HIPAA Policy
Last updated: May 1, 2025
1. Our Commitment to HIPAA
Carewix Inc. ("Carewix") is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. As a technology platform serving healthcare staffing agencies, Carewix functions as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities and their business associates.
2. What is Protected Health Information (PHI)?
PHI includes individually identifiable health information that relates to:
• An individual's past, present, or future physical or mental health condition
• The provision of health care to an individual
• Past, present, or future payment for the provision of health care
In the context of healthcare staffing, PHI may include worker medical information, immunization records, and health-related credential documentation.
3. Business Associate Agreements (BAAs)
Carewix executes Business Associate Agreements (BAAs) with all agency customers who use the platform to process PHI. A BAA is required before any PHI may be transmitted through or stored on the Carewix platform.
To request a BAA, contact: compliance@carewix.com
We will typically return a fully executed BAA within 2 business days.
4. How We Safeguard PHI
Carewix implements the following safeguards:
Administrative Safeguards:
• Designated HIPAA Privacy and Security Officers
• Regular workforce training on HIPAA requirements
• Access controls limiting PHI access to authorized personnel only
• Regular risk assessments and gap analyses
Physical Safeguards:
• Data hosted on AWS (Amazon Web Services) in HIPAA-eligible services
• Physical access controls at all data center facilities
• Workstation and device security policies
Technical Safeguards:
• AES-256 encryption at rest for all stored data
• TLS 1.2+ encryption in transit
• Unique user identification and automatic logoff
• Audit controls and access logs for all PHI access
5. Minimum Necessary Standard
Carewix applies the HIPAA Minimum Necessary Standard to all PHI access. Our platform is designed to ensure that users only access PHI that is necessary for their role. Agency administrators can configure role-based permissions to further restrict access within their organization.
6. Breach Notification
In the event of a security incident involving PHI, Carewix will:
• Investigate the incident promptly
• Notify affected Covered Entities within the timeframe required by HIPAA (no later than 60 days of discovery)
• Cooperate fully with any regulatory investigations
• Document and remediate the cause of the breach
To report a suspected breach: security@carewix.com
7. Subcontractors
Carewix uses a limited number of subcontractors (sub-Business Associates) who may have access to PHI as part of providing the platform infrastructure. All subcontractors are required to sign HIPAA-compliant agreements and maintain equivalent safeguards. Our primary infrastructure provider is Amazon Web Services (AWS), which provides HIPAA-eligible services under a BAA.
8. Canadian Operations (PHIPA/PIPEDA)
For Canadian operations, Carewix also complies with the Personal Health Information Protection Act (PHIPA) in Ontario and the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level. Data residency options for Canadian customers are available on Enterprise plans.
9. Contact Our Compliance Team
For all HIPAA-related inquiries, including BAA requests, compliance questions, and breach reporting:
Compliance: compliance@carewix.com
Security: security@carewix.com
General: hello@carewix.com