
HIPAA Compliance

Effective date: November 30, 2025 · Last updated: November 30, 2025

1. Our Role Under HIPAA

RatifiedRx operates as a Business Associate (BA) under the Health Insurance Portability and Accountability Act (HIPAA). We are not a Covered Entity. We process Protected Health Information (PHI) on behalf of covered entities — such as hospitals, clinics, physician practices, and pharmacies — under signed Business Associate Agreements. We do not independently determine the purposes or means of PHI processing; that authority rests with the covered entity.

2. What Is a Business Associate Agreement (BAA)

A Business Associate Agreement is a legally required contract under HIPAA that establishes the permitted uses and disclosures of PHI by a business associate on behalf of a covered entity. Before any PHI is transmitted to or processed by RatifiedRx, your organization must execute a BAA with us. To obtain a BAA, contact team@ratifiedrx.com. Using RatifiedRx to process PHI without an executed BAA is prohibited.

3. Protected Health Information We Handle

In the course of processing prior authorization requests, RatifiedRx may handle the following categories of PHI on behalf of covered entities: patient name and date of birth; insurance member ID and group number; diagnosis codes (ICD-10); procedure and medication information; clinical notes and supporting documentation submitted by the covered entity. PHI is accessed and used solely to complete prior authorization requests as directed by the covered entity.

4. How We Safeguard PHI

RatifiedRx implements administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These include: encryption of PHI at rest and in transit using industry-standard protocols; role-based access controls limiting PHI access to personnel who require it; audit logging of PHI access and processing events; regular risk assessments and workforce security training; and physical security controls for infrastructure hosting PHI.

5. Data Retention and Deletion

PHI processed through RatifiedRx is not retained beyond the period necessary to complete the prior authorization transaction. Upon completion, PHI is deleted in accordance with the terms of the applicable Business Associate Agreement. RatifiedRx does not use PHI for secondary purposes such as product improvement, analytics, or marketing.

6. Breach Notification

In the event of a discovered breach of unsecured PHI, RatifiedRx will notify affected covered entities without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 CFR §164.410. Notification will include the identification of affected individuals (to the extent known), a description of the PHI involved, steps individuals can take to protect themselves, and steps RatifiedRx is taking to investigate and mitigate the breach.

7. Subcontractors and Downstream Business Associates

Where RatifiedRx engages subcontractors who will have access to PHI (for example, cloud infrastructure providers), we require those subcontractors to execute Business Associate Agreements with terms that provide equivalent protections to those required of RatifiedRx under HIPAA. We remain responsible for the acts and omissions of our subcontractors to the extent required by law.

8. Your Responsibilities as a Covered Entity

As a covered entity using RatifiedRx, your organization remains responsible for fulfilling its own HIPAA obligations, including providing patients with your Notice of Privacy Practices, obtaining required authorizations, and ensuring that PHI transmitted to RatifiedRx is limited to the minimum necessary for the prior authorization purpose. RatifiedRx is a business associate tool — it does not fulfill your organization's direct HIPAA obligations to patients.

9. Changes to This Statement

We may update this HIPAA Compliance statement as our practices evolve or as regulations change. Material updates will be reflected in the "Last updated" date at the top of this page. Continued use of our services following an update constitutes acceptance of the revised statement.

10. Contact Us

For questions about our HIPAA compliance practices, to request a Business Associate Agreement, or to report a potential security concern, contact us at team@ratifiedrx.com or by mail at RatifiedRx, 12 Main St., Brewster, NY 10509.