NudgeWell is committed to maintaining the privacy and security of protected health information (PHI) for our enterprise customers who operate in healthcare-adjacent environments. This HIPAA Compliance Disclosure describes our framework for handling PHI, our security safeguards, and how we support our customers' compliance obligations.
Who this applies to: This disclosure is relevant to healthcare organizations, health plans, healthcare clearinghouses, healthcare providers, and any employer who offers group health coverage subject to HIPAA and who uses NudgeWell's enterprise tier services.
Standard SMB tier: At the SMB tier (50–500 employees), NudgeWell does not collect, process, or store PHI. Our standard offering operates with benefits plan data only — no medical records, diagnoses, or individually identifiable health information. Enterprise customers requiring PHI handling can request a Business Associate Agreement (BAA) as described below.
PHI (Protected Health Information) includes any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form (electronic, paper, oral).
PHI includes, but is not limited to:
EPHI (Electronic Protected Health Information) is PHI that is transmitted by or maintained in electronic media. NudgeWell's systems that handle EPHI (for customers with a signed BAA) are subject to the HIPAA Security Rule's requirements for administrative, physical, and technical safeguards.
For enterprise customers who execute a Business Associate Agreement, NudgeWell may receive, process, and transmit the following categories of PHI in connection with benefits engagement services:
| PHI Category | How We Use It |
|---|---|
| Health plan enrollment and eligibility data | To personalize benefits nudges, remind employees of available coverage, and track engagement with benefits programs |
| Claims data (anonymized or de-identified) | To identify gaps in preventive care, generate ROI analytics, and recommend appropriate benefits utilization |
| Provider information (NPI numbers, specialties) | To match employees with appropriate in-network providers and support the Benefits Coach provider finder |
| Utilization data (FSA/HSA balances, visit frequency) | To generate personalized nudges encouraging appropriate benefits usage and financial wellness |
We do not store: Full medical records, diagnosis histories, prescription data, or detailed treatment plans. PHI received from enterprise customers is used solely for the purposes of delivering the NudgeWell engagement service and is not retained beyond the contract term.
Under HIPAA, a Business Associate Agreement (BAA) is required when a covered entity discloses PHI to a third-party vendor who performs functions or activities on behalf of the covered entity that involve the use or disclosure of PHI.
NudgeWell offers BAAs to enterprise customers who require PHI handling as part of their benefits engagement program. Our BAA includes:
To initiate a BAA for your organization or learn more about our enterprise HIPAA compliance program, contact our team.
Request a BAANudgeWell implements administrative, physical, and technical safeguards appropriate to the sensitivity of EPHI in our systems.
NudgeWell maintains a breach notification procedure that satisfies the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
Our timeline:
Breaches affecting fewer than 500 individuals are reported to HHS annually within 60 days of the end of the calendar year in which the breach occurred.
NudgeWell supports the rights of individuals (employees/patients) to access, amend, and request an accounting of their PHI, as required by the HIPAA Privacy Rule (45 CFR § 164.524).
We facilitate these rights in coordination with the covered entity (your organization) who is the primary holder of the PHI and the designated authority for responding to individual access requests:
As a business associate, NudgeWell agrees to the following obligations under HIPAA:
Our BAA incorporates these obligations by reference and includes the minimum necessary standard, workforce sanctions, and amendment provisions required by 45 CFR Parts 160 and 164.
HIPAA is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Civil penalties for HIPAA violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per violation category per year. Criminal penalties (for knowing or willful violations) can result in fines up to $250,000 per violation and imprisonment up to 10 years.
NudgeWell takes compliance seriously. We maintain a compliance program designed to prevent violations and detect issues early through regular internal audits and risk assessments. Our most recent HIPAA compliance review was conducted in Q1 2026.
For questions about this disclosure, to request a Business Associate Agreement, or to report a potential HIPAA concern:
NudgeWell Compliance Team
Email: hipaa@nudgewell.com
Enterprise inquiries: enterprise@nudgewell.com
If you believe your organization has experienced a HIPAA breach involving NudgeWell systems, please notify us immediately at hipaa@nudgewell.com so we can assist with your breach response process.
See also: Privacy Policy · Terms of Service