Legal

Privacy Policy

Medrelay is built for regulated healthcare environments. This policy explains what we collect, why we collect it, and the controls available to your organization.

Policy Dates

Effective Date: May 6, 2026

Last Updated: May 6, 2026

1. Introduction

Medrelay ("we," "our," or "the Platform") is committed to protecting the privacy and security of healthcare data. This Privacy Policy describes how we collect, use, disclose, and safeguard information in compliance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA). Medrelay provides secure communication and workflow solutions for healthcare organizations.

2. HIPAA role and applicability

Medrelay acts as a Business Associate when providing services to healthcare providers, payers, and other Covered Entities as defined under HIPAA. We enter into Business Associate Agreements (BAAs) with our customers where required and handle Protected Health Information (PHI) in accordance with HIPAA requirements.

3. Information we collect

3.1 Protected Health Information (PHI)

  • Communication metadata (for example, timestamps and call routing data)
  • Limited patient-related operational data necessary for care coordination

Medrelay is designed to minimize PHI exposure and does not intentionally store full clinical records unless explicitly required by the customer's configuration.

3.2 Non-PHI information

  • User account information (name, email, role)
  • Device and log information
  • Usage analytics (non-identifiable)

4. Permitted uses and disclosures of PHI

We use and disclose PHI strictly as permitted under HIPAA and our agreements with Covered Entities, including:

  • Treatment: facilitating communication between care teams
  • Payment: supporting billing-related workflows (if applicable)
  • Healthcare Operations: system administration and quality improvement

We do not use PHI for marketing or unauthorized purposes.

5. Minimum necessary standard

Medrelay follows the HIPAA Minimum Necessary Rule, ensuring that only the least amount of PHI required to perform a function is accessed, used, or disclosed.

6. Data security safeguards

We implement administrative, technical, and physical safeguards in accordance with HIPAA Security Rule requirements.

6.1 Administrative safeguards

  • Workforce training on data protection
  • Risk assessments and security reviews
  • Role-based access policies

6.2 Technical safeguards

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (for example, AES-256)
  • Unique user authentication and access controls
  • Audit logging and monitoring

6.3 Physical safeguards

  • Secure cloud infrastructure (for example, access-controlled data centers)
  • Vendor security compliance requirements

7. Data retention and disposal

We retain data only as long as necessary to fulfill contractual and legal obligations.

  • Communication logs and metadata: retained per customer agreement or regulatory requirements
  • Secure deletion is performed using industry-standard methods

8. Breach notification

In the event of a breach involving PHI:

  • We will notify affected Covered Entities without unreasonable delay and no later than 60 days from discovery
  • We will provide details required under HIPAA, including the nature of the breach and mitigation steps
  • We will cooperate fully with customers in regulatory reporting obligations

9. Patient rights (handled via Covered Entities)

As a Business Associate, Medrelay supports Covered Entities in fulfilling patient rights under HIPAA, including:

  • Right to access PHI
  • Right to request amendment
  • Right to request restrictions
  • Right to an accounting of disclosures

Patients should contact their healthcare provider directly to exercise these rights.

10. Third-party service providers

We may engage trusted third-party vendors (subprocessors) to support our services, including cloud hosting providers and communication infrastructure providers.

All vendors are contractually required to maintain confidentiality, implement appropriate safeguards, and comply with HIPAA where applicable.

11. International data transfers

If data is processed outside the United States, we ensure appropriate safeguards are in place consistent with applicable laws and HIPAA requirements.

12. Changes to this policy

We may update this Privacy Policy periodically. Updates will be posted on our website with a revised effective date.

13. Contact information

For privacy-related inquiries or concerns, please contact:

Privacy Officer
Medrelay
Email: [Insert Email]
Address: [Insert Address]

14. Compliance statement

Medrelay is committed to maintaining compliance with:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule
  • HITECH Act (where applicable)