HIPAA compliance statement
Aqurio is built for healthcare. When we process protected health information on behalf of our covered entity customers, we act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act, and we operate under a Business Associate Agreement (BAA) with every customer.
1. Our role under HIPAA
Aqurio, Inc. is a Business Associate as defined in 45 CFR § 160.103. Our customers are typically HIPAA-covered entities — health systems, physician groups, specialty clinics, FQHCs — or other Business Associates acting on their behalf. We process PHI only as needed to deliver the service to that customer, and only as permitted by the BAA.
2. BAA availability
Aqurio executes a Business Associate Agreement with every customer who will transmit PHI to or through our platform. The BAA covers permitted uses and disclosures, safeguards, subcontractor flow-down obligations, breach notification timelines, and termination handling, in alignment with 45 CFR §§ 164.502 and 164.504(e).
To request a copy of our standard BAA template before signing an order form, use our contact page.
3. PHI handling
- Minimum necessary — we collect and process the minimum PHI needed to deliver each workflow.
- Purpose limitation — PHI is used solely to provide and improve the service for the originating customer; we do not use PHI to train third-party foundation models or share it with unrelated customers.
- Data segmentation — each customer's data is logically segregated. Cross-tenant access by Aqurio personnel requires explicit, audited authorization.
- Retention & disposal — PHI is retained as specified in the BAA and order form; upon termination, returned or securely destroyed per NIST 800-88 guidelines.
4. Security controls
Our security program is aligned with HIPAA Security Rule (45 CFR § 164.308–.312), SOC 2 Type II, and HITRUST CSF requirements. Controls include:
- Encryption — TLS 1.2+ in transit, AES-256 at rest.
- Access management — role-based access, least privilege, MFA for all administrative accounts, periodic access reviews.
- Monitoring & logging — continuous logging of access to PHI, immutable audit trails, SIEM-based anomaly detection.
- Vulnerability management — regular vulnerability scans, annual external penetration testing, coordinated disclosure program.
- Workforce security — background checks where permitted, annual HIPAA and security training for all employees with PHI access.
- Business continuity — encrypted backups, disaster recovery testing, defined RPO/RTO targets per the MSA.
- Subcontractors — every subcontractor handling PHI executes a downstream BAA before access is granted.
5. Breach notification
In the event of a confirmed breach of unsecured PHI affecting a customer's data, Aqurio will notify the affected customer's designated security contact without unreasonable delay and no later than the timeframe specified in the BAA (typically within five business days, often sooner). Notice will include: nature of the breach, types of PHI involved, mitigation steps, and recommended customer actions. Aqurio assists the customer in fulfilling their HHS and patient notification obligations under 45 CFR §§ 164.404–164.410.
6. Individual rights support
Aqurio supports covered entity customers in responding to individual rights requests under 45 CFR § 164.524 (right to access), § 164.526 (right to amend), § 164.528 (accounting of disclosures), and § 164.522 (right to restrict). Customer-side request workflows are documented in the platform admin console.
7. Compliance certifications
- HIPAA & HITECH — Business Associate operating under signed BAA with every PHI-processing customer.
- SOC 2 Type II — annual audit covering Security, Availability, Confidentiality.
- HITRUST CSF — certification for the controls relevant to healthcare data.
- PCI DSS — for payment workflows.
- ISO 27001 — information security management.
To request the latest audit reports under NDA, use our contact page.
8. State privacy laws
In addition to HIPAA, we comply with applicable state privacy laws — California (CCPA/CPRA), Texas (HB 4), Washington (My Health My Data Act), and other state-level health data laws as they take effect. Our practices are designed to satisfy the most protective applicable standard.
9. Questions and contact
For HIPAA, BAA, or security questions, use our contact page. For reported security issues, see the responsible disclosure section on trust & security.
Need our BAA or HITRUST letter?
Email [email protected]. We respond within one business day with the executable BAA template and the certification documents under standard NDA terms.
Need security artifacts for your review? We have them ready.
SOC 2 Type II report, HITRUST certification letter, penetration test summary, BAA template — available under NDA in one business day.