HIPAA Compliance Statement
Last updated: June 2026
TRAX CRM is built to support covered entities in meeting their obligations under the Health Insurance Portability and Accountability Act (HIPAA). This statement summarizes the administrative, physical, and technical safeguards we apply to Protected Health Information (PHI).
Business Associate Role
TRAX serves as a Business Associate to subscribing facilities and enters into a Business Associate Agreement (BAA) that defines our responsibilities for safeguarding PHI, reporting incidents, and supporting individuals’ rights.
Technical Safeguards
- Encryption of PHI in transit (TLS) and at rest (256-bit AES).
- End-to-end encryption for TRAX Connect clinical messaging and calls, so the server never sees decrypted content.
- Role-based access control enforcing the minimum-necessary standard.
- Tamper-evident, Ed25519-signed audit trail attributing every data write and secure connection.
- Automatic session controls and authenticated API access.
Administrative Safeguards
We maintain documented security policies, workforce access reviews, incident-response procedures, and ongoing risk assessment aligned with the HIPAA Security Rule.
Physical Safeguards
PHI is hosted in audited, access-controlled cloud infrastructure with redundancy and monitored physical security maintained by our infrastructure providers under their own compliance certifications.
Breach Notification
In the event of a breach of unsecured PHI, TRAX will notify affected facilities without unreasonable delay and in accordance with the timelines and requirements of the HIPAA Breach Notification Rule.
Your Rights & Minimum Necessary
Access to PHI is restricted to the minimum necessary for each user’s role. Individuals may exercise their HIPAA rights — including access and amendment — through the facility that maintains their records.
Contact Our Privacy Officer
To request a BAA or raise a compliance concern, contact compliance@traxs.dev.