HIPAA & Medical Disclaimer

Last updated: May 18, 2026

MedPass is a software service that helps patients carry their health profile and helps clinics check patients in. It is not a healthcare provider and does not deliver medical care. This page explains our role under HIPAA and the limits of the service.

In an emergency, call your local emergency number (911 in the U.S.) or go to the nearest emergency room. Do not use MedPass to request urgent care.

Not medical advice

Information available through MedPass — including profile fields, summaries, and any content shown by the service — is for informational purposes only. It is not medical advice, diagnosis, or treatment, and it is not a substitute for the judgment of a qualified clinician. Always consult your healthcare provider with questions about a medical condition, medication, or treatment.

MedPass does not endorse any specific test, provider, product, procedure, opinion, or other information that may be mentioned through the service.

HIPAA role and Business Associate Agreement

For clinic customers in the United States that qualify as covered entities under HIPAA, MedPass acts as a business associate with respect to Protected Health Information (PHI) processed on the clinic's behalf. MedPass will sign a Business Associate Agreement (BAA) with eligible clinics on paid plans. Until a BAA is executed, clinics should not upload PHI to MedPass.

Patients using MedPass directly are not covered entities, and the data they choose to enter about themselves is generally not regulated as PHI in their hands — but MedPass still treats it as sensitive personal data and protects it accordingly. See our Privacy Policy for details.

Safeguards

  • Encryption in transit (TLS) and at rest.
  • Row-level security so a clinic can only see the patients who have shared their profile with it.
  • Role-based access controls for patients, clinic staff, and admins.
  • Audit logging of administrative actions.
  • Periodic review of access, dependencies, and configuration.

No system is perfectly secure. MedPass does not guarantee that the service will be uninterrupted, error-free, or invulnerable to unauthorized access.

Patient responsibilities

  • Only share your handoff code with clinics you trust and intend to share your profile with.
  • Keep your account credentials private; revoke clinic access from settings when needed.
  • Review your profile for accuracy — clinicians will rely on what you provide.

Clinic responsibilities

  • Execute a BAA with MedPass before uploading PHI, where required.
  • Access patient data only for legitimate care and administrative purposes.
  • Manage staff access promptly — revoke roles when staff leave or change duties.
  • Comply with HIPAA, state privacy laws, and any other rules that apply to your practice.

Outside the U.S.

HIPAA is a U.S. law. Clinics and patients outside the United States are responsible for compliance with their local healthcare and privacy regulations (for example, GDPR in the EU, PIPEDA in Canada, or the UK Data Protection Act). MedPass's safeguards are designed to support these regimes but do not, by themselves, constitute compliance.

Reporting a concern

If you believe your data has been accessed improperly, or you have a security or privacy concern, contact us immediately at info@medpass.app.