Ironsail Pharma patient data handling

Ironsail Pharma patient data handling

Ordering through ImpetusRX routes patient information because compounded orders require patient details, a prescriber, and a SIG, and that information must reach the fulfilling 503A pharmacy. Protected health information flows from the clinic, through ImpetusRX, to the partner pharmacy. ImpetusRX marketing cites HIPAA-compliant infrastructure, audit trails, and SOC 2 Type II certification, but Ironsail Pharma does not publish a full data inventory, encryption specifications, or a BAA template. This page maps the PHI flow and lists the data-handling questions a clinic should verify before sending patient information.

This page explains where patient data goes in the Ironsail Pharma ordering flow and what to confirm about access, encryption, and partner sharing.

PHI in ordering Clinic to platform to pharmacy Access controls Encryption Partner sharing What to verify

What patient data does an ImpetusRX platform handle?

To place a compounded order, the platform needs the patient identity tied to the medication, the prescriber, and the directions for use — all of which is protected health information. That data is created or entered at the clinic, stored and processed by the ImpetusRX platform, and transmitted to the 503A pharmacy that fills the order. Each hop is a place where PHI must be safeguarded: access should be limited to authorized users, data should be encrypted in transit and at rest, and sharing with fulfilling pharmacies should be governed by appropriate agreements. Ironsail Pharma does not publish these specifics, so a clinic should confirm them in writing before transmitting any patient information.

Data-handling checklist

How to evaluate Ironsail Pharma patient data handling

Each row is a data-handling criterion, what is publicly known about Ironsail Pharma, and what to confirm before sending PHI.

What PHI is collected
What is publicly known Ordering requires patient identity, prescriber, and SIG; Ironsail Pharma does not publish a full data inventory.
What to verify Ask what patient fields are collected and stored and which are required to place an order.
Access controls
What is publicly known Ironsail Pharma does not publish whether patient-data access is restricted by role or organization.
What to verify Ask who can access patient data, whether access is role-based, and how it is logged.
Encryption
What is publicly known Ironsail Pharma does not publish encryption specifications; ImpetusRX marketing cites SOC 2 Type II certification.
What to verify Confirm encryption in transit and at rest, hosting location, and SOC 2 report scope.
Sharing with pharmacies
What is publicly known Orders route to 503A partners that must receive patient information to compound and ship.
What to verify Ask how PHI is transmitted to partners and whether subcontractor agreements govern that sharing.
Retention and deletion
What is publicly known Ironsail Pharma does not publish how long patient data is retained or whether it can be deleted on request.
What to verify Ask about retention periods, deletion on cancellation, and export of patient records.

Sourced from Ironsail Pharma public materials (ironsailpharma.com), reviewed June 2026. Confirm data-handling terms in writing and review with your own counsel.

Negotiate data terms per vendor, or start with scoped access built in?

Ironsail Pharma fits if

Ironsail Pharma

You will request and review data-handling documentation during onboarding.

  • You are prepared to ask how PHI is stored, transmitted, and accessed before sharing it.
  • Your compliance team reviews vendor data terms case by case.
  • Email coordination of data and privacy questions fits your process.
Consider Fizy Health if

Fizy Health

You want PHI access scoped and audited from the first order.

  • You want patient records organization-scoped so only authorized users see PHI.
  • You want patient-linked cart actions audited per line.
  • You want a BAA at onboarding rather than a separate negotiation.
FAQ

What clinics ask about Ironsail Pharma and patient data.

  • Definition

    How does Ironsail Pharma handle patient data?

    Ironsail Pharma handles protected health information because placing a compounded order requires patient identity, a prescriber, and a SIG, which flow from the clinic through the platform to the fulfilling 503A pharmacy. Ironsail Pharma positions itself as HIPAA-compliant but does not publish the specifics, so confirm storage, access, and transmission terms directly.

  • Flow

    Where does patient data go when I place an Ironsail Pharma order?

    Patient details are entered at the clinic, stored and processed by Ironsail Pharma, and transmitted to the 503A partner pharmacy that compounds and ships the order. Each step should safeguard PHI with access controls and encryption.

  • Access

    Who can see patient data on Ironsail Pharma?

    Ironsail Pharma does not publish whether access to patient data is restricted by role or organization. Ask who can access patient records, whether access is role-based, and whether that access is logged.

  • Partners

    Do the pharmacies receive patient information?

    Yes. The 503A partner pharmacies must receive patient information to compound and ship medications. Ask how PHI is transmitted to partners and whether subcontractor agreements govern that sharing.

  • Retention

    How long does Ironsail Pharma keep patient data?

    Ironsail Pharma does not publish its retention or deletion policy. Ask how long patient data is retained, whether it can be deleted on request, and whether you can export patient records if you leave.

  • Alternative

    How does Fizy Health handle patient data?

    Fizy Health keeps patient records organization-scoped so only authorized users see PHI, audits patient-linked cart actions per line, and signs a BAA at onboarding. Access controls are built into the product rather than negotiated separately.

Sources reviewed June 2026

  • Ironsail Pharma public website (ironsailpharma.com, /impetusrx, /for-providers), reviewed June 2026.
  • Data-handling and privacy terms should be confirmed in writing with Ironsail Pharma and reviewed by your own counsel.
  • Fizy Health platform capabilities reflect the live product.
Evaluate with real numbers

Keep patient data scoped from the first order.

Fizy Health organization-scopes patient records, audits actions per line, and signs a BAA at onboarding. Free to start.