ClariMed

Security & Compliance

Last Updated: October 18, 2025

Business Associate Agreement (BAA)

ClariMed offers a HIPAA-compliant Business Associate Agreement (BAA) to all healthcare organizations using our platform. Our BAA ensures that we meet all requirements under the Health Insurance Portability and Accountability Act (HIPAA) when handling Protected Health Information (PHI).

How to request a BAA:

  • Email us at contact@getclarimed.com
  • Include your organization name and contact information
  • We'll send you a signed BAA within 2 business days

HIPAA Compliance

ClariMed is committed to full HIPAA compliance and implements comprehensive safeguards to protect PHI:

Administrative Safeguards

  • HIPAA training for all staff
  • Risk assessments and audits
  • Security incident procedures
  • Access controls and authentication

Technical Safeguards

  • End-to-end encryption (TLS 1.3)
  • Encrypted data at rest (AES-256)
  • Multi-factor authentication (MFA)
  • Automatic session timeouts

Physical Safeguards

  • SOC 2 Type II certified data centers
  • ISO 27001 certified infrastructure
  • 24/7 physical security monitoring
  • Disaster recovery procedures

Privacy Safeguards

  • Minimum necessary access principle
  • Audit logging of all PHI access
  • De-identification procedures
  • Data retention policies

Data Security Measures

We implement industry-leading security practices to protect your data:

Infrastructure Security

  • Supabase Cloud (EU Region): All data is stored in Frankfurt, Germany, in compliance with GDPR
  • Vercel Edge Network: Application hosted on Vercel with automatic DDoS protection
  • Row Level Security (RLS): Database-level access control ensuring users only see their own data
  • Regular Backups: Automated daily backups with 30-day retention and point-in-time recovery

Application Security

  • Authentication: JWT-based authentication with secure session management
  • Authorization: Role-based access control (RBAC) with least privilege principle
  • Input Validation: Zod schema validation on all user inputs to prevent injection attacks
  • API Security: Type-safe tRPC API with rate limiting and request validation
  • Security Headers: CSP, HSTS, X-Frame-Options, and other security headers configured

Protected Health Information (PHI) Handling

ClariMed is designed to minimize PHI collection and implements strict controls for any PHI processed:

✓ What ClariMed Does NOT Collect:

ClariMed does not require or store patient names, medical record numbers, social security numbers, or direct patient identifiers. Our platform focuses on providing clinical decision support without needing access to individual patient data.

ℹ What ClariMed May Process:

Physician queries may contain de-identified clinical scenarios (e.g., "62-year-old with hypertension"). All queries are encrypted, logged only for quality improvement, and never shared with third parties.

⚠ Important for Users:

Do not enter patient-identifying information in queries. Use de-identified clinical scenarios only (e.g., age, gender, conditions) without names, MRNs, or other direct identifiers.

Breach Notification Procedures

In the unlikely event of a security incident affecting PHI:

  1. policies.breach.step1
  2. policies.breach.step2
  3. policies.breach.step3
  4. policies.breach.step4
  5. policies.breach.step5

Email: contact@getclarimed.com
Phone: +49 (0)176 23947268

Subcontractors & Third-Party Services

ClariMed carefully vets all subcontractors handling PHI. All have signed BAAs and maintain HIPAA compliance:

  Service      Provider   Status
  Database     Supabase   ✓ BAA Signed
  Hosting      Vercel     ✓ BAA Signed
  AI/ML        OpenAI     ✓ BAA Signed
  Monitoring   Sentry     Not Required

Contact Us

For questions about our security practices, HIPAA compliance, or to request a BAA:

Compliance Officer

Email: contact@getclarimed.com
Phone: +49 (0)176 23947268

Security Team

Email: contact@getclarimed.com
Phone: +49 (0)176 23947268
