HIPAA Compliance
Effective Date: January 1, 2026
Relay Vault is committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA). As a Business Associate to healthcare organizations, insurance carriers, and third-party administrators (TPAs), we implement comprehensive safeguards to protect Protected Health Information (PHI).
1. Our Role Under HIPAA
When you use Relay Vault to process healthcare-related data, we act as a Business Associate as defined by HIPAA. This means:
- We enter into Business Associate Agreements (BAAs) with all customers who process PHI through our platform
- We only use or disclose PHI as permitted by the BAA and as necessary to provide our services
- We maintain the same level of protection for PHI as required of Covered Entities
- We report any security incidents involving PHI as required by law
2. Administrative Safeguards
We implement comprehensive administrative safeguards:
- Security Officer: Designated security and privacy officers responsible for HIPAA compliance
- Workforce Training: All employees receive HIPAA training upon hire and annually thereafter
- Access Management: Documented procedures for granting, modifying, and revoking access to PHI
- Risk Analysis: Annual risk assessments to identify and address potential vulnerabilities
- Contingency Planning: Data backup, disaster recovery, and emergency mode operation plans
- Business Associate Management: Written agreements with all subcontractors who may access PHI
3. Physical Safeguards
Our infrastructure includes physical security measures:
- Facility Access Controls: Data centers with 24/7 security, biometric access, and surveillance
- Workstation Security: Policies for secure workstation use and encrypted devices
- Device Controls: Procedures for hardware and electronic media handling and disposal
- Environmental Controls: Fire suppression, temperature control, and power redundancy
4. Technical Safeguards
We employ robust technical controls to protect PHI:
- Access Controls: Unique user IDs, automatic session timeout, and encryption of PHI
- Audit Controls: Comprehensive logging of all access to systems containing PHI
- Integrity Controls: Mechanisms to verify PHI has not been improperly altered or destroyed
- Transmission Security: TLS 1.3 encryption for all PHI transmitted over networks
- Authentication: Multi-factor authentication required for accessing PHI
5. Privacy Rule Compliance
We adhere to HIPAA Privacy Rule requirements:
- Minimum Necessary: We only access, use, or disclose the minimum PHI necessary to accomplish the intended purpose
- Use Limitations: PHI is used only for purposes specified in the BAA
- No Unauthorized Disclosure: We do not sell, market, or share PHI without proper authorization
- Individual Rights: We support your ability to provide individuals access to their PHI
6. Breach Notification
In the event of a breach involving PHI:
- We will notify you within 24 hours of discovering a breach
- We will provide all information necessary for you to fulfill your breach notification obligations
- We will cooperate fully with any investigation and remediation efforts
- We will document the incident and our response in accordance with HIPAA requirements
7. AI and PHI
When our AI features process PHI, we maintain strict controls:
- PHI processed by AI remains within our secure, HIPAA-compliant infrastructure
- We do not use PHI to train AI models without explicit, HIPAA-compliant authorization
- All AI processing is logged and auditable
- De-identification capabilities are available for analytics use cases
8. Business Associate Agreement
We execute BAAs with all customers who process PHI. Our BAA includes:
- Permitted and required uses of PHI
- Obligations to safeguard PHI
- Breach notification procedures
- Termination and data return/destruction provisions
- Subcontractor requirements
- Audit and compliance verification rights
To request a BAA, please contact compliance@relayvault.ai.
9. Subcontractors
We maintain a list of subcontractors who may have access to PHI:
- All subcontractors are required to sign BAAs
- We conduct security assessments of all subcontractors
- Subcontractors are contractually obligated to maintain HIPAA compliance
- A current list of subcontractors is available upon request
10. Documentation & Retention
We maintain documentation required by HIPAA:
- Policies and procedures
- Risk assessments and security reviews
- Training records
- Business Associate Agreements
- Incident reports
All documentation is retained for a minimum of 6 years as required by HIPAA.
11. Contact Us
For questions about our HIPAA compliance program, to request a BAA, or to report a potential security incident: