Innovate healthcare, not compliance.

Collect Protected Health Information (PHI) from users and partners with our HIPAA-compliant infrastructure.

PHI data protection
Develop with flexibility

Optimize your experience, partnerships, and product flow with the dev stack of your choice while satisfying the requirements for storing and accessing PHI.

Accelerate your launch

Skip the hassle of building your own HIPAA expertise. Launch with best practices and a fully compliant PHI data store in minutes, not months.

Experiment responsibly

Explore new use cases with confidence. Use centralized privacy controls to tailor access and permissions to PHI.

Basis Theory provided clear and efficient APIs that allowed us to implement our PII data management with speed and simplicity.

Ernel Murati

Software Engineer @ Parafin

We looked at a few vendors for securing our customers' PII. Basis Theory's developer-centric approach stood out. The docs were clean and comprehensive, and the Basis Theory team was super responsive, making our integration a breeze.

Bryce Lohr

Software Engineer @ Modern Life

As a startup, we wanted to move quickly, but as a fintech we needed to securely store critical data. Basis Theory let us get up and running in a compliant way in just a few hours.

Sri Oddiraju

CEO @ Fletch

The best HIPAA-compliant environment you'll never build

Use flexible tools and services to unlock new products, partnerships, and services without exposing your system to PHI data.

Basis Theory data flow diagram
Collect

Use flexible web and mobile form components and customizable API endpoints to collect PHI data on your terms.

Store

Secure PHI data in a safe and independently certified HIPAA-compliant environment.

Share

Send PHI data to partners using whatever method they require. Display the data back to users without it touching your systems.

Frequently Asked Questions

What is HIPAA?

The United States’ Health Insurance Portability and Accountability Act (HIPAA) is one of many global laws meant to protect the privacy and security of people's personal health information. The law applies to certain organizations and individuals, known as "covered entities," who handle protected health information (PHI).

HIPAA requires these covered entities to implement safeguards to protect the confidentiality, integrity, and availability of PHI, as well as ensure that only authorized individuals have access to it. HIPAA also gives individuals the right to access, correct, and request restrictions on using their personal health information.

What is considered Protected Health Information?

Protected Health Information (PHI) is data created, received, used, or disclosed by a covered entity or its business associates in the course of providing healthcare services, payment for healthcare services, or healthcare operations.

PHI can be created or received in any form, including electronic, paper, or oral, and it can be held on any type of media, such as a computer, a paper medical record, or a telephone answering machine.

Examples of PHI include:

  • Patients' names

  • Addresses

  • Phone numbers

  • Email addresses

  • Social Security numbers

  • Medical record numbers

  • Health insurance policy numbers

  • Diagnosis and treatment information

  • Lab test results

  • Prescription information

What are covered entities and business associates?

A covered entity is a healthcare provider, healthcare clearinghouse, or health plan required to comply with the HIPAA rules. Business associates that provide services to covered entities must also comply with HIPAA regulations, if they create, receive, maintain, or transmit PHI on behalf of a covered entity. Business associates include third-party billing companies, medical transcription companies, and cloud storage providers.

Some examples of covered entities and business associates include:

  • Hospitals

  • Physicians' offices

  • Prescription delivery services

  • SaaS platforms for dentists

  • Health insurance marketplaces

  • Billing companies

  • Cloud storage providers

Covered entities and business associates must implement appropriate safeguards to protect the confidentiality, integrity, and availability of PHI, and to ensure that only authorized individuals have access to it.

How does Basis Theory help me achieve HIPAA compliance?

Basis Theory provides the technical safeguards and access controls needed to protect, enforce, and restrict access to PHI. Organizations that use our infrastructure not only remove PHI from their own systems but also eliminate the complexities, costs, and distractions that come with building and maintaining their own HIPAA-compliant environment.

Securing PHI isn't enough, however. Organizations must still collect, share, process, and govern that data to meet business requirements. To help, Basis Theory's suite of services lets you interact with PHI as if it were plaintext: collect, search, share, and analyze PHI without bringing your own systems into compliance scope.

How does HIPAA overlap with privacy laws, like GDPR?

HIPAA and the General Data Protection Regulation (GDPR) apply to different types of personal information. Each has different scope and requirements.

HIPAA applies specifically to Protected Health Information (PHI), which is defined as any individually identifiable health information that is created, received, used, or disclosed by a covered entity or its business associates in the course of providing healthcare services, payment for healthcare services, or healthcare operations. HIPAA requires these covered entities and business associates to implement safeguards to protect the confidentiality, integrity, and availability of PHI, and to ensure that only authorized individuals have access to it.

The General Data Protection Regulation (GDPR) applies to the personal data of individuals in the European Union (EU), as well as to the controllers and processors who handle it. Personal data is any information relating to an identified or identifiable natural person. Although GDPR does not prescribe specific technical safeguards the way HIPAA's Security Rule does, it does require organizations to take appropriate technical and organizational measures to protect individuals' rights and freedoms in relation to the processing of their personal data.

Safely accept, collect, manage, and share card data.

Jump out to an early lead. Explore, iterate, and scale regulated products faster than the competition.
