HIPAA Policy
At CompanyOn, we understand that protecting patient health information (PHI) is not optional — it's the foundation of every healthcare practice we serve. This policy explains how our SaaS platform supports your obligations under the Health Insurance Portability and Accountability Act (HIPAA), what we do on our end, and how we partner with you to keep PHI safe.
Our Commitment
CompanyOn was built by healthcare practitioners, for healthcare practitioners. Compliance isn't a feature we added later — it's part of how the platform was architected. Our HIPAA approach rests on three principles:
- Security by design. Encryption, access controls, and audit trails are built in, not bolted on.
- Customer ownership. Your data is yours. We process it on your behalf, never for our own purposes.
- Operational transparency. We document what we do, log who accesses what, and give you visibility into your own data.
How CompanyOn Supports HIPAA Compliance
- Encryption in Transit and at Rest: All PHI handled within CompanyOn is encrypted using TLS 1.2+ during transmission and AES-256 at rest in our databases and backups. Encryption keys are managed by our cloud infrastructure provider under industry-standard key management practices.
- Access Controls: Role-based permissions let you control who on your team can view, edit, or export PHI. Administrative actions are logged. CompanyOn staff cannot view your patient charts in normal operations — access is restricted to senior personnel and only when you explicitly request support.
- Audit Trails: Every meaningful action involving PHI (creation, modification, viewing, export, deletion) is logged with user, timestamp, and IP address. These logs support your own compliance audits and your obligations under HIPAA's Security Rule.
- Authentication and Account Security: Strong password requirements, optional two-factor authentication via SMS or email, session management, and automatic logout protect account access. We strongly recommend enabling 2FA for all users with access to PHI.
- Data Centers and Hosting: PHI is hosted in secure data centers located in Canada and/or the United States. Our infrastructure provider maintains physical security, redundancy, and certifications appropriate for healthcare workloads. Data does not leave these jurisdictions in normal operations.
- Backup and Disaster Recovery: Encrypted backups run on a regular schedule. Our recovery procedures are designed to restore service quickly in the event of an incident, while protecting the confidentiality of backed-up PHI.
- Patient Rights Support: The platform makes it straightforward for you to fulfill patient rights under HIPAA — including the right to access, amend, and request a copy of their health information. You retain full control over how and when to respond to patient requests.
- Workforce Training and Confidentiality: All CompanyOn employees with potential access to PHI sign binding confidentiality agreements and receive privacy and security training. Access to production systems containing PHI is limited to personnel with a documented operational need.
- Vendor and Sub-Processor Management: Third-party services we rely on (such as payment processing and SMS delivery) are vetted for security posture. Where applicable, we enter into agreements that require those vendors to handle data with comparable protections.
- Breach Response: We maintain a documented incident response plan. In the event of a confirmed breach involving Customer PHI, we will notify the affected Customer without unreasonable delay, support their notification obligations under HIPAA's Breach Notification Rule, and retain documentation of the breach and remediation steps for a minimum of twelve (12) months.
Customer Responsibilities Under HIPAA
CompanyOn provides the secure platform, but HIPAA compliance is a shared responsibility. As a Covered Entity using CompanyOn, you are responsible for:
- Determining which staff members have access to PHI within your account and managing those permissions.
- Training your workforce on HIPAA Privacy and Security Rule obligations.
- Obtaining patient consents and authorizations as required by HIPAA and applicable state law.
- Establishing your own internal policies and procedures for handling PHI, breach response, and patient rights requests.
- Reporting any suspected security incidents or breaches involving PHI in your account to CompanyOn promptly.
- Using the platform's communication features appropriately — for example, not transmitting PHI through unencrypted email channels.
Business Associate Agreement (BAA)
If you are a HIPAA-covered entity and CompanyOn will handle PHI on your behalf, we will execute a Business Associate Agreement (BAA) with you. The BAA formalizes the obligations of both parties under HIPAA and complements these Terms.
To request a copy of our BAA or to start the signing process, contact us at [email protected] with the subject line "BAA Request". We'll respond within 2 business days with the BAA template and next steps.
What CompanyOn Does Not Do
To set clear expectations, here are things we explicitly do not do with PHI in your account:
- We do not use your PHI to train AI or machine learning models for purposes outside of features you have explicitly enabled.
- We do not sell, rent, or share PHI with marketers, data brokers, or any third party.
- We do not access patient charts or PHI in normal operations — only with your explicit support request, and only by authorized senior staff.
- We do not hand over PHI to law enforcement without a valid court order, and we will inform you of any such request unless legally prohibited.
HIPAA, PIPEDA, and GDPR Alignment
CompanyOn operates primarily under Canadian law and serves customers in both Canada and the United States. Our security controls, data handling practices, and processes are designed to align with:
- HIPAA — Health Insurance Portability and Accountability Act (US)
- PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)
- GDPR — General Data Protection Regulation (EU, where applicable)
Where these regulations differ, we apply the more protective standard. Our Privacy Policy and Terms of Service provide additional detail on data handling and your rights.
Reporting a Concern
If you believe PHI in your CompanyOn account has been accessed or used inappropriately, or if you have observed a security issue with the platform, contact us immediately at [email protected] with the subject line "Security Concern". We take every report seriously and will respond promptly.
Changes to This Policy
CompanyOn may update this HIPAA Policy as the platform evolves and as regulatory guidance changes. We'll notify account owners about significant changes by email or via a prominent notice in the application.
Questions about this policy?
We're happy to help. Reach out anytime at [email protected].