Our role
Moxcares operates as a HIPAA Business Associate to the healthcare clinics ("Covered Entities") that use our platform. We process Protected Health Information ("PHI") only on behalf of, and under instructions from, our Covered Entity customers — pursuant to a signed Business Associate Agreement.
Safeguards
We implement HIPAA-required administrative, technical, and physical safeguards, including:
- AES-256 encryption for PHI at rest;
- TLS 1.3 encryption for PHI in transit;
- Role-based access controls and least-privilege provisioning;
- Complete audit logs of PHI access and modification;
- Workforce HIPAA training and background checks;
- Regular vulnerability scans and third-party penetration testing.
Subcontractors
We use vetted subprocessors to deliver the service. Each subprocessor is bound by a written agreement requiring HIPAA-equivalent protections. A current list is available on request.
For patients
If you are a patient, please direct requests about your health information to the clinic where you received care. The clinic controls your record, and we cannot disclose it without the clinic's authorization.
Breach notification
In the event of a breach affecting PHI, we will notify the impacted Covered Entity without unreasonable delay and in accordance with the HIPAA Breach Notification Rule and the BAA.
Contact
Questions about HIPAA, BAAs, or security can be sent to security@moxcares.com.