HIPAA Notice

Last updated: May 31, 2026

1. Our Commitment to HIPAA Compliance

FullStackRx is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and their implementing regulations.

2. Protected Health Information (PHI)

PHI includes any individually identifiable health information that is created, received, maintained, or transmitted through our platform. This includes patient names, dates of birth, prescription details, medical histories, and any other information that can be linked to a specific individual.

3. How We Protect PHI

FullStackRx implements comprehensive safeguards to protect PHI:

Administrative Safeguards:
• Designated privacy and security officers
• Workforce training on HIPAA requirements
• Access management and authorization policies
• Incident response and breach notification procedures

Technical Safeguards:
• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Multi-factor authentication (MFA)
• Role-based access controls (RBAC)
• Comprehensive audit logging of all PHI access
• Automatic session timeouts

Physical Safeguards:
• Secure cloud infrastructure with SOC 2 certified providers
• Redundant data storage and backup systems
• Access controls for data center facilities

4. Business Associate Agreements

FullStackRx will enter into Business Associate Agreements (BAAs) with covered entities as required by HIPAA. We also maintain BAAs with our subcontractors who may have access to PHI, including our cloud hosting providers, payment processors, and email service providers.

5. Minimum Necessary Standard

We apply the HIPAA minimum necessary standard, ensuring that access to PHI is limited to only the information needed to accomplish the intended purpose. Our role-based access control system enforces this principle at every level.

6. Patient Rights

Through our platform, patients maintain their HIPAA rights, including:
• The right to access their health information
• The right to request corrections to their records
• The right to an accounting of disclosures
• The right to request restrictions on certain uses and disclosures
• The right to receive confidential communications

7. Breach Notification

In the event of a breach of unsecured PHI, FullStackRx will notify affected covered entities without unreasonable delay and no later than 60 calendar days after discovery of the breach, as required by the HIPAA Breach Notification Rule.

8. Data Retention and Disposal

PHI is retained in accordance with applicable laws and our data retention policies. When PHI is no longer needed, it is securely disposed of using industry-standard methods to prevent unauthorized access or recovery.

9. Audit and Monitoring

FullStackRx maintains comprehensive audit trails of all access to PHI. We conduct regular internal audits and risk assessments to ensure ongoing compliance with HIPAA requirements. Our platform logs all user actions related to PHI access, modification, and transmission.

10. Contact Information

For questions about our HIPAA practices, to report a potential security incident, or to request a Business Associate Agreement, please contact our Privacy Officer at info@fullstackrx.com.