NudgeWell AI-Powered
Pricing Enterprise Get Started

HIPAA Compliance Disclosure

Last Updated: June 26, 2026

1. Introduction & Scope

NudgeWell is committed to maintaining the privacy and security of protected health information (PHI) for our enterprise customers who operate in healthcare-adjacent environments. This HIPAA Compliance Disclosure describes our framework for handling PHI, our security safeguards, and how we support our customers' compliance obligations.

Who this applies to: This disclosure is relevant to healthcare organizations, health plans, healthcare clearinghouses, healthcare providers, and any employer who offers group health coverage subject to HIPAA and who uses NudgeWell's enterprise tier services.

Standard SMB tier: At the SMB tier (50–500 employees), NudgeWell does not collect, process, or store PHI. Our standard offering operates with benefits plan data only — no medical records, diagnoses, or individually identifiable health information. Enterprise customers requiring PHI handling can request a Business Associate Agreement (BAA) as described below.

2. What is PHI and EPHI?

PHI (Protected Health Information) includes any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form (electronic, paper, oral).

PHI includes, but is not limited to:

  • Patient names, addresses, phone numbers, email addresses
  • Social Security numbers, medical record numbers, health plan beneficiary numbers
  • Biometric identifiers, including photos or images
  • Diagnosis codes, procedure codes, treatment information
  • Any health information that could identify an individual in connection with healthcare services

EPHI (Electronic Protected Health Information) is PHI that is transmitted by or maintained in electronic media. NudgeWell's systems that handle EPHI (for customers with a signed BAA) are subject to the HIPAA Security Rule's requirements for administrative, physical, and technical safeguards.

3. How We Handle PHI

For enterprise customers who execute a Business Associate Agreement, NudgeWell may receive, process, and transmit the following categories of PHI in connection with benefits engagement services:

PHI Category How We Use It
Health plan enrollment and eligibility data To personalize benefits nudges, remind employees of available coverage, and track engagement with benefits programs
Claims data (anonymized or de-identified) To identify gaps in preventive care, generate ROI analytics, and recommend appropriate benefits utilization
Provider information (NPI numbers, specialties) To match employees with appropriate in-network providers and support the Benefits Coach provider finder
Utilization data (FSA/HSA balances, visit frequency) To generate personalized nudges encouraging appropriate benefits usage and financial wellness

We do not store: Full medical records, diagnosis histories, prescription data, or detailed treatment plans. PHI received from enterprise customers is used solely for the purposes of delivering the NudgeWell engagement service and is not retained beyond the contract term.

4. Business Associate Agreement (BAA) Overview

Under HIPAA, a Business Associate Agreement (BAA) is required when a covered entity discloses PHI to a third-party vendor who performs functions or activities on behalf of the covered entity that involve the use or disclosure of PHI.

NudgeWell offers BAAs to enterprise customers who require PHI handling as part of their benefits engagement program. Our BAA includes:

  • Defined scope: The BAA specifies exactly what PHI NudgeWell receives, how it is used, and the duration of the relationship
  • Permitted uses: NudgeWell uses PHI only for the specific purposes defined in the agreement — delivering benefits engagement services to your workforce
  • Subcontractor requirements: Any NudgeWell subcontractor with access to PHI is bound by equivalent protections in a written subcontract
  • Minimum necessary standard: We access only the minimum PHI necessary to perform our services
  • Termination obligations: Upon contract termination, we return or destroy all PHI within 90 days, with certified destruction of electronic PHI

Request a Business Associate Agreement

To initiate a BAA for your organization or learn more about our enterprise HIPAA compliance program, contact our team.

Request a BAA

5. Security Safeguards

NudgeWell implements administrative, physical, and technical safeguards appropriate to the sensitivity of EPHI in our systems.

