HIPAA Compliance

Last updated: April 1, 2026

Protecting your health information is the foundation of everything we do. This page explains how Attunio meets its obligations under HIPAA and the safeguards we have in place to keep your protected health information private and secure.

1. Our commitment to HIPAA

Attunio is built from the ground up to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. We treat protected health information (PHI) as the most sensitive data we hold, and every system, process, and vendor relationship is designed around keeping it private and secure.

As a covered entity for the clinical services we provide, we follow the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in full.

2. Business Associate Agreements

Every third-party vendor that may access PHI on our behalf — including our hosting, messaging, video, and analytics providers — operates under a signed Business Associate Agreement (BAA). These agreements legally bind our partners to the same standards of confidentiality and security that we hold ourselves to.

If your organization requires a BAA with Attunio, contact compliance@attunio.co.

3. Administrative safeguards

  • Designated Privacy Officer and Security Officer responsible for our HIPAA program.
  • Mandatory HIPAA training for all workforce members at onboarding and annually.
  • Role-based access controls — staff can only access the minimum PHI necessary for their job.
  • Documented policies for sanctions, incident response, and contingency planning.
  • Regular risk assessments and internal audits of access logs.

4. Technical safeguards

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256).
  • Multi-factor authentication required for all staff and clinician accounts.
  • Automatic session timeouts and audit logging of all access to PHI.
  • Continuous monitoring, intrusion detection, and vulnerability scanning.

5. Physical safeguards

Our infrastructure runs in SOC 2 Type II and ISO 27001 certified data centers with 24/7 physical security, biometric access controls, and environmental protections. Attunio staff do not store PHI on local devices, and all company hardware is encrypted and centrally managed.

6. Your rights under HIPAA

As a patient, you have the right to:

  • Access and obtain a copy of your medical records.
  • Request corrections to your health information.
  • Receive an accounting of certain disclosures of your PHI.
  • Request restrictions on how your information is used or shared.
  • Receive our Notice of Privacy Practices.
  • File a complaint if you believe your privacy rights have been violated.

To exercise any of these rights, contact privacy@attunio.co.

7. Breach notification

In the unlikely event of a breach involving unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and (where required) the media, in accordance with the HIPAA Breach Notification Rule and applicable state laws. Notifications will be made without unreasonable delay and no later than 60 days after discovery.

8. Reporting a concern

If you have a question or concern about how Attunio handles PHI, or wish to report a potential violation, please contact our Privacy Officer at privacy@attunio.co. You may also file a complaint directly with the HHS Office for Civil Rights. We will never retaliate against anyone for filing a complaint in good faith.