Permitted uses and disclosures
We use Protected Health Information only to provide, manage, and support the services you contract us to deliver — and as required by law. We do not sell PHI, we do not share it with advertising networks, and we do not use it to train foundation models.
Safeguards
We maintain administrative, physical, and technical safeguards as required by 45 CFR §§ 164.308, 164.310, and 164.312. In practice: tenant-isolated databases, encryption at rest (AES-256) and in transit (TLS 1.2+), rotating KMS-managed keys, least-privilege IAM, and mandatory MFA on every staff account.
Subcontractors
Every subcontractor that may access PHI signs an equivalent BAA downstream. Our current subcontractor list (cloud hosting, email, SMS, WhatsApp, transactional payments) is available on request and updated at renewal.
Breach notification
We notify you without unreasonable delay and in no case later than 30 days after discovery of a reportable breach of unsecured PHI, per 45 CFR § 164.410 — with the facts, the affected records, the corrective action, and the evidence we have.
Individual rights
We support your obligations under the Privacy Rule: access requests, amendments, accounting of disclosures, and restrictions. Our admin surface exports the per-patient audit log and record set on demand.
Return or destruction on termination
When the underlying services agreement ends, we return or securely destroy all PHI within 60 days, with written attestation. If return or destruction is infeasible for a specific record class, we tell you which class and why — and extended protections continue to apply.