Administrative Safeguards

  • Designated privacy and security officers: Named individuals responsible for HIPAA compliance program oversight
  • Workforce training: All employees with access to EPHI complete HIPAA awareness training upon hire and annually
  • Risk assessments: We conduct periodic risk assessments of EPHI handling processes and systems
  • Access management: Role-based access controls limit EPHI access to personnel with a documented need
  • Incident response: Documented procedures for identifying, responding to, and mitigating HIPAA security incidents

Physical Safeguards

  • Data center security: EPHI is hosted in SOC 2 Type II compliant data centers with 24/7 physical security
  • Workstation controls: Company-issued devices running encrypted storage and MDM (Mobile Device Management) software
  • Facility access: Physical access to systems hosting EPHI is restricted to authorized personnel via badge access and visitor logging

Technical Safeguards

  • Encryption in transit: All EPHI transmitted to or from NudgeWell systems is encrypted using TLS 1.2 or higher
  • Encryption at rest: EPHI stored in our database is encrypted using AES-256-GCM
  • Access logging: All access to EPHI systems is logged with user identity, timestamp, and action performed
  • Audit trails: We maintain audit trails for a minimum of 6 years as required by HIPAA
  • Automatic logoff: Systems housing EPHI implement automatic session timeout after period of inactivity
  • Unique user IDs: Each employee with EPHI access has a unique user identifier; shared accounts are prohibited

6. Breach Notification

NudgeWell maintains a breach notification procedure that satisfies the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Our timeline:

  • Discovery to notification: We will notify the affected covered entity within 72 hours of discovering a breach of unsecured PHI
  • Investigation: We conduct a risk assessment to determine whether the breach requires individual notification (threshold: reasonable probability that PHI was compromised)
  • Individual notification: If required, we work with the covered entity to notify affected individuals within 60 days of breach discovery
  • Media notification: For breaches affecting 500 or more individuals in a state or jurisdiction, we assist the covered entity with notifying prominent media outlets within 60 days
  • HHS notification: Breaches affecting 500 or more individuals are reported to the Department of Health and Human Services (HHS) Secretary within 60 days

Breaches affecting fewer than 500 individuals are reported to HHS annually within 60 days of the end of the calendar year in which the breach occurred.

7. Individual Rights

NudgeWell supports the rights of individuals (employees/patients) to access, amend, and request an accounting of their PHI, as required by the HIPAA Privacy Rule (45 CFR § 164.524).

We facilitate these rights in coordination with the covered entity (your organization) who is the primary holder of the PHI and the designated authority for responding to individual access requests:

  • Right of access: Individuals have the right to access their PHI. We redirect requests to the covered entity's designated privacy officer.
  • Right to amend: If an individual believes their PHI is inaccurate, we assist the covered entity in processing amendment requests.
  • Right to an accounting of disclosures: We maintain disclosure logs sufficient to provide an accounting of PHI disclosures for at least 6 years.
  • Right to restrict: We honor any restrictions on PHI use or disclosure agreed upon between the individual and the covered entity.
  • Right to confidentiality: Individuals have the right to request that PHI be sent to a different address or via alternative communication channels; we support these requests as directed by the covered entity.

8. Business Associate Obligations

As a business associate, NudgeWell agrees to the following obligations under HIPAA:

  • Not use or disclose PHI except as permitted by the BAA and the Privacy Rule
  • Safeguard PHI from inappropriate use or disclosure
  • Report breaches of unsecured PHI to the covered entity
  • Ensure subcontractors agree to the same restrictions and conditions
  • Make PHI available for access and amendment
  • Account for disclosures upon request
  • Make internal practices, books, and records available to HHS for compliance audits
  • Return or destroy PHI at the end of the service relationship

Our BAA incorporates these obligations by reference and includes the minimum necessary standard, workforce sanctions, and amendment provisions required by 45 CFR Parts 160 and 164.

9. Enforcement & Penalties

HIPAA is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Civil penalties for HIPAA violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per violation category per year. Criminal penalties (for knowing or willful violations) can result in fines up to $250,000 per violation and imprisonment up to 10 years.

NudgeWell takes compliance seriously. We maintain a compliance program designed to prevent violations and detect issues early through regular internal audits and risk assessments. Our most recent HIPAA compliance review was conducted in Q1 2026.

10. Contact Information & BAA Requests

For questions about this disclosure, to request a Business Associate Agreement, or to report a potential HIPAA concern:

NudgeWell Compliance Team
Email: hipaa@nudgewell.com
Enterprise inquiries: enterprise@nudgewell.com

If you believe your organization has experienced a HIPAA breach involving NudgeWell systems, please notify us immediately at hipaa@nudgewell.com so we can assist with your breach response process.

See also: Privacy Policy · Terms of Service

© 2026 NudgeWell — AI Benefits Engagement for HR Teams

Pricing · Privacy Policy · HIPAA · Terms of Service ·

Built by Polsia