HIPAA Compliance at Marpass
Marpass is designed from the ground up to meet HIPAA requirements. Every feature, every workflow, and every data interaction is built with patient privacy and regulatory compliance at its core.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. Any organization that handles Protected Health Information (PHI) must implement physical, technical, and administrative safeguards.
As a healthcare technology platform serving adult family homes, Marpass is classified as a Business Associate under HIPAA. We take this responsibility seriously and have built comprehensive safeguards into every layer of our platform.
How Marpass Protects PHI
We implement the three categories of HIPAA safeguards across our entire platform.
Technical Safeguards
- AES-256 encryption for all data at rest
- TLS 1.2+ encryption for all data in transit
- Unique user authentication for every account
- Automatic session timeouts after inactivity
- Role-based access controls (RBAC) with least-privilege
- Complete audit logging of all PHI access and modifications
- Encrypted database backups with geographic redundancy
Administrative Safeguards
- Designated Security Officer and Privacy Officer
- Regular workforce HIPAA training and certification
- Documented security policies and procedures
- Business Associate Agreements (BAAs) with all subprocessors
- Incident response and breach notification procedures
- Regular risk assessments and security audits
- Workforce access management and termination procedures
Physical Safeguards
- AWS HIPAA-eligible data centers covered by a SOC 2 Type II report
- Multi-region data redundancy and disaster recovery
- Physical access controls at all data center facilities
- Environmental controls (fire, flood, power) at hosting facilities
- Secure disposal of hardware containing PHI
- No PHI stored on local devices or endpoints
Business Associate Agreement
Every Marpass account includes a Business Associate Agreement (BAA) at no additional cost. Our BAA outlines our obligations for protecting PHI, breach notification timelines, and data handling procedures. We also maintain BAAs with all of our subprocessors, including our cloud infrastructure and AI providers.
View our BAAHIPAA-Compliant Subprocessors
We carefully select vendors that meet HIPAA requirements and maintain signed BAAs with each one.
Amazon Web Services (AWS)
Cloud infrastructure and data hosting
Anthropic (Claude AI)
AI-powered doctor order reading
Vercel
Application hosting and edge network
Breach Notification
In the unlikely event of a Breach of Unsecured PHI, Marpass follows the HIPAA Breach Notification Rule and applicable state breach-notification laws, including Florida's Information Protection Act (Fla. Stat. 501.171) and Washington's breach-notification statute (RCW 19.255). The strictest applicable timeline governs. Our incident response team is trained to contain, assess, and remediate security incidents quickly, and we work with covered-entity customers to meet HIPAA notification deadlines (45 CFR 164.410) and their state breach-notice obligations.
Your Rights Under HIPAA
Marpass supports covered entities in fulfilling their obligations to patients.
- Right to access and obtain copies of health records
- Right to request corrections to health information
- Right to know who has accessed their health data
- Right to request restrictions on how PHI is used
- Right to receive breach notifications
HIPAA Compliance Questions?
Our compliance team is available to discuss our HIPAA practices, provide documentation, or address specific compliance concerns for your organization.
security[at]marpass.comReady to go HIPAA-compliant?
Every Marpass account includes a BAA, encryption, audit trails, and access controls out of the box. No extra fees.
Join the waitlist