Last updated: June 1, 2026 · Draft — pending attorney review.

Draft notice. This HIPAA notice is a working draft and has not yet been reviewed by a licensed healthcare attorney. It is provided for transparency; the binding terms of our HIPAA relationship with any practice are set out in the executed Business Associate Agreement (BAA) between Denizen and that practice.

1. Our role under HIPAA

Denizen Healthcare is a Business Associate of the OB-GYN practices we partner with. Under the Health Insurance Portability and Accountability Act (HIPAA), each partner practice is a Covered Entity, and Denizen receives, creates, transmits, and stores Protected Health Information (PHI) on behalf of that practice for the limited purpose of providing patient follow-up services.

Our handling of PHI is governed by:

  • The HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
  • The HIPAA Security Rule (45 CFR Part 164, Subpart C)
  • The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
  • The Business Associate Agreement (BAA) executed with each partner practice

2. Business Associate Agreements (BAAs)

We sign a HIPAA-compliant BAA with every practice before any PHI is exchanged. The BAA defines:

  • The permitted uses and disclosures of PHI
  • The safeguards we are obligated to maintain
  • The notification timeline if a breach occurs
  • Our subcontractor flow-down obligations
  • Termination and return-or-destroy obligations

A draft BAA is available for your healthcare attorney's review on request.

3. Safeguards we maintain

Administrative safeguards

  • Designated Privacy Officer and Security Officer
  • Workforce HIPAA training for every person with PHI access
  • Documented risk assessment per Security Rule requirements
  • Documented sanction policy for workforce violations
  • Documented incident response and breach notification procedures

Technical safeguards

  • Encryption at rest for all systems holding PHI
  • Encryption in transit (TLS 1.2+) for all PHI transmission
  • SFTP/SSH for daily report ingest from practice EHRs
  • Multi-factor authentication on every account with PHI access
  • Audit logging on all PHI access events
  • Role-based access control with least-privilege defaults

Physical safeguards

  • Cloud-hosted infrastructure with documented physical-security controls
  • Workforce device controls (full-disk encryption, automatic lock, MFA)

4. Subcontractor flow-down

Where we use third-party vendors that may access PHI in the course of providing our service, we maintain a BAA with each such vendor before any PHI is shared. Our vendor list is maintained internally and made available to practices on request.

5. Breach notification

In the event of a breach of unsecured PHI, Denizen will notify the affected practice without unreasonable delay and in no case later than 60 calendar days following discovery, in accordance with the HIPAA Breach Notification Rule and the terms of the applicable BAA. Our notification will include the information required by 45 CFR § 164.410.

6. Patient-facing communications

All outbound patient communications from Denizen Healthcare:

  • Are conducted on behalf of the practice that holds the patient relationship
  • Identify Denizen Healthcare as a care partner of the practice
  • Require documented patient consent obtained by the practice (TCPA-compliant)
  • Include opt-out language in all SMS communications (reply STOP)
  • Are scoped to the care-related purposes set out in the practice's BAA and MSA

Patients who opt out of SMS communications are flagged in the practice's next daily digest. Patient consent paperwork is retained by the practice for at least the duration of the patient relationship plus 4 years.

7. Patient rights

Patients have rights under HIPAA, including the right to access their PHI, request corrections, request restrictions, and request an accounting of disclosures. Patients should exercise these rights through their practice, not Denizen Healthcare directly — the practice is the Covered Entity and the holder of the patient record. Denizen will support practice responses to patient requests as required by the BAA.

8. Reporting concerns

If you believe Denizen Healthcare has improperly used or disclosed PHI, you may:

You will not be retaliated against for filing a complaint.

9. Contact

Privacy Officer
Denizen Healthcare
Tampa, Florida
hello@denizenhealthcare.com