Privacy Policy & HIPAA Notice of Privacy Practices

Last updated: September 2, 2025

Our Commitment to Privacy

At HIPAA Certify, we understand the critical importance of data privacy and security, especially in healthcare. This privacy policy explains how our HIPAA Website Security Checker handles your information and serves as our Notice of Privacy Practices in compliance with HIPAA regulations.

HIPAA Notice of Privacy Practices

Our HIPAA Compliance Commitment

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and 45 CFR § 164.520, this notice describes how health information about you may be used and disclosed and how you can get access to this information.

Protected Health Information (PHI)

We do not collect, store, or process Protected Health Information (PHI) as defined under HIPAA. Our HIPAA Website Security Checker tool:

  • Only scans publicly accessible website technical configurations
  • Does not access patient records, medical databases, or health information systems
  • Does not collect names, dates of birth, Social Security numbers, medical record numbers, or other PHI identifiers
  • Operates as a technical security assessment tool, not a healthcare application

Business Associate Relationships

If you are a HIPAA covered entity using our scanning service:

  • We can serve as your Business Associate for website security assessments upon execution of a Business Associate Agreement (BAA)
  • We will comply with all applicable HIPAA safeguards (Administrative, Physical, and Technical)
  • We maintain policies and procedures consistent with HIPAA requirements
  • Our staff receives regular HIPAA privacy and security training

Uses and Disclosures

We may use and disclose your information for the following purposes:

  • Security Assessment: To perform technical security scans of your websites
  • Report Generation: To create and deliver HIPAA compliance reports
  • Communication: To respond to your inquiries and provide support
  • Legal Requirements: When required by law or court order

Individual Rights Under HIPAA

Although we do not store PHI, you have the following rights regarding any information we process:

  • Right to Notice: You have the right to receive this notice
  • Right to Request Restrictions: You may request restrictions on how we use your information
  • Right to Access: You may request access to any information we have about you
  • Right to Amendment: You may request amendments to incorrect information
  • Right to Accounting: You may request an accounting of disclosures
  • Right to File Complaints: You may file complaints with us or the Department of Health and Human Services

Minimum Necessary Standard

We adhere to the HIPAA minimum necessary standard by:

  • Collecting only the website URL and technical data necessary for security scanning
  • Limiting access to information on a need-to-know basis
  • Implementing role-based access controls
  • Regularly reviewing and updating our data collection practices

Security Safeguards

We implement comprehensive HIPAA-compliant safeguards:

  • Administrative Safeguards: Security policies, training, access management, incident response procedures
  • Physical Safeguards: Secure data centers, workstation controls, device and media controls
  • Technical Safeguards: Access controls, audit logs, integrity controls, transmission security

Breach Notification

In the unlikely event of a security incident involving any information:

  • We will investigate and contain the incident promptly upon discovery
  • Affected individuals will be notified without unreasonable delay and no later than 60 calendar days after discovery, as HIPAA's Breach Notification Rule (45 CFR § 164.404) requires
  • Where we act as a Business Associate, we will notify the affected covered entity within the same 60-day window (45 CFR § 164.410) and cooperate fully with its own breach notification obligations
  • Incident details will be documented and reported as required by law

Information We Collect

Website Scanning

  • Website URLs: You provide website URLs for security scanning
  • Technical Data: We temporarily collect technical information about scanned websites (SSL certificates, headers, etc.)
  • Scan Results: Security findings and compliance assessments

Report Delivery

  • Email Addresses: When you request a report download, we collect your email address
  • Usage Data: Basic analytics about tool usage (anonymized)

How We Use Your Information

  • Perform security scans of your specified websites
  • Generate and deliver compliance reports
  • Provide customer support when requested
  • Send occasional HIPAA compliance updates (opt-out available)
  • Improve our scanning tools and services

Data Storage and Security

No Database Storage

We do not store your personal information in databases. This is a deliberate security decision: it limits what a breach of our systems could expose and is consistent with HIPAA's minimum necessary standard.

Temporary Processing

  • Scan data is processed temporarily and deleted immediately after report delivery
  • Email addresses are used only for report delivery and then discarded from our servers
  • All temporary files are automatically deleted within 1 hour

Security Measures

  • TLS (HTTPS) encryption for all data in transit
  • Secure session management
  • CSRF protection and input validation
  • Rate limiting to prevent abuse
  • Regular security audits of our systems

Third-Party Services

Email Delivery

We use Postmark to deliver your compliance reports. Your email address is transmitted over TLS to Postmark for delivery purposes only, and Postmark's own privacy policy governs its handling of that data.

Analytics

We may use anonymized analytics to understand tool usage patterns. No personally identifiable information is shared with analytics providers.

Your Rights

Because we don't store your personal data in databases:

  • Data Deletion: Your data is automatically deleted after processing
  • Data Access: No persistent data exists to access
  • Data Portability: You receive your compliance report via email
  • Opt-out: Contact us to unsubscribe from communications

Cookies and Tracking

  • Session Cookies: Essential for tool functionality (automatically deleted when you close your browser)
  • Security Cookies: CSRF protection and rate limiting
  • No Tracking: We do not use persistent tracking cookies or third-party tracking scripts

Data Retention

We practice data minimization consistent with HIPAA's minimum necessary standard:

  • Scan data: Deleted immediately after report generation
  • Email addresses: Used for delivery only, not stored
  • Session data: Expires within 24 hours
  • Temporary files: Auto-deleted within 1 hour

Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

International Users

Our services are hosted in the United States. By using our tool, you consent to the transfer of your data to the United States for processing.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Changes will be posted on this page with an updated "last modified" date.

Contact Us

If you have questions about this privacy policy, our HIPAA compliance, or our data practices:

Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights.

You will not be retaliated against for filing a complaint.

Compliance

This privacy policy and Notice of Privacy Practices complies with:

  • HIPAA Privacy Rule (45 CFR § 164.520)
  • HIPAA Security Rule (45 CFR §§ 164.302-164.318)
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Other applicable federal and state privacy regulations

Our data minimization approach exceeds most privacy requirements and demonstrates our commitment to protecting sensitive information.