💊 RxSnap — HIPAA Compliance
Last updated: April 1, 2026
✓ HIPAA-Aligned Architecture ✓ BAA Available 🔒 TLS 1.2+ Encrypted

🏥 Our Commitment to HIPAA

RxSnap is designed from the ground up with HIPAA Privacy Rule and Security Rule principles in mind. We are committed to protecting Protected Health Information (PHI) and to supporting our healthcare partners in meeting their own compliance obligations.

This page describes the technical and administrative safeguards we have implemented, our data handling practices, and how covered entities and business associates can engage with us under a Business Associate Agreement (BAA).

RxSnap is willing to enter into BAAs with covered entities and business associates. Contact hipaa@rxsnap.app to begin the process.

📋 What Data We Handle

RxSnap handles a minimal and well-defined set of health-related data. We apply data minimization principles throughout and do not collect direct patient identifiers.

  • Medicine images — uploaded by the user and processed in real time via encrypted API calls to Anthropic Claude. Images are held in memory only and are never written to disk or any permanent storage.
  • Health conditions — optionally declared by the user (e.g. high blood pressure, diabetes). Stored only in the application's local session database alongside scan history. Never linked to a real identity.
  • Medicine names and timestamps — stored in scan history to power the Medicine Cabinet, reminders, and dashboard features. No patient names, Social Security Numbers, insurance IDs, dates of birth, or other direct identifiers are ever collected.
  • API usage logs — for B2B partners, logs contain only the API key identifier, endpoint called, medicine name, and timestamp. No patient data appears in these logs.
ℹ️ RxSnap does not collect, store, or transmit patient names, SSNs, insurance IDs, dates of birth, addresses, phone numbers, or any other HIPAA-defined direct identifiers.

🔒 Technical Safeguards

We implement the following technical controls in alignment with the HIPAA Security Rule's Technical Safeguard standards (45 CFR § 164.312):

  • Encryption in Transit — All data transmitted between the client, our servers, and third-party APIs uses TLS 1.2 or higher. No plaintext HTTP connections are permitted in production.
  • In-Memory Image Processing — Medicine images are processed entirely in server memory using multer's memoryStorage. They are never written to disk, temporary files, or object storage.
  • Restricted Database Access — The SQLite database is accessible only through the application layer. No direct external connections to the database are possible.
  • API Key Controls — B2B API keys can be rotated or permanently revoked instantly via the admin dashboard. Each key carries a monthly usage cap to limit blast radius in the event of compromise.
  • Admin Authentication — The admin dashboard requires a secret key passed as a request header. Session state is not persisted to cookies or external stores.
  • Minimal Data Retention — Scan history is stored per profile only. Users can delete individual scans or entire profiles, together with all associated data, at any time from the Medicine Cabinet.

📁 Administrative Safeguards

In alignment with HIPAA Security Rule Administrative Safeguard standards (45 CFR § 164.308), we maintain the following policies:

  • Access controls — Access to the admin dashboard requires authentication via a secret key. B2B API partners receive scoped, revocable keys with no access to other partners' data.
  • Partner agreements — B2B API partners are required to agree to our data processing terms prior to receiving API credentials. A BAA is available for covered entities upon request.
  • Log retention — API usage logs are retained for a maximum of 90 days, after which they are purged. Scan history is retained indefinitely until the user deletes it.
  • Employee access — Access to production infrastructure is limited to authorized personnel only, following the principle of least privilege.
  • Security review — We conduct periodic reviews of our access controls, data flows, and third-party sub-processor agreements.

📝 Business Associate Agreements (BAA)

Under HIPAA, a Business Associate Agreement (BAA) is required when a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity. If your platform qualifies as a covered entity or works with one, we are prepared to enter into a BAA.

Request a BAA

RxSnap is willing to enter into BAAs with covered entities and business associates. Our BAA template is available upon request and covers the obligations defined in 45 CFR § 164.504(e). We typically turn around executed agreements within 5 business days.

  • Who should request a BAA — Healthcare providers, health plans, healthcare clearinghouses, and their business associates that will send patient-related medicine images or health data through RxSnap.
  • BAA contact — hipaa@rxsnap.app
  • Response time — We respond to all BAA inquiries within 2 business days.

🔗 Third-Party Sub-processors

RxSnap engages the following sub-processors in the delivery of its service. Each has been evaluated for data handling practices consistent with our HIPAA-aligned posture.

  • Anthropic Claude API — Purpose: AI medicine identification and drug information synthesis. Data involved: medicine images (in transit only; never stored by Anthropic under enterprise terms). Compliance posture: enterprise privacy terms; no training on API data.
  • OpenFDA — Purpose: FDA-verified drug label data. Data involved: medicine names only (no PHI transmitted). Compliance posture: US government public database; no data retained.
  • Railway — Purpose: application infrastructure hosting. Data involved: application code and SQLite database. Compliance posture: SOC 2 compliant infrastructure.
  • Google Fonts — Purpose: typography (Inter font). Data involved: IP address only (standard CDN request). Compliance posture: no health data involved.

👤 Patient Rights

In accordance with the HIPAA Privacy Rule's individual rights provisions, RxSnap supports the following rights for individuals whose health data is processed through our service:

  • Right to access — Users can view all their stored scan history at any time within the Medicine Cabinet tab.
  • Right to deletion — Users can delete individual scans or entire family profiles (and all associated data) at any time, directly within the app. Enterprise partners may also request bulk deletion via API or by contacting us.
  • Right to know — Users and partners may request a full description of what medicine data is stored for a given profile or API key by contacting hipaa@rxsnap.app.
  • Right to restrict processing — Users may delete their data at any time. B2B partners may disable their API key to immediately stop all data processing.
📩 To exercise any of these rights, contact us at hipaa@rxsnap.app. We respond to all individual rights requests within 5 business days.

🚨 Incident Response

In the event of a security incident involving PHI, RxSnap follows the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D):

  • Detection and containment — Potential breaches are identified, contained, and assessed as promptly as possible.
  • Notification timeline — Affected covered entities and, where required, individuals are notified within 60 days of discovery of a breach, in accordance with the Breach Notification Rule.
  • Documentation — All incidents are documented including discovery date, scope of PHI involved, corrective actions taken, and notification timeline.
  • Dedicated security contact — Report suspected security issues to security@rxsnap.app. We treat all security reports as high priority.
🔐 To report a suspected security vulnerability or data incident, email security@rxsnap.app. We acknowledge all reports within 24 hours.

✉️ Contact & BAA Requests

For all HIPAA-related inquiries, BAA requests, individual rights requests, or security concerns, use the contacts below. We are committed to responding within 2 business days.

  • HIPAA & BAA Inquiries — hipaa@rxsnap.app
  • Security Incidents — security@rxsnap.app
  • Sales & Enterprise