Zavio is designed to help healthcare organizations operate in compliance with the Health Insurance Portability and Accountability Act (HIPAA). This page outlines our commitments and responsibilities as a Business Associate.
1. Our Role Under HIPAA
Zavio acts as a Business Associate (BA) under HIPAA when we process Protected Health Information (PHI) on behalf of healthcare organizations that are Covered Entities (CE) or other Business Associates. We do not independently determine the purposes and means of processing PHI — we do so only under the direction of our customers.
2. Business Associate Agreement (BAA)
Before any PHI is processed through Zavio, a signed Business Associate Agreement must be in place between Zavio and your organization. The BAA governs how we:
- Use and disclose PHI only as permitted by the agreement and HIPAA
- Implement appropriate safeguards to protect PHI
- Report breaches of unsecured PHI to the Covered Entity
- Ensure subcontractors agree to the same restrictions
- Return or destroy PHI upon termination of the agreement
To request a BAA, contact hello@zaviocare.com.
3. Administrative Safeguards
- Designated HIPAA Security Officer responsible for compliance oversight
- Workforce training on HIPAA requirements and PHI handling
- Access management policies — minimum necessary access principle
- Regular risk assessments and security evaluations
- Incident response and breach notification procedures
- Vendor management — all subprocessors with PHI access sign BAAs
4. Physical Safeguards
- Data hosted in SOC 2 Type II certified data centers
- Physical access controls at all facilities handling PHI
- Workstation use policies for all personnel accessing PHI
- Secure media disposal procedures
5. Technical Safeguards
- Encryption in transit: TLS 1.2+ for all data transmission
- Encryption at rest: AES-256 encryption for all stored PHI
- Access controls: Role-based access with unique user IDs and authentication
- Audit logs: Comprehensive logging of all PHI access and modifications
- Automatic logoff: Session timeouts to prevent unauthorized access
- Data integrity: Mechanisms to ensure PHI is not improperly altered or destroyed
6. Breach Notification
In the event of a breach of unsecured PHI, Zavio will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule. Notification will include the information required by 45 CFR § 164.410.
7. Individual Rights
Zavio will support Covered Entities in fulfilling individuals' rights under HIPAA, including:
- Right of access to PHI (45 CFR § 164.524)
- Right to amendment of PHI (45 CFR § 164.526)
- Right to an accounting of disclosures (45 CFR § 164.528)
- Right to request restrictions on uses and disclosures
8. Subcontractors & Cloud Services
Zavio uses trusted cloud infrastructure providers (including Cloudflare) that maintain appropriate security certifications. All subcontractors with access to PHI are required to sign Business Associate Agreements and maintain equivalent safeguards.
9. Contact Our Privacy Officer
For HIPAA-related questions, BAA requests, or to report a privacy concern:
Zavio — HIPAA Privacy Officer
Email: hello@zaviocare.com