1) Overview

PhoneixRise Interactive Pvt. Ltd. (“we”, “us”, or “our”) provides design, development, and digital marketing solutions for healthcare organizations. For U.S. clients handling patient data, we support configurations that align with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We act as a Business Associate when we receive or process Protected Health Information (PHI) on behalf of covered entities and will execute a Business Associate Agreement (BAA) for eligible services.

2) Scope of HIPAA Services

Our HIPAA-aligned offerings include secure web development, patient intake forms, hosting consultation, and integrations with HIPAA-ready vendors. These are specifically designed for healthcare providers, hospitals, telemedicine platforms, and clinics serving U.S. patients.

  • HIPAA-ready forms and consent mechanisms
  • Secure data handling workflows for PHI
  • Encryption and role-based access control
  • Signed BAAs with appropriate hosting and email vendors

3) Our Responsibilities as a Business Associate

When a BAA is in place, we:

  • Use and disclose PHI only as permitted by the agreement and the client’s instructions.
  • Implement administrative, technical, and physical safeguards per 45 CFR §164.308–316.
  • Report any unauthorized access or security incidents involving PHI without unreasonable delay.
  • Ensure that our subcontractors (if any) with PHI access are bound by equivalent BAA obligations.
  • Cooperate in required audits and breach investigations.

4) Client Responsibilities

  • Identify which systems or forms collect PHI and ensure they are within the HIPAA scope.
  • Refrain from sending PHI through unsecured or non-HIPAA-enabled features (e.g., basic contact forms, chatbots, or public email).
  • Sign and maintain an active BAA before sharing any PHI.
  • Train authorized staff on HIPAA privacy and security obligations.

5) Safeguards Implemented

  • Administrative: BAAs, internal access policies, employee training, vendor due diligence, and incident response procedures.
  • Technical: data encryption in transit (TLS 1.2+), access logs, firewalls, intrusion monitoring, and secure credential management.
  • Physical: secured workstations, data center controls (via hosting partners), and restricted access to production environments.

6) Subprocessors & Vendors

We maintain contracts (and BAAs where applicable) with subprocessors supporting HIPAA-in-scope services such as hosting, database management, analytics, and email systems. A current list of approved HIPAA-related vendors can be provided upon request.

7) Breach Notification

In the event of a data breach or unauthorized disclosure of PHI within our systems or subprocessors, we will notify the affected client(s) promptly and assist with any investigation, documentation, and compliance requirements under 45 CFR §164.404–408.

8) Limitations

While we take extensive steps to maintain HIPAA-aligned safeguards, ultimate compliance also depends on the client’s proper configuration, staff practices, and adherence to signed BAAs. We are not responsible for data transmitted or stored outside of agreed HIPAA-in-scope environments.

9) Contact & BAA Requests

To request a Business Associate Agreement (BAA) or to learn more about our HIPAA-compliant offerings, contact:

Email: hipaa@phoneixrise.com
Phone: +91 88828 14698
Address: D-9, Ground Floor, Sector-3, Noida 201301, India