This document is a template and should be reviewed by legal counsel before relying on it.
HIPAA Notice of Privacy Practices
Last updated: July 6, 2026
Sapyyn is designed to support healthcare providers and practices in managing patient referrals that involve protected health information (PHI). This notice describes Sapyyn's role under HIPAA, the safeguards in place, and how PHI is handled within the platform.
1. Our Role as a Business Associate
When a healthcare provider or practice (a "Covered Entity") uses Sapyyn to manage patient referrals, Sapyyn generally acts as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA). We create, receive, maintain, and transmit PHI on behalf of Covered Entities solely to provide the referral management service, and we handle that PHI in accordance with HIPAA's Privacy, Security, and Breach Notification Rules and the terms of the applicable Business Associate Agreement (BAA).
2. Business Associate Agreements
Covered Entities are required to execute a BAA with Sapyyn before submitting PHI through the platform. The BAA sets out the permitted uses and disclosures of PHI, required safeguards, and each party's obligations regarding breach notification, subcontractors, and termination. A BAA is available upon request; please contact your Sapyyn administrator or account representative to obtain one before using the platform for PHI.
3. How PHI Is Handled in Referrals
Referral records may include patient identifiers, clinical reason for referral, treatment notes, insurance details, and supporting documents. Access to this information is limited to the referring provider, the receiving provider, and authorized administrators with a legitimate need to complete the referral. Outbound notifications (such as email or SMS alerts) are designed to be minimum-necessary and avoid including sensitive clinical detail; they typically direct the recipient back into the secure platform to view full referral information rather than transmitting PHI directly in the message body.
Access Controls
Access to referrals and PHI is scoped by authenticated identity and role. Users see only the referrals they own, referrals assigned to them as the exact receiving provider, or referrals they are authorized to administer. Role-based permissions govern what each account type (patient, provider, practice admin, system admin) may view or modify.
Audit Logging
Sapyyn maintains audit logs that record referral creation, status changes, document uploads, and access to sensitive records. These logs support accountability, incident investigation, and compliance review, and are retained in accordance with our data retention practices.
Encryption and Technical Safeguards
Data is encrypted in transit using TLS/HTTPS and encrypted at rest on our hosting infrastructure. Production deployments require secure session cookies, a properly configured secret key, protected file storage for uploaded documents, and regular backups.
Minimum Necessary
We apply a minimum-necessary approach to PHI: features are designed to display and transmit only the information required to complete a given workflow, and external notifications are limited to avoid unnecessary exposure of clinical detail.
Breach Notification
If we discover a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and in accordance with the timelines and requirements of the HIPAA Breach Notification Rule and the applicable BAA, so that Covered Entities can meet their own notification obligations to patients and regulators.
Subcontractors
Where Sapyyn engages subcontractors that may handle PHI (such as hosting or messaging providers), we require those subcontractors to agree to protections at least as restrictive as those imposed on Sapyyn under our BAAs with Covered Entities.
4. Shared Responsibility
HIPAA compliance is a shared responsibility. Sapyyn provides the technical safeguards, access controls, and audit capabilities described above, but Covered Entities and their workforce remain responsible for their own policies, workforce training, device security, and appropriate use of the platform. Legal compliance depends on the combination of Sapyyn's safeguards, a signed BAA, and each organization's own HIPAA compliance program.
5. Contact Us
To request a BAA, report a suspected security incident, or ask questions about how PHI is handled in Sapyyn, contact your Sapyyn administrator or reach out through the contact information provided on our Contact page.