HIPAA Compliance

How PillCoach protects patient health information

PillCoach is a comprehensive, all-in-one pharmacy platform built from the ground up to meet the security and privacy requirements of HIPAA (the Health Insurance Portability and Accountability Act of 1996), the HITECH Act, and the Omnibus Rule. Our platform handles a broad range of Protected Health Information (PHI) across medication adherence management, MTM workflows, clinical monitoring, patient communications, telehealth, and financial performance tracking. As a Business Associate to pharmacies and health plans, we take our responsibility to protect PHI seriously. This page outlines the administrative, technical, and physical safeguards we have in place.

Our Role as a Business Associate

PillCoach operates as a Business Associate under HIPAA. When pharmacies and health plans use our platform, we may receive, process, and store PHI across a wide range of clinical and operational workflows. This includes PDC adherence data across all major measures plus HIV and SUPD, MTM encounter data from CMRs, MedRecs, and MedGuide distribution, clinical monitoring results for blood pressure, blood glucose, pulse oximetry, weight, A1C, and cholesterol labs, vaccine administration records, secure patient communications via text, fax, and telehealth, appointment scheduling data, prescription reimbursement and financial performance data, and integration data from pharmacy management systems including PioneerRx, Liberty, and PrimeRx. We execute Business Associate Agreements (BAAs) with every covered entity client before any PHI is transmitted to our platform. Our BAAs clearly define permitted uses and disclosures of PHI, breach notification obligations and timelines, subcontractor requirements, and data return and destruction procedures upon termination.

Administrative Safeguards

Designated Privacy and Security Officers oversee all HIPAA compliance activities. All employees and contractors undergo HIPAA training upon hire and receive annual refresher training. We maintain comprehensive written policies and procedures covering data access, incident response, breach notification, and workforce sanctions. Risk assessments are conducted annually and whenever material changes are made to our systems or processes. We maintain a formal incident response plan with defined escalation paths and notification timelines that meet or exceed the 60-day HIPAA breach notification requirement.

Technical Safeguards

PillCoach implements robust technical controls to protect electronic protected health information (ePHI) throughout our platform. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. Our infrastructure is hosted on Microsoft Azure, which maintains its own HIPAA compliance certifications and BAA with PillCoach. Access to ePHI is governed by role-based access controls (RBAC) with the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access and strongly encouraged for all users. Unique user IDs ensure individual accountability, and access rights are reviewed quarterly and revoked immediately upon role change or termination.

Comprehensive audit logging tracks all access to ePHI, including user identity, timestamp, action performed, and data accessed. Logs are retained in tamper-evident storage and reviewed regularly for anomalous activity. Automated session timeouts terminate inactive sessions to prevent unauthorized access. Our platform undergoes regular vulnerability assessments and penetration testing by qualified third-party security firms. Critical patches are applied within 24 hours of release, and all code changes follow secure development lifecycle practices with peer review requirements.

Physical Safeguards

PillCoach's infrastructure is hosted in Microsoft Azure data centers that maintain SOC 2 Type II certification, ISO 27001 compliance, and HIPAA attestation. These facilities employ 24/7 security personnel, biometric access controls, video surveillance, and environmental protections including fire suppression and redundant power systems. PillCoach employees work in secure environments with encrypted workstations, automatic screen locks, and full-disk encryption. Remote work policies require use of company-managed devices with endpoint detection and response (EDR) solutions. Physical media containing ePHI is securely destroyed using NIST SP 800-88 compliant methods when decommissioned.

Breach Notification

In the event of a breach of unsecured PHI, PillCoach follows a formal incident response and breach notification process. We will notify affected covered entities without unreasonable delay and no later than 30 days after discovery of a breach, well within the HIPAA-mandated 60-day window. Our breach notification includes identification of the nature and scope of the breach, the types of PHI involved, steps individuals should take to protect themselves, a description of our investigation and mitigation efforts, and contact information for follow-up inquiries. We cooperate fully with covered entities in fulfilling their notification obligations to affected individuals, the Department of Health and Human Services (HHS), and media outlets where required by law.

Subcontractor Management

PillCoach requires all subcontractors and third-party service providers who may access, process, or store ePHI to execute Business Associate Agreements before receiving any protected data. We conduct security assessments of subcontractors prior to engagement and periodically thereafter. Subcontractors are contractually obligated to implement safeguards at least as stringent as those maintained by PillCoach and must report any security incidents promptly. Our vendor management program includes ongoing monitoring of subcontractor compliance status and security posture.

Patient Rights

PillCoach supports covered entities in fulfilling their obligations regarding patient rights under HIPAA. While patients interact primarily with their pharmacy or health plan (the covered entity), our platform is designed to facilitate compliance with the right to access PHI, the right to request amendments, the right to an accounting of disclosures, and the right to request restrictions on certain uses or disclosures. Our systems maintain detailed audit trails that enable covered entities to respond to patient requests accurately and within required timeframes. We cooperate promptly with covered entities to fulfill any patient rights requests that involve data stored or processed on our platform.

Ongoing Compliance & Monitoring

HIPAA compliance is not a one-time event. PillCoach maintains a continuous compliance program that includes annual risk assessments aligned with NIST Cybersecurity Framework guidelines, regular internal audits of policies, procedures, and technical controls, continuous monitoring of system access and security events through our SIEM platform, periodic third-party penetration testing and vulnerability assessments, ongoing workforce training with documented completion records, and regular review and updates of all policies to reflect changes in regulations, technology, and business operations. We stay current with HHS guidance, OCR enforcement actions, and evolving healthcare cybersecurity threats to ensure our safeguards remain effective and compliant.

Contact Us

If you have questions about PillCoach's HIPAA compliance program, need to report a potential security concern, or wish to request a copy of our Business Associate Agreement, please contact us at info@pillcoach.co. We are committed to transparency and will respond to compliance-related inquiries promptly.

2026 HIPAA Security Rule Updates

PillCoach proactively aligns with the 2026 HIPAA Security Rule updates, which represent the most significant changes to HIPAA security requirements since the original rule. Key changes we have adopted include mandatory encryption for all ePHI at rest (AES-256) and in transit (TLS 1.3), eliminating the previous distinction between "required" and "addressable" specifications. Multi-factor authentication is now required for all interactive workforce access to ePHI, with phishing-resistant methods such as FIDO2-compliant security keys and biometric verification as our standard. All security controls are now treated as required implementation specifications, with documented exceptions requiring compensating controls and risk-based justification. We maintain immutable audit logs as primary evidence of compliance, consistent with the updated HHS enforcement framework. Network segmentation is implemented to contain potential cyberattacks and limit lateral movement within our infrastructure. These updates reflect our commitment to exceeding minimum compliance thresholds and maintaining security practices aligned with the evolving threat landscape facing healthcare technology platforms.

Risk Analysis and Management

PillCoach conducts comprehensive risk analyses aligned with the NIST Cybersecurity Framework and HIPAA Security Rule requirements. Our risk management program includes annual enterprise-wide risk assessments covering all systems that create, receive, maintain, or transmit ePHI. Threat identification and vulnerability assessments are performed using industry-standard methodologies. Each identified risk is evaluated based on likelihood and potential impact, with documented mitigation plans and residual risk acceptance decisions. Risk assessments are also triggered by material changes to our systems, infrastructure, or business operations, as well as in response to significant security incidents. Risk register findings are reviewed quarterly by our Security team and reported to executive leadership. Our risk management process is documented and auditable, meeting the 2026 requirement for risk analyses to serve as primary evidence during OCR investigations.

Contingency Planning and Disaster Recovery

PillCoach maintains a comprehensive contingency plan to ensure the availability and integrity of ePHI in the event of an emergency or system failure. Our disaster recovery program includes automated daily backups of all ePHI with encrypted offsite replication across geographically separated Azure regions; a documented disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) appropriate for healthcare operations; regular disaster recovery testing, including annual full recovery simