incident or breach involving PHI;
- Requires us to ensure any subcontractor with access to PHI agrees to the same obligations;
- Addresses return or destruction of PHI upon termination, where feasible.
A BAA is available to every practice that subscribes to the Service. Contact us at the address below to request one.
4. Safeguards
Medical Supplai maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI, in alignment with the HIPAA Security Rule. At a high level:
Administrative
Documented security policies, designated security responsibility, workforce training, background checks for personnel with access to PHI, periodic risk assessments, and an incident response process.
Physical
PHI is processed in cloud infrastructure operated by providers that maintain physical security controls for their data centers. Medical Supplai personnel do not store PHI on local devices.
Technical
Encryption in transit (TLS) and at rest, role-based access controls, least-privilege provisioning, multi-factor authentication for administrative access, audit logging of access to PHI, and regular vulnerability management.
Detailed control documentation and security questionnaires are available to practices under NDA as part of the procurement process.
5. Subcontractors
Medical Supplai relies on a small number of vetted subcontractors to operate the Service (for example, cloud infrastructure, telephony, and SMS providers). Any subcontractor that may access PHI executes a BAA with us and is contractually bound to the same standards we owe to our customers.
6. Breach Notification
If Medical Supplai becomes aware of a breach of unsecured PHI, we will notify the affected practice without unreasonable delay and in accordance with the timeframes required by HIPAA and the BAA. Our notice will include the information reasonably available to support the practice's own breach analysis and any notifications it must make to patients and regulators.
7. Patient Rights
Patients have rights under HIPAA — including access to their records, amendment, accounting of disclosures, and restriction requests. Those rights are directed to the healthcare provider, not to the provider's Business Associates. If you are a patient with a question about your information, please contact your healthcare provider directly.
If your practice receives a patient request that requires action on data within the Service, Medical Supplai will work with your team to support it.
8. Questions & Reporting
To request a BAA, ask a compliance question, or report a suspected security concern:
Medical Supplai
Attention: Compliance
compliance@medicalsupplai.com
This page describes Medical Supplai's approach to HIPAA at a high level and is not legal advice. HIPAA compliance for a healthcare practice depends on factors specific to that practice. We recommend consulting your own counsel or compliance officer for guidance on your obligations.