Innovate healthcare, not compliance.
Collect Protected Health Information (PHI) from users and partners with our HIPAA-compliant infrastructure.
Talk to an expert
Develop with flexibility
Optimize your experience, partnerships, and product flow with the dev stack of your choice while satisfying the requirements for storing and accessing PHI.
Accelerate your launch
Skip the hassle of building your own HIPAA expertise. Launch with best practices and a fully compliant PHI data store in minutes, not months.
Experiment responsibly
Explore new use cases with confidence. Use centralized privacy controls to tailor access and permissions to PHI.
“Basis Theory provided clear and efficient APIs that allowed us to implement our PII data management with speed and simplicity.”
Ernel Murati
Software Engineer @ Parafin
“We looked at a few vendors for securing our customers' PII. Basis Theory's developer-centric approach stood out. The docs were clean and comprehensive, and the Basis Theory team was super responsive, making our integration a breeze.”
Bryce Lohr
Software Engineer @ Modern Life
“As a startup, we wanted to move quickly, but as a fintech we needed to securely store critical data. Basis Theory let us get up and running in a compliant way in just a few hours.”
Sri Oddiraju
CEO @ Fletch
The best HIPAA-compliant environment you'll never build
Use flexible tools and services to unlock new products, partnerships, and services without exposing your system to PHI data.
Collect
Use flexible web and mobile form components and customizable API endpoints to collect PHI data on your terms.
Store
Secure PHI data in a safe and independently certified HIPAA-compliant environment.
Share
Send PHI data to partners using whatever method they require. Display the data back to users without it touching your systems.
Frequently Asked Questions
What is HIPAA?
The United States’ Health Insurance Portability and Accountability Act (HIPAA) is one of many global laws meant to protect the privacy and security of people's personal health information. The law applies to certain organizations and individuals, known as "covered entities," who handle protected health information (PHI).
HIPAA requires these covered entities to implement safeguards to protect the confidentiality, integrity, and availability of PHI, as well as ensure that only authorized individuals have access to it. HIPAA also gives individuals the right to access, correct, and request restrictions on using their personal health information.
What is considered Protected Health Information?
Protected Health Information (PHI) is data created, received, used, or disclosed by a covered entity or its business associates in the course of providing healthcare services, payment for healthcare services, or healthcare operations.
PHI can come in through any medium, including electronic, paper, or oral, and it can be held in any type of media, such as on a computer, in a medical record, or on a telephone answering machine.
Examples of PHI include:
Patients' names
Addresses
Phone numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance policy numbers
Diagnosis and treatment information
Lab test results
Prescription information
What are covered entities and business associates?
A covered entity is a healthcare provider, healthcare clearinghouse, or health plan required to comply with the HIPAA rules. Business associates that provide services to covered entities must also comply with HIPAA regulations if they create, receive, maintain, or transmit PHI on behalf of a covered entity. Business associates include third-party billing companies, medical transcription companies, and cloud storage providers.
Some examples of covered entities and business associates include:
Hospitals
Physicians' offices
Prescription delivery services
SaaS platforms for dentists
Health insurance marketplaces
Billing companies
Cloud storage providers
Covered entities and business associates must implement appropriate safeguards to protect the confidentiality, integrity, and availability of PHI, and to ensure that only authorized individuals have access to it.
How does Basis Theory help me achieve HIPAA compliance?
Basis Theory provides the technical safeguards and access controls needed to protect, enforce, and restrict access to PHI. Organizations that use our infrastructure not only remove PHI from their system but also eliminate the complexities, costs, and distractions that come with building and maintaining their own HIPAA-compliant environment.
Securing PHI isn't enough, however. Organizations must still collect, share, process, and govern that data to meet business requirements. To help, Basis Theory's suite of services lets you interact with PHI as if it were plaintext: collect, search, share, and analyze PHI without bringing your own systems into compliance scope.
How does HIPAA overlap with privacy laws, like GDPR?
HIPAA and the General Data Protection Regulation (GDPR) apply to different types of personal information, and each has its own scope and requirements.
HIPAA applies specifically to Protected Health Information (PHI), which is defined as any individually identifiable health information that is created, received, used, or disclosed by a covered entity or its business associates in the course of providing healthcare services, payment for healthcare services, or healthcare operations. HIPAA requires these covered entities to implement safeguards to protect the confidentiality, integrity, and availability of PHI, and to ensure that only authorized individuals have access to it.
The General Data Protection Regulation (GDPR) applies to the personal data of EU citizens, as well as to controllers and processors in the European Union (EU) who handle it. Personal data is any information relating to an identified or identifiable natural person. Although GDPR does not set out specific data protection requirements the way HIPAA does, it does require organizations to take appropriate technical and organizational measures to protect individuals' rights and freedoms in relation to the processing of their personal data.
Safely accept, collect, manage, and share card data.
Jump out to an early lead. Explore, iterate, and scale regulated products faster than the competition.