Important

1. Our Role Under HIPAA

SovaCare Health is a Business Associate (BA) under the Health Insurance Portability and Accountability Act (HIPAA). We:

• Create, receive, maintain, and transmit Protected Health Information (PHI) on your behalf
• Comply with HIPAA Security Rule (45 CFR §§ 164.300–320)
• Follow the Privacy Rule (45 CFR §§ 164.500–508)
• Execute a Business Associate Agreement with your organization

2. PHI We Handle

SovaCare may access the following types of PHI:

• Patient demographics (name, DOB, contact info)
• Medical history (diagnoses, medications, allergies, procedures)
• Encounter records and clinical notes
• Laboratory and radiology results
• Insurance information
• Consent and authorization records

3. Permitted Uses and Disclosures

SovaCare uses and discloses PHI only as permitted by:

• The Business Associate Agreement with your organization
• Your written instructions
• HIPAA law (e.g., for treatment, payment, operations)

SovaCare does NOT:

• Use PHI for marketing or fundraising
• Sell PHI to third parties
• Use PHI for purposes other than those specified in the BAA

4. Safeguards

SovaCare implements comprehensive security measures to protect PHI:

Administrative

• Workforce security policies and access controls
• Information access management (role-based access)
• Security awareness training for all staff
• Incident response procedures

Physical

• Data centers in AWS HIPAA-compliant regions
• Restricted physical access to servers
• Environmental controls (fire suppression, HVAC)

Technical

• Encryption in transit (TLS 1.2+)
• Encryption at rest (AES-256)
• Audit logging and monitoring
• Multi-factor authentication
• Regular penetration testing and vulnerability assessments

5. Subcontractors

SovaCare uses the following subcontractors to support the Service:

• AWS: Cloud infrastructure (HIPAA-aligned)
• Stripe: Payment processing (PCI-DSS compliant)
• Google Analytics: Usage analytics (anonymized, HIPAA-compliant)

All subcontractors execute Business Associate Agreements and comply with HIPAA.

6. Patient Rights

Under HIPAA, patients have the right to:

• Access: Request and obtain a copy of their PHI in their medical record
• Amendment: Request corrections to inaccurate or incomplete PHI
• Accounting of Disclosures: Request a list of who has accessed their records
• Restrictions: Request limits on uses and disclosures
• Confidential Communication: Request alternative communication methods

Patients should direct these requests to your clinic, not SovaCare. Your clinic will coordinate with us as needed.

7. Breach Notification

If a breach of unsecured PHI occurs:

• SovaCare will notify your clinic without unreasonable delay (typically within 24 hours)
• We will provide details of the breach, affected individuals, and remediation steps
• Your clinic is responsible for notifying affected patients and regulators as required by law

For breach inquiries, contact: admin@sovacare.health

8. Audit Logging

SovaCare maintains comprehensive audit logs of:

• All PHI access (user, time, record accessed)
• Modifications and deletions
• User login and logout events
• System events and errors

Audit logs are retained for 7 years per HIPAA requirements. Your clinic can request audit reports at any time.

9. Data Retention

SovaCare retains PHI according to your clinic's data retention policy and applicable law:

• Patient records: Retained during active relationship and per your retention policy
• Audit logs: Retained for 7 years (HIPAA requirement)
• Backup data: Retained per disaster recovery policy (typically 30 days)

Upon clinic request or contract termination, SovaCare will delete or return PHI as specified in the BAA.

10. Business Associate Agreement

A Business Associate Agreement must be executed before SovaCare handles any PHI. The BAA specifies:

• Permitted uses and disclosures of PHI
• Security and privacy obligations
• Breach notification procedures
• Data return and destruction requirements
• Audit and compliance procedures

For a copy of the BAA, contact: admin@sovacare.health

11. Regulatory Compliance

SovaCare complies with:

• HIPAA Privacy Rule (45 CFR Part 164)
• HIPAA Security Rule (45 CFR Part 164)
• HIPAA Breach Notification Rule (45 CFR Part 164)
• State privacy and healthcare laws (CA, NY, etc.)
• GDPR (for EU-based users and data)

12. Questions and Complaints

For questions about this Notice or to file a complaint:

13. Effective Date

This Notice is effective as of January 2025 and applies to all PHI processed by SovaCare.