Skip to content
HIPAACompliance

HIPAA Compliance at Marpass

Marpass is designed from the ground up to meet HIPAA requirements. Every feature, every workflow, and every data interaction is built with patient privacy and regulatory compliance at its core.

BAA
included
AWS
HIPAA-eligible
3+ yrs
retention
HIPAA
Compliant
Overview

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. Any organization that handles Protected Health Information (PHI) must implement physical, technical, and administrative safeguards.

As a healthcare technology platform serving adult family homes, Marpass is classified as a Business Associate under HIPAA. We take this responsibility seriously and have built comprehensive safeguards into every layer of our platform.

Our Safeguards

How Marpass Protects PHI

We implement the three categories of HIPAA safeguards across our entire platform.

Technical Safeguards

  • AES-256 encryption for all data at rest
  • TLS 1.2+ encryption for all data in transit
  • Unique user authentication for every account
  • Automatic session timeouts after inactivity
  • Role-based access controls (RBAC) with least-privilege
  • Complete audit logging of all PHI access and modifications
  • Encrypted database backups with geographic redundancy

Administrative Safeguards

  • Designated Security Officer and Privacy Officer
  • Regular workforce HIPAA training and certification
  • Documented security policies and procedures
  • Business Associate Agreements (BAAs) with all subprocessors
  • Incident response and breach notification procedures
  • Regular risk assessments and security audits
  • Workforce access management and termination procedures

Physical Safeguards

  • AWS HIPAA-eligible data centers covered by a SOC 2 Type II report
  • Multi-region data redundancy and disaster recovery
  • Physical access controls at all data center facilities
  • Environmental controls (fire, flood, power) at hosting facilities
  • Secure disposal of hardware containing PHI
  • No PHI stored on local devices or endpoints

Business Associate Agreement

Every Marpass account includes a Business Associate Agreement (BAA) at no additional cost. Our BAA outlines our obligations for protecting PHI, breach notification timelines, and data handling procedures. We also maintain BAAs with all of our subprocessors, including our cloud infrastructure and AI providers.

View our BAA

HIPAA-Compliant Subprocessors

We carefully select vendors that meet HIPAA requirements and maintain signed BAAs with each one.

Amazon Web Services (AWS)

Cloud infrastructure and data hosting

HIPAA-eligible services, SOC 2 Type II-audited

Anthropic (Claude AI)

AI-powered doctor order reading

Signed BAA, no data retention, PHI never used for training

Vercel

Application hosting and edge network

SOC 2 Type II-audited, HIPAA-aligned hosting

Breach Notification

In the unlikely event of a Breach of Unsecured PHI, Marpass follows the HIPAA Breach Notification Rule and applicable state breach-notification laws, including Florida's Information Protection Act (Fla. Stat. 501.171) and Washington's breach-notification statute (RCW 19.255). The strictest applicable timeline governs. Our incident response team is trained to contain, assess, and remediate security incidents quickly, and we work with covered-entity customers to meet HIPAA notification deadlines (45 CFR 164.410) and their state breach-notice obligations.

Your Rights Under HIPAA

Marpass supports covered entities in fulfilling their obligations to patients.

  • Right to access and obtain copies of health records
  • Right to request corrections to health information
  • Right to know who has accessed their health data
  • Right to request restrictions on how PHI is used
  • Right to receive breach notifications

HIPAA Compliance Questions?

Our compliance team is available to discuss our HIPAA practices, provide documentation, or address specific compliance concerns for your organization.

security[at]marpass.com

Ready to go HIPAA-compliant?

Every Marpass account includes a BAA, encryption, audit trails, and access controls out of the box. No extra fees.

Join the waitlist