HIPAA
Last updated: May 2026
The Health Insurance Portability and Accountability Act (HIPAA) sets the U.S. baseline for how protected health information (PHI) must be handled by healthcare organizations and the vendors that support them. Metadot Corporation operates products used by healthcare-adjacent teams, and we have built our security program so that customers who need to handle PHI can do so under a Business Associate Agreement.
Our HIPAA Posture
- Safeguarding PHI. Customer data is encrypted in transit and at rest. Access to production systems is restricted, authenticated with multi-factor authentication, and logged.
- Access controls. Within our products, account owners control which agents can view which records. End users can only see their own activity.
- Administrative, physical, and technical safeguards. We align our controls with 45 CFR §§ 164.306, 164.308, 164.310, 164.312, and 164.314.
- Subprocessors. Vendors that may handle PHI are required to commit, in writing, to equivalent safeguards.
Business Associate Agreement
Metadot has executed a Business Associate Agreement (BAA) with Amazon Web Services, our infrastructure provider. We will execute a BAA with eligible customers on the appropriate Metadot products. To request a BAA, contact compliance@metadot.com.
What Customers Are Responsible For
HIPAA compliance is a shared responsibility. Metadot provides the controls listed above; customers are responsible for using the product in a HIPAA-compliant way, including:
- Limiting access to PHI to staff who need it for their role.
- Configuring strong authentication and account hygiene.
- Training their workforce on HIPAA requirements.
- Executing a BAA with Metadot before storing PHI in the product.
Frequently Asked Questions
What is HIPAA?
HIPAA is a U.S. federal law that establishes rules for protecting the privacy and security of individuals' health information. It sets requirements for “covered entities” (such as healthcare providers and insurers) and for “business associates” (such as vendors that process PHI on their behalf).
What rights does HIPAA give patients?
Patients have the right to access their own health information, request corrections, learn how their data has been disclosed, and receive notifications in the event of a breach.
Who needs to be HIPAA compliant?
Covered entities and their business associates must comply with HIPAA. Organizations that are not in healthcare but that hold PHI on behalf of a covered entity also fall under the rules.
What counts as protected health information?
PHI is any individually identifiable health information held or transmitted by a covered entity or business associate, in any form, whether on paper, electronic, or spoken.
Is HIPAA “certified”?
There is no official government certification for HIPAA. Compliance is demonstrated through documented policies, technical controls, and the results of independent audits.
What safeguards does Metadot provide?
Encryption in transit and at rest, audited access controls, comprehensive logging, daily encrypted backups, 24/7 monitoring, background checks and confidentiality agreements for staff with access, and a signed BAA with our infrastructure provider.
How do I sign a BAA with Metadot?
Reach out to compliance@metadot.com with your account details and the product you intend to use.