Fizy Health HIPAA

HIPAA-aligned pharmacy ops — not generic SaaS defaults

Fizy Health is built HIPAA-aligned for covered entities that use the platform to order compounded medications. Clinics sign a Business Associate Agreement before production PHI is stored. The platform implements minimum-necessary access, tenant isolation, audit trails on patient-linked cart and order activity, encrypted transport, and engineering standards that keep PHI out of routine logs — mapped to expectations in the HIPAA Security Rule.

Searching "Fizy Health HIPAA" or "HIPAA compliant Fizy Health" should land on specifics: BAA timing, audit behavior, and where the canonical Security documentation lives.

BAA at onboarding · Security Rule alignment · Audit controls · Tenant-scoped access · PHI-safe logging · Breach commitments in contract

HIPAA posture

How Fizy Health maps to HIPAA expectations

HIPAA compliance is a shared responsibility between covered clinics and their business associates. Fizy Health documents platform-side safeguards on the Security page and in the BAA so clinic compliance leads can place ordering workflows on infrastructure designed for PHI — not retrofit it later.

  • BAA

    Business Associate Agreement before production PHI

    Every clinic organization executes a BAA during onboarding before live patient records are stored in production. The agreement covers permitted uses, safeguards, subprocessors, and breach-notification commitments aligned to HIPAA expectations for business associates.

  • Access

    Minimum necessary by organization and clinic

    Postgres row-level security and role-based access scope patient, cart, and order data to assigned clinics. Prescriber workflows carry NPI, DEA, and role gates where required. Staff cannot browse unrelated tenant data even within a multi-location group.

  • Audit

    Access review support on patient-linked activity

    Cart reads and mutations that include patient identifiers write audit records with actor, organization, patient, and action. Domain-level PHI access records support HIPAA access review. Audit details use identifiers — not prescription contents or demographics.

  • Safeguards

    Technical controls beyond checkbox marketing

    TLS in transit, encrypted storage for designated high-sensitivity fields, rate limits on auth and webhook surfaces, and webhook signature verification before side effects. Operational policies align to SOC 2 Type II control frameworks — described as implemented controls, not as certification claims.

HIPAA diligence starts on the Security page and continues in your BAA

HIPAA-aligned platform · BAA before go-live · Per-line PHI audit · Row-level isolation · No PHI in routine logs · NDA security docs on request

Is Fizy Health HIPAA alignment right for your clinic?

Built for you if

You are a covered entity ordering medications tied to patient records.

  • Your compliance lead needs a BAA and documented safeguards before production ordering volume.
  • You must explain who accessed patient-linked orders during an access review or patient inquiry.
  • You want pharmacy ops software that treats PHI handling as a design requirement, not an add-on.

May not be ideal if

Your HIPAA needs fall outside B2B clinic ordering on Fizy Health.

  • You only need marketing-site analytics with no PHI — the BAA applies when production patient data is stored.
  • You require a specific third-party HITRUST or SOC 2 Type II report today — request documentation under NDA.
  • You are a patient seeking direct access — direct PHI requests generally flow through your clinic as covered entity.

FAQ

HIPAA questions clinics ask about Fizy Health.

  • Status

    Is Fizy Health HIPAA compliant?

    Fizy Health is built as a HIPAA-aligned platform for covered entities. Clinics sign a BAA before production PHI is stored. Patient-linked cart and order actions are audited, access is scoped by organization and clinic, and engineering standards prohibit PHI in routine logs. See the Security page for control detail.

  • BAA

    When does Fizy Health sign a BAA?

    The Business Associate Agreement is executed during onboarding before your organization stores live patient data in production. Multi-location groups operate under one org with clinic-scoped staff access.

  • Audit

    What HIPAA audit controls does Fizy Health provide?

    Patient-linked reads and writes in cart, checkout, and order flows record actor, organization, patient, and action. That supports HIPAA Security Rule access review expectations without exposing chart contents in logs.

  • Patients

    Can patients request HIPAA access through Fizy Health?

    Patients should generally direct PHI access, correction, or deletion requests through their clinic as the covered entity. Fizy Health assists clinic customers per the BAA when requests involve platform-held records.

  • Subprocessors

    Who are Fizy Health subprocessors?

    Subprocessors include infrastructure, payment, and fulfillment partners needed to operate the platform. The BAA and Privacy Policy describe sharing limited to operating the service, complying with law, or at your direction — such as routing orders to pharmacy partners.

Place HIPAA-aligned ordering on your formulary.

Review the Security page, sign your BAA during onboarding, and run daily pharmacy ops on infrastructure built for covered entities.