HIPAA Compliance
How NightingaleMD protects health information and maintains regulatory compliance
1. Our Commitment to HIPAA Compliance
NightingaleMD, Inc. is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI). As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Our Florence AI Voice Care Navigator platform is designed from the ground up with HIPAA compliance as a core architectural principle — not an afterthought.
2. Business Associate Agreements
NightingaleMD executes Business Associate Agreements (BAAs) with all covered entities before any PHI is processed through our platform. Our BAAs clearly define:
- The permitted uses and disclosures of PHI
- Safeguards we implement to prevent unauthorized use or disclosure
- Our obligations to report breaches of unsecured PHI
- Requirements for returning or destroying PHI upon termination
- Our obligation to make PHI available to individuals who request access
3. Administrative Safeguards
Security Officer
A designated HIPAA Security Officer oversees all security policies, procedures, and compliance activities.
Workforce Training
All employees complete HIPAA training upon hire and annually thereafter, with role-specific training for those handling PHI.
Risk Assessments
Regular risk assessments identify potential vulnerabilities and inform our security management process.
Incident Response
Documented incident response procedures ensure rapid detection, containment, and notification of any security events.
Access Management
Role-based access controls ensure that workforce members access only the PHI necessary for their job functions.
Contingency Planning
Data backup, disaster recovery, and emergency mode operation plans ensure continuity of PHI protection.
4. Physical Safeguards
NightingaleMD's infrastructure is hosted in SOC 2 Type II certified data centers that maintain:
- Facility access controls with biometric authentication
- 24/7 physical security monitoring and surveillance
- Environmental controls (fire suppression, climate control, power redundancy)
- Secure workstation policies for all employees accessing PHI
- Device and media controls for proper disposal and re-use of electronic media
5. Technical Safeguards
- Encryption: All PHI is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
- Access Controls: Unique user identification, multi-factor authentication, and automatic session timeout.
- Audit Controls: Comprehensive logging of all access to PHI, with automated monitoring and alerting.
- Integrity Controls: Mechanisms to authenticate electronic PHI and protect against improper alteration or destruction.
- Transmission Security: All data transmissions are encrypted and authenticated using industry-standard protocols.
6. FHIR and Interoperability Compliance
Our platform is built on FHIR R4 standards and is designed to comply with:
- TEFCA: Aligned with the Trusted Exchange Framework and Common Agreement for nationwide health information exchange.
- 21st Century Cures Act: Designed to prevent information blocking and support patient access to their health data.
- CMS Interoperability Rules: Compliant with CMS requirements for patient access APIs and provider directory APIs.
- CMS Health Tech Ecosystem: NightingaleMD is a recognized CMS Early Adopter, committed to advancing interoperability in healthcare technology.
7. Breach Notification
In the event of a breach of unsecured PHI, NightingaleMD will:
- Notify the affected covered entity without unreasonable delay and no later than 60 days after discovery
- Provide all information required for the covered entity to fulfill its breach notification obligations
- Cooperate fully with the covered entity's investigation and remediation efforts
- Document all breaches and maintain records for a minimum of six years
8. Patient Rights Under HIPAA
NightingaleMD supports covered entities in fulfilling patients' rights under the HIPAA Privacy Rule, including:
- Right to Access: Patients may request access to their PHI maintained by NightingaleMD on behalf of the covered entity.
- Right to Amendment: Patients may request amendments to their PHI if they believe it is inaccurate or incomplete.
- Right to an Accounting of Disclosures: Patients may request a list of certain disclosures of their PHI.
- Right to Request Restrictions: Patients may request restrictions on certain uses and disclosures of their PHI.
- Right to Confidential Communications: Patients may request that communications about their PHI be sent by alternative means or to alternative locations.
9. Ongoing Compliance
NightingaleMD maintains its HIPAA compliance through:
- Annual HIPAA risk assessments and security audits
- Regular review and update of policies and procedures
- Continuous monitoring of regulatory changes and guidance from HHS
- Third-party penetration testing and vulnerability assessments
- SOC 2 Type II annual certification
10. Contact Our Privacy Officer
If you have questions about our HIPAA compliance practices, wish to report a potential security concern, or need to exercise your rights regarding PHI, please contact us:
NightingaleMD, Inc. — HIPAA Privacy Officer
Email: hello@nightingalemd.com
Website: www.nightingale.md