HIPAA Compliance
Last updated: February 2026
Zerapy is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act. This page describes the safeguards we implement to protect participant health information processed through the Zerapy platform.
Our Commitment
Zerapy operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities (healthcare providers and organizations). We maintain comprehensive administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all PHI we process.
Technical Safeguards
- Encryption at Rest. All PHI is encrypted at rest using AES-256 encryption in Google Cloud Platform.
- Encryption in Transit. All data transmitted between clients and our servers is encrypted via TLS 1.2 or higher.
- Access Controls. Role-based access controls (RBAC) ensure that only authorized personnel and systems can access PHI. Multi-factor authentication is required for all administrative access.
- Audit Logging. All access to PHI is logged with immutable audit trails, including user identity, timestamp, action performed, and data accessed.
- Automatic Session Management. Sessions are automatically terminated after periods of inactivity.
- Unique User Identification. Every user is assigned a unique identifier to track activity within the system.
Administrative Safeguards
- Security Officer. Zerapy maintains a designated Security Officer responsible for the development and implementation of our security policies and procedures.
- Workforce Training. All employees with access to PHI receive HIPAA training upon hire and annually thereafter.
- Security Policies. Comprehensive information security policies govern all aspects of PHI handling, including access, storage, transmission, and disposal.
- Incident Response. We maintain a documented incident response plan for investigating and responding to potential security incidents or breaches.
- Risk Assessments. Regular risk assessments are conducted to identify and mitigate potential threats to PHI.
- Business Associate Agreements. We execute BAAs with all subcontractors and vendors that may access PHI on our behalf.
Physical Safeguards
- Cloud Infrastructure. Zerapy is hosted on Google Cloud Platform, which supports HIPAA compliance and holds enterprise-grade security certifications for its infrastructure services.
- Data Center Security. Our cloud provider maintains physical access controls, environmental controls, and surveillance at all data center facilities.
- Workstation Security. All employee workstations with access to PHI are encrypted and secured with endpoint protection.
Breach Notification
In the event of a breach of unsecured PHI, Zerapy will notify affected Covered Entities without unreasonable delay and in no case later than 60 days following discovery of the breach, in accordance with the HITECH Act breach notification requirements.
Business Associate Agreements
A Business Associate Agreement (BAA) is included with all Enterprise plans. If you require a BAA for your organization, please visit our BAA Request page or contact us directly.
Contact Us
For questions about our HIPAA compliance practices or to report a potential security concern, please contact us:
support@zerapy.ai
Zerapy
11160-C1 South Lakes Dr
Reston, VA 20191
United States