HIPAA Notice
Last updated: July 1, 2026. This HIPAA Notice describes PatientTrac’s HIPAA posture for customers and prospects. It is not a covered health care provider’s Notice of Privacy Practices and does not replace the notice that a physician practice, surgery center, hospital, clinic, health plan, or other covered entity must provide to its patients or members.
PatientTrac’s role
PatientTrac provides software and technology services. When PatientTrac creates, receives, maintains, or transmits PHI on behalf of a HIPAA-regulated customer, PatientTrac generally acts as a business associate or business-associate subcontractor. PatientTrac’s HIPAA obligations are established by applicable law and the signed BAA.
Permitted uses and disclosures
PatientTrac uses and discloses PHI only as permitted by the BAA, the service agreement, customer configuration and instructions, and applicable law. Common permitted purposes may include hosting, support, security, audit logging, clinical documentation workflows, intake, messaging, interoperability, revenue-cycle workflows, and customer-directed data export.
PatientTrac applies a minimum-necessary posture where applicable and does not sell PHI.
Individual rights and provider notices
Patients and members generally exercise HIPAA rights — such as access, amendment, restrictions, confidential communications, or accounting of disclosures — through their health care provider, health plan, or other covered entity. PatientTrac supports customer-directed access, amendment, ROI, accounting-of-disclosures, C-CDA, and EHI-export workflows when required by contract.
Safeguards for ePHI
PatientTrac’s platform is designed with administrative, technical, and operational safeguards for ePHI, including organization-level tenant isolation, Row-Level Security, role-based access, TOTP multi-factor authentication, server-side API keys, audit logging, and hash-chained PHI audit events where applicable. Customers remain responsible for configuring users, roles, policies, and local workflows appropriately.
Business Associate Agreements
A BAA is required when a HIPAA-regulated customer uses PatientTrac to create, receive, maintain, or transmit PHI. PatientTrac’s BAA addresses permitted uses and disclosures, safeguards, reporting, subcontractors, access/amendment/accounting support, availability to HHS where required, termination obligations, and other HIPAA-required provisions.
Security incidents and breach response
PatientTrac maintains processes to detect, investigate, document, and respond to security events. If PatientTrac determines that an incident triggers contractual or legal notification obligations, PatientTrac will notify affected customers according to the applicable BAA and law.
HIPAA and AI
PatientTrac AI features are designed to operate server-side. AI outputs are assistive drafts, summaries, suggestions, flags, or educational support for review by authorized professionals. AI does not replace clinician review and should not be used as an autonomous diagnostic, treatment, prescribing, coding, or reimbursement determination.
HIPAA contact
HIPAA and BAA inquiries may be sent to privacy@patienttrac.com or submitted through the Request a BAA page. Do not submit PHI through public website forms.