HIPAA Readiness
This page explains how customers can use Pivot in a HIPAA‑eligible manner.
It is an informational overview, not a certification of HIPAA compliance and not
legal advice.
Overview
Pivot supports HIPAA‑eligible use cases when customers sign a Business Associate
Agreement (BAA) with Pivot and configure the product appropriately. Customers
remain responsible for their own HIPAA compliance, including workforce training
and adhering to the “minimum necessary” standard.
When a BAA Applies
If you are a Covered Entity or Business Associate using Pivot to create,
receive, maintain, or transmit Protected Health Information (PHI), Pivot acts as
your Business Associate. You must have a signed BAA with Pivot before storing or
processing PHI in the Services.
Requirements for HIPAA‑Eligible Use
To use Pivot with PHI, customers should:
- Execute a BAA with Pivot.
- Enable HIPAA‑eligible configurations (SSO/SAML where available, MFA for
admins, role‑based access, retention controls).
- Limit PHI to covered areas and supported integrations.
- Apply administrative controls: train workforce, enforce least‑privilege
access, monitor audit logs.
Boundaries: Where PHI Should Not Reside
Customers must not transmit PHI via:
- Standard email support channels (unless Pivot designates a secure PHI
channel).
- Public community forums, feedback portals, or social media.
- Third‑party integrations or exports that are not covered by a BAA with the
customer and/or Pivot.
Pivot will publish and maintain a list of HIPAA‑eligible product areas and
supported integrations. For clarification, contact [email protected].
Security Practices (Summary)
Pivot maintains administrative, physical, and technical safeguards designed to
meet the HIPAA Security Rule, including:
- Encryption: TLS 1.2+ in transit; AES‑256 (or equivalent) at rest.
- Access control: Role‑based access, least privilege, MFA for admin and
production access, SSO/SAML where available.
- Auditability: Administrative and security‑relevant events are logged and
monitored.
- Vulnerability & incident management: Secure SDLC, dependency scanning,
remediation SLAs, documented incident response.
- Backups & resiliency: Encrypted backups, disaster recovery with defined
RTO/RPO.
Subcontractors (Sub‑processors)
Pivot engages vetted Subcontractors to help deliver the Services. Where those
Subcontractors handle PHI on Pivot’s behalf, Pivot executes BAAs (or equivalent)
with them. The current list of Sub‑processors is available here.
Data Rights & Controls
Customers control access, retention, deletion, and export of PHI stored in
Pivot.
- See Data Deletion & Retention Policy for timelines.
- See Acceptable Use Policy for permitted use guidelines.