1. Our commitment
Allmire is built for businesses that handle Protected Health Information (PHI), including pharmacies, delivery couriers, and other healthcare-adjacent operations. We treat HIPAA compliance as a baseline expectation — not a feature you have to pay extra for.
2. What HIPAA is
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards for protecting sensitive patient health information. It includes the Privacy Rule, Security Rule, and Breach Notification Rule, among others. Allmire acts as a Business Associate to its covered-entity customers under HIPAA.
3. Business Associate Agreement (BAA)
Allmire executes a Business Associate Agreement with every customer that processes PHI through our platform. The BAA sets the contractual obligations and safeguards required for the lawful handling of PHI. Contact compliance@allmire.com to request a BAA.
4. PHI handling
- PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access to PHI is gated by role-based access controls (RBAC) and just-in-time elevation.
- Every PHI access, modification, and transmission is logged with a tamper-evident audit trail.
- PHI is segregated from non-PHI workloads and never used for marketing.
5. Safeguards
Administrative
- Documented security and privacy policies, reviewed annually
- Workforce training on HIPAA, secure development, and incident response
- Background checks for personnel with access to production
Physical
- Data centers with SOC 2 / ISO 27001 certified physical security
- Restricted access to production hardware and media handling
Technical
- Encryption in transit and at rest, MFA on privileged accounts
- Network segmentation, intrusion detection, and continuous vulnerability scanning
- Automated patch management and immutable infrastructure where possible
6. Breach notification
In the unlikely event of a breach involving PHI, Allmire will notify affected customers in accordance with HIPAA's Breach Notification Rule and the terms of the applicable BAA. We maintain a 24/7 security incident response capability.
7. Audit & accountability
Allmire performs regular internal audits and engages independent third parties to assess our controls. Customers can request a copy of our most recent compliance report, under NDA, by emailing compliance@allmire.com.
8. Shared responsibility
HIPAA compliance is a shared responsibility. Allmire provides a compliant platform; customers are responsible for configuring user access, training their workforce, and ensuring their use of the platform aligns with their own HIPAA obligations.
9. Contact us
Compliance questions or BAA requests: compliance@allmire.com.