Trust & Compliance

HIPAA Compliance

How OneForth handles Protected Health Information.

Last updated: May 9, 2026

Our Commitment

OneForth treats every piece of patient information that flows through our system as Protected Health Information (PHI) under HIPAA — regardless of whether each specific data point would technically qualify. This is non-negotiable. It is the foundation of our relationship with patients, our strategic media partners, and the wound care providers we serve.

Our Practices

Business Associate Agreements

We maintain BAAs with our strategic media partners and with every wound care provider we serve. Before any PHI is exchanged, paperwork is signed. No exceptions, no shortcuts.

What We Collect

Only the minimum necessary information to coordinate care: patient name, contact information, condition (chronic wound), insurance details, and explicit consent to be introduced to a provider. Nothing more.

How We Protect It

Encrypted data in transit and at rest. Role-based access controls limiting who on our team can view patient records. Audit logs of all PHI access. Regular security training for everyone who touches patient data.

Patient Consent

Every patient affirmatively consents before their information is shared with a provider. Consent is documented, narrowly scoped, and can be withdrawn at any time without affecting their access to other care.

Breach Notification

In the unlikely event of a breach, we notify affected parties within 60 days as required by the HIPAA Breach Notification Rule. We also notify the Department of Health and Human Services and, where required, the media.

Subcontractors

Any subcontractor with PHI access signs a downstream BAA before they touch a single record. We vet vendors against the same standards we hold ourselves to. No exceptions.

Patient Rights

Patients have the right to access, amend, or restrict use of their information. We handle requests within 30 days, and there is no charge for the first request in any 12-month period.

Contact Our Privacy Officer

HIPAA-related questions, access requests, or concerns can be directed to privacy@oneforth.com. Our Privacy Officer reviews every inbound message personally.

Have a HIPAA question before your call?

We'll cover it on the call. No legal jargon, no hand-waving — just a clear explanation of how PHI moves through our system and where your responsibilities begin and end.

Book a Discovery Call