HIPAA Compliance Statement

Last updated: June 2026

TRAX CRM is built to support covered entities in meeting their obligations under the Health Insurance Portability and Accountability Act (HIPAA). This statement summarizes the administrative, physical, and technical safeguards we apply to Protected Health Information (PHI).

Business Associate Role

TRAX serves as a Business Associate to subscribing facilities and enters into a Business Associate Agreement (BAA) that defines our responsibilities for safeguarding PHI, reporting incidents, and supporting individuals’ rights.

Technical Safeguards

  • Encryption of PHI in transit (TLS) and at rest (256-bit AES).
  • End-to-end encryption for TRAX Connect clinical messaging and calls, so the server never sees decrypted content.
  • Role-based access control enforcing the minimum-necessary standard.
  • Tamper-evident, Ed25519-signed audit trail attributing every data write and secure connection.
  • Automatic session controls and authenticated API access.

Administrative Safeguards

We maintain documented security policies, workforce access reviews, incident-response procedures, and ongoing risk assessment aligned with the HIPAA Security Rule.

Physical Safeguards

PHI is hosted in audited, access-controlled cloud infrastructure with redundancy and monitored physical security maintained by our infrastructure providers under their own compliance certifications.

Breach Notification

In the event of a breach of unsecured PHI, TRAX will notify affected facilities without unreasonable delay and in accordance with the timelines and requirements of the HIPAA Breach Notification Rule.

Your Rights & Minimum Necessary

Access to PHI is restricted to the minimum necessary for each user’s role. Individuals may exercise their HIPAA rights — including access and amendment — through the facility that maintains their records.

Contact Our Privacy Officer

To request a BAA or raise a compliance concern, contact compliance@traxs.dev.