
HIPAA Compliance

Last updated: January 1, 2026

PREFcards is built from the ground up for healthcare environments and operates as a HIPAA Business Associate to the surgical centers, hospitals, and health systems that use our platform. This page summarizes our approach to HIPAA compliance.

Business Associate relationship

PREFcards executes a Business Associate Agreement (BAA) with every healthcare customer prior to receiving any protected health information (PHI). The BAA defines our obligations as a Business Associate under the HIPAA Privacy and Security Rules, including the permitted uses and disclosures of PHI, our safeguards obligations, and our breach notification commitments.

Administrative, physical, and technical safeguards

We implement the safeguards required by the HIPAA Security Rule across all three categories: administrative (workforce training, role-based access policies, security risk assessments), physical (controls on the facilities and devices used to access PHI), and technical (authentication, access controls, audit logging, transmission security). Our practices are reviewed and updated regularly as the platform and the threat landscape evolve.

Encryption and access controls

PHI is encrypted in transit and at rest using industry-standard encryption. Access to PHI is restricted on a least-privilege basis through role-based access controls, and all access is logged for audit. Authentication requires individual user accounts; shared credentials are not permitted.

Breach notification

In the event of a breach involving PHI, PREFcards will notify the affected customer as required by HIPAA and in accordance with the timing and contents specified in the Business Associate Agreement, so that the customer can fulfill its own notification obligations to individuals and regulators.

Subcontractors

Where PREFcards engages subcontractors that may receive or process PHI on our behalf (such as cloud infrastructure providers), each subcontractor signs a Business Associate Agreement with PREFcards that imposes obligations equivalent to those we owe our customers.

BAA requests and questions

To request a Business Associate Agreement, or with questions about our HIPAA compliance practices, contact our team via the contact page.
