1. What we are, in HIPAA terms
Your practice is the Covered Entity. Focus is your Business Associate. Patients give their PHI to you — you use Focus to manage that data on their behalf.
We sign a Business Associate Agreement (BAA) with every paying customer before go-live. Our standard BAA is available for review during your sales process — and we'll redline yours if you have specific terms. Both parties' obligations are documented in plain language.
2. The administrative safeguards
- Annual security risk analysis (HIPAA §164.308(a)(1)(ii)(A)) — last completed Q4 2025.
- Workforce HIPAA training, annually + on hire.
- Designated Privacy Officer and Security Officer (titles, not committees).
- Sanction policy for workforce members who violate PHI handling rules.
- Incident response plan with documented runbooks and tabletop exercises every six months.
3. The technical safeguards
- Encryption — AES-256 at rest, TLS 1.3 in transit. Customer-managed keys available on Enterprise.
- Access control — role-based (RBAC), least-privilege, with quarterly reviews.
- Audit logs — every PHI access logged, immutable, retained 7 years, exportable to your SIEM.
- Authentication — MFA required for all clinician accounts, SSO via SAML / OIDC, hardware-key support.
- Session controls — automatic timeout, configurable per role.
4. The physical safeguards
- PHI is hosted on AWS in HIPAA-eligible regions (us-east-1, us-west-2). AWS provides physical security of facilities.
- Workforce devices are MDM-managed, full-disk encrypted, with remote wipe capability.
- Office spaces with possible PHI exposure are badge-controlled and visitor-logged.
5. Sub-processors
We use a small number of sub-processors. Each is bound by terms equivalent to our BAA and is reviewed annually. The full list is published in our trust portal and updated within 30 days of any change. As of the effective date above, our sub-processors include AWS (hosting), Twilio (SMS), Mailgun (email), Datadog (monitoring), and Okta (workforce identity).
6. Breach notification
If we determine a breach of unsecured PHI has occurred, we will notify the affected Covered Entity within 5 business days of discovery — well inside the HIPAA-mandated 60-day window. Notification will include the timeline, scope, mitigation steps, and our root-cause analysis.
7. Your rights as a Covered Entity
- You may audit our security controls annually with reasonable notice.
- You may request our most recent SOC 2 Type II report and HITRUST certification at any time.
- You may request return or destruction of PHI at the end of our relationship per the BAA.
- You may direct us to make amendments, provide an accounting of disclosures, or take other PHI actions on behalf of your patients.
8. What we don't do with PHI
- We do not use PHI to train AI models for any other customer or purpose.
- We do not sell, rent, or otherwise disclose PHI to third parties for marketing or any other use.
- We do not access PHI except to deliver our service or in response to a customer support request from you.
9. Get the BAA
To request our standard BAA for review, email legal@focusehr.com. We typically execute mutual BAAs within 3 business days.
Questions? Email legal@focusehr.com or write to Focus EHR, Inc., 600 Mission Street, 18th Floor, San Francisco, CA 94105.