HIPAA Compliance

We are proud to help doctors, medical practices, hospitals, covered entities, and health care business associates of all sizes protect PHI with end-to-end encryption. Our secure design meets and exceeds HHS Guidance, which recommends specific encryption processes such as NIST SP 800-111 and NIST SP 800-52. This means that when you use Syfr, PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals. Even we cannot access PHI. To learn how we protect health information (and other sensitive information), see our security whitepaper. In just a few clicks, you can enable secure patient communications with the assurance of our BAA below.

Business Associate Agreement

This HIPAA Business Associate Agreement (“BAA”) is entered into between Syfr Inc. (“Syfr”, “we”, “us” and/or “our”) and the customer’s organization (“Customer”), and supplements, amends and is incorporated into the Terms of Service.

1. Definitions

The following have the definitions given under the Health Information Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended (“HIPAA”): (a) Business Associate; (b) Breach; (c) Covered Entity; (d) Protected Health Information (PHI); (e) Security Incident; and (f) encryption.

“E2EE Data” means information which meets all of the following criteria: (a) it is secured by encryption, and (b) we are never provided the associated encryption key(s). This structure may also be known as end-to-end encryption (E2EE) or a zero-knowledge system.

“E2EE Subject Data” means E2EE Data where said information is PHI.

2. Applicability

This BAA applies only to the extent (a) Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit E2EE Subject Data, (b) we, as a result, are deemed to be acting as a Business Associate or Subcontractor of Customer, and (c) we, as a result, are required to comply with HIPAA law. Furthermore, for this BAA to be valid and effective: (a) you represent and warrant that you have the full legal authority to bind Customer to this BAA; (b) you, on behalf of Customer, complete an application for this BAA (instructions will be within the Customer Organization panel); (c) we approve your application; (d) Customer and Customer’s representatives shall not request that we use or disclose PHI in a manner impermissible under HIPAA.

3. Our Obligations

In accordance with 45 CFR § 164.308(b)(2), we will appropriately safeguard PHI as follows. In accordance with 45 CFR § 164.314(a)(2), we shall (a) comply with the applicable requirements of HIPAA; (b) in accordance with 45 CFR § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on our behalf comply with the applicable requirements of HIPAA by entering into a contract or other arrangement that complies with HIPAA; and (c) report to Customer any Security Incident of which we become aware, including breaches of unsecured PHI as required by 45 CFR § 164.410. Our report to Customer may be made by email to the address provided by Customer.

4. Term and Termination

This BAA shall be effective from the date the Applicability requirements above are fulfilled (the “BAA Term”). This BAA shall automatically and immediately terminate if (a) the Customer’s plan is terminated; (b) any of the Applicability requirements are unmet; or (c) Customer or any of its agents violates, or has violated, any of the Terms of Service.