HIPAA Compliance Statement

Last updated: January 2026

Retaine is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

Business Associate Agreements

Retaine acts as a Business Associate under HIPAA. We execute a Business Associate Agreement (BAA) with every customer practice before any PHI is processed. Our BAA outlines our obligations regarding PHI use, disclosure, and protection.

PHI Handling Practices

PHI is never included in outbound SMS, email, or voicemail messages. All patient communications contain only general reminders and secure links. Treatment plan details are accessible only through our HIPAA-compliant patient portal, which is reached via single-use, time-limited tokens. Each portal link expires 72 hours after it is issued and is invalidated the first time it is opened, so it cannot be reused.

Encryption

  • At rest: All stored data is encrypted with AES-256
  • In transit: All communications use TLS 1.2 or higher
  • Portal tokens: Only a SHA-256 hash of each token is stored, with single-use enforcement (hashing rather than encryption: a stored hash cannot be reversed to recover a live link)

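The token mechanism the two sections above describe (a high-entropy token in the link, only its SHA-256 hash persisted, a 72-hour lifetime, and invalidation on first use) can be illustrated with the following added example. It is written for this page and is not Retaine's code: the in-memory Map stands in for a database table, and the function names, record fields and result shape are assumptions; only the hash algorithm and the 72-hour expiry come from the statement.

```typescript
// Added example, not Retaine's implementation. Demonstrates single-use,
// time-limited portal tokens where only a SHA-256 hash is persisted.
import { createHash, randomBytes } from "crypto";

// Lifetime from the page: links expire 72 hours after issuance.
const TOKEN_TTL_MS = 72 * 60 * 60 * 1000;

// Assumed record shape for the token table.
interface TokenRecord {
  tokenHash: string;     // hex SHA-256 of the raw token; the raw token is never stored
  patientId: string;     // which patient's portal page the link opens
  expiresAt: number;     // epoch milliseconds
  usedAt: number | null; // set on first redemption; kept (not deleted) for audit review
}

// Assumed storage: an in-memory Map keyed by hash stands in for the database.
const tokenStore = new Map<string, TokenRecord>();

function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Issue a token for a patient. Returns the raw token that goes into the link;
// the store only ever sees its hash, so a database read cannot yield a live link.
function issuePortalToken(patientId: string, now: number = Date.now()): string {
  const raw = randomBytes(32).toString("base64url"); // 256 bits of entropy
  const tokenHash = sha256Hex(raw);
  tokenStore.set(tokenHash, {
    tokenHash,
    patientId,
    expiresAt: now + TOKEN_TTL_MS,
    usedAt: null,
  });
  return raw;
}

type RedeemResult =
  | { ok: true; patientId: string }
  | { ok: false; reason: "unknown" | "already_used" | "expired" };

// Redeem a token presented by the browser. Every failure path returns a
// distinct reason so the audit log can record why a link was rejected,
// but the caller should show the patient only a generic "link no longer valid".
function redeemPortalToken(raw: string, now: number = Date.now()): RedeemResult {
  const rec = tokenStore.get(sha256Hex(raw));
  if (!rec) return { ok: false, reason: "unknown" };
  if (rec.usedAt !== null) return { ok: false, reason: "already_used" };
  if (now >= rec.expiresAt) return { ok: false, reason: "expired" };
  rec.usedAt = now; // single-use enforcement: mark before returning PHI access
  return { ok: true, patientId: rec.patientId };
}

// Stand-alone demonstration with a fixed clock (constructed values, not real data).
const demoNow = 1_700_000_000_000;
const demoToken = issuePortalToken("demo-patient", demoNow);
const firstOpen = redeemPortalToken(demoToken, demoNow + 60_000);
const secondOpen = redeemPortalToken(demoToken, demoNow + 120_000);
console.log(firstOpen.ok, secondOpen.ok); // first opens, replay is refused
```

Two design points worth noting: the lookup is keyed by the hash, so the raw token never touches the database even transiently, and a redeemed record is marked used rather than deleted, which keeps a trail of when each link was opened for the audit review described under Access Controls. The ordering of checks matters too: a replay of an expired-and-used link is reported as a replay, not as expiry, which is the more useful signal in a log.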
Access Controls

  • Row-Level Security (RLS): Enforced at the database level via Supabase, so each practice can read and modify only its own rows
  • Role-based access: Team members receive permissions appropriate to their role (admin, manager, staff)
  • Audit logging: All data access and modifications are logged for compliance review
  • Server-side only: All API routes that handle PHI execute server-side; PHI is never processed in browser-side code or fetched by the browser directly from the database

Data Retention & Deletion

Patient data is retained for the duration of the customer relationship. Upon account termination, all PHI is permanently deleted within 30 days. Practices may request immediate deletion of specific patient records at any time. Automated purge procedures ensure that no PHI persists beyond the retention period.

Requesting a BAA

To request a Business Associate Agreement or for any HIPAA-related inquiries, please contact our privacy team at privacy@retaine.com.
