HIPAA Compliance

PharmPro operates as a Business Associate under HIPAA. This page describes our compliance posture, ePHI touchpoints, safeguards, subprocessors, breach-notification procedures, and how to request a Business Associate Agreement.

Last updated April 9, 2026

Our HIPAA status

Brechin Advisors LLC d/b/a PharmPro.ai may operate as a Business Associate under HIPAA when processing protected health information on behalf of healthcare facility customers and other regulated healthcare organizations.

This page summarizes PharmPro’s healthcare-data posture. It is informational only and is not a substitute for a Business Associate Agreement, commercial agreement, or legal advice. Customers must execute the appropriate healthcare-data agreement with PharmPro before submitting protected health information to the platform.

ePHI touchpoints

PharmPro includes multiple workflows that may create, receive, maintain, transmit, or display electronic protected health information. The principal workflows include:

  • Incident report forms containing patient or resident names, chart numbers, dates of birth, diagnoses, comorbidities, and narrative descriptions of events.
  • The Lauren AI assistant, which may process incident narratives, statements of fact, investigation findings, uploaded documents, and related context to provide drafting and analysis assistance.
  • PDF incident reports and QAPI summary exports generated for authorized users.
  • File attachments uploaded to incident records, which may contain clinical documentation.
  • Email notifications, which are designed to contain secure portal links only — incident details are not included in email content.
  • Designated email-ingestion workflows and any enabled voice-intake workflow, including transcripts, extracted fields, and recording references where applicable.
  • Audit logs that record user actions on incident records, including the actor, action, and affected record identifiers.

Safeguards

PharmPro maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. Key controls include:

  • Role-based access control with six granular roles (viewer, reporter, editor, supervisor, admin, super admin) enforced at both the application and database layers.
  • Facility-level data isolation enforced by PostgreSQL Row-Level Security policies, ensuring users can only access data from facilities they are assigned to.
  • Encryption in transit and platform-level encryption for core storage systems.
  • Passwordless authentication via magic link, together with session-management controls including a fifteen-minute inactivity timeout in the application.
  • Immutable, insert-only audit log that records all incident activity including user identity, action, timestamp, IP address, and user agent.
  • Attachment quarantine system that holds uploaded files in a pending-review state before they can be accessed by other users.
  • Email notifications designed to contain secure portal links only, with no incident details, patient names, or clinical information in email content.
  • AI interaction audit logging that records all Lauren assistant usage for traceability.
  • Monitoring and redaction controls designed to reduce unnecessary transmission of sensitive content to telemetry services.
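The two database-layer controls above (facility isolation through PostgreSQL Row-Level Security, and an insert-only audit log) are the kind of thing an auditor will ask to see in the schema rather than in prose. The following is an added illustration of how those controls are typically expressed in PostgreSQL; it is not PharmPro's own schema or code. The table names, the `facility_membership` table, the `current_user_facilities()` helper, the `auth.uid()` call and the `authenticated` role are assumptions chosen to resemble a Supabase-style deployment, and would differ in a real system.

```sql
-- Added illustration, not PharmPro's schema.
-- Assumes: auth.uid() returns the calling user's id (Supabase convention) and
-- an "authenticated" role exists for signed-in users. Both are assumptions.

create table facility_membership (
  user_id     uuid not null,
  facility_id uuid not null,
  primary key (user_id, facility_id)
);

create table incident (
  id          uuid primary key default gen_random_uuid(),
  facility_id uuid not null,
  created_by  uuid not null,
  narrative   text not null
);

-- Hypothetical helper: the set of facilities the calling user is assigned to.
-- SECURITY DEFINER lets it read the membership table even if that table is
-- itself locked down; STABLE lets the planner evaluate it once per statement.
create or replace function current_user_facilities()
returns setof uuid
language sql
stable
security definer
as $$
  select facility_id from facility_membership
  where user_id = auth.uid();
$$;

-- Facility-level isolation: rows are only visible, insertable or updatable
-- when their facility_id is one the caller belongs to. FORCE applies the
-- policy to the table owner as well, so application roles get no bypass.
alter table incident enable row level security;
alter table incident force row level security;

create policy incident_facility_isolation on incident
  for all
  using      (facility_id in (select current_user_facilities()))
  with check (facility_id in (select current_user_facilities()));

-- Insert-only audit log: the application role may write and read entries,
-- but holds no UPDATE or DELETE privilege on the table.
create table incident_audit (
  id          bigint generated always as identity primary key,
  incident_id uuid not null,
  actor_id    uuid not null,
  action      text not null,
  occurred_at timestamptz not null default now(),
  ip_address  inet,
  user_agent  text
);

revoke all on incident_audit from public;
grant select, insert on incident_audit to authenticated;

-- Second layer: reject UPDATE/DELETE even for roles that do hold the
-- privilege, so a misconfigured grant cannot silently make the log mutable.
create or replace function reject_audit_mutation()
returns trigger
language plpgsql
as $$
begin
  raise exception 'incident_audit is append-only';
end;
$$;

create trigger incident_audit_immutable
  before update or delete on incident_audit
  for each row execute function reject_audit_mutation();
```

When reviewing a deployment like this, the checks worth running are: that RLS is both enabled and forced on every table holding ePHI (`select relname, relrowsecurity, relforcerowsecurity from pg_class`), that the policy's `with check` clause exists so a user cannot insert a record into a facility they cannot read, and that the audit table has no role with `UPDATE` or `DELETE` in `information_schema.role_table_grants`.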

Subprocessors

PharmPro uses service providers that may process regulated data in connection with the Service. Current core providers include:

  • Supabase — Database hosting, authentication, and encrypted file storage.
  • Vercel — Application hosting, server-side compute, and edge delivery.
  • Azure AI Foundry-hosted Anthropic Claude models — AI processing infrastructure for Lauren and related AI-assisted workflows.
  • Resend — Transactional email delivery.
  • Sentry — Error monitoring, performance telemetry, and masked replay capabilities.
  • PostHog — Product analytics and usage measurement.
  • Bland AI — Voice-intake workflow provider, if voice intake is enabled.
  • Stripe — Payment processing and subscription management.

Customer responsibilities

  • Execute a Business Associate Agreement with PharmPro before submitting any PHI to the platform.
  • Submit only data your organization is authorized to process through PharmPro.
  • Configure users, roles, and facility access assignments in accordance with your minimum-necessary and workforce-access policies.
  • Complete HIPAA workforce training for all users who will access PharmPro.
  • Review AI-generated outputs, risk analyses, and exported materials before use, sharing, filing, or reliance.
  • Maintain your own breach-notification and incident-response procedures. PharmPro will notify you of security incidents as required by the BAA, but your organization retains responsibility for downstream notifications to individuals and regulators.
  • Do not submit PHI through the public marketing website, demo-request forms, or any channel not designated for protected health information.

Breach notification

PharmPro maintains breach-notification and incident-response procedures intended to align with applicable healthcare-data obligations, including HIPAA and HITECH where those frameworks apply. In the event of a confirmed breach of unsecured protected health information, PharmPro will notify the affected customer organization as required by the applicable BAA and law.

Our breach-response process includes initial detection and assessment, containment, risk-of-harm analysis using the four-factor test specified in 45 CFR 164.402, notification to affected customers, and documentation of the incident and response.

Data retention and destruction

ePHI and related records are retained for a minimum of six years from the date of creation or last modification, consistent with HIPAA record-retention requirements under 45 CFR 164.530(j).

Upon termination of the customer relationship, PharmPro will return or destroy ePHI as specified in the BAA, subject to legally required retention periods. Audit logs subject to regulatory retention requirements are maintained for the minimum required period and are not subject to early deletion.

Customers may request data export during the term of the agreement and for a reasonable period following termination.

Requesting a BAA

To request a Business Associate Agreement or discuss HIPAA-related contracting, contact us at privacy@pharmpro.ai.

Security questions or vulnerability reports can be sent to security@pharmpro.ai.

General inquiries: support@pharmpro.ai