HIPAA Compliance Statement

Last Updated: November 30, 2025

1. Commitment to Security

VisitSync is dedicated to maintaining the highest standards of data security and privacy. We recognize that our customers—clinical research sites and healthcare providers—are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In the context of HIPAA, VisitSync (operated by Ariel Rieumont) functions as a Business Associate. We have implemented a comprehensive security program designed to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI) that we process on your behalf.

2. The Shared Responsibility Model

HIPAA compliance is a shared responsibility between VisitSync (the Business Associate) and you (the Covered Entity). While we secure the underlying infrastructure and software, you retain responsibility for certain security aspects.

VisitSync's Responsibilities:
  • Physical security of cloud infrastructure (via AWS/Cloud Providers).
  • Network security and encryption (at rest and in transit).
  • Application-level access controls and audit logs.
  • Disaster recovery and database backups.
Your Responsibilities:
  • User access management (granting/revoking staff access).
  • Ensuring strong passwords and keeping credentials confidential.
  • Obtaining patient consent/authorization where required.
  • Configuring role-based permissions correctly within the app.

3. Technical Safeguards

We employ industry-standard technical measures to protect ePHI:

  • Data Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
  • Access Control and Tenant Isolation: Every request is authorized against the requesting user's role and tenant, and tenant data is logically segregated so that one tenant cannot read or modify another tenant's records.
  • Audit Trails: The system maintains detailed logs of user activities, including logins, data access, and modifications, available for your review.
  • Automatic Logoff: Sessions automatically time out after a period of inactivity to prevent unauthorized access.

4. Physical & Administrative Safeguards

VisitSync utilizes top-tier cloud infrastructure providers (such as Vercel and AWS) that undergo regular SOC 2 Type II audits and hold current SOC 2 Type II attestation reports. Those reports cover the providers' controls over the infrastructure they operate; the application-level and organizational controls that VisitSync itself operates are described in Sections 3 and 4. We do not maintain physical servers on our own premises.

  • Data Center Security: Our providers employ 24/7 onsite security, biometric access controls, and video surveillance.
  • Workforce Training: All VisitSync personnel undergo mandatory HIPAA security awareness training and confidentiality agreements.
  • Background Checks: We conduct screening of employees with potential access to sensitive data.
  • Incident Response: We maintain a documented Incident Response Plan to promptly detect, respond to, and report security incidents.

5. Business Associate Agreement (BAA)

We understand that a signed Business Associate Agreement (BAA) is a requirement for your compliance. VisitSync provides a standard BAA to all customers on paid subscription plans.

Important: You must execute a BAA with us before uploading any Patient Data to the platform.

To request a copy of our BAA for signature, please email us at the address provided in Section 7.

6. Breach Notification Policy

In the event of a breach of unsecured PHI, VisitSync will notify affected Covered Entities without unreasonable delay, and in no case later than the timeframe specified in our BAA (typically 60 days or fewer from discovery), consistent with 45 CFR § 164.410. The notification will include, to the extent available, the identification of each affected individual and any other information the Covered Entity needs to meet its own notification obligations, as required by 45 CFR § 164.410(c).

7. Contact & Security Reporting

For all matters regarding HIPAA compliance, security incidents, or to request a BAA, please use our central support channel.

Email: support@visitsync.app

Please use the subject line "HIPAA Compliance" or "Security Incident" to ensure priority routing.

Disclaimer: This document describes VisitSync's security posture and compliance features. It does not constitute legal advice. You should consult with your own legal counsel to ensure your organization's compliance with HIPAA and other applicable laws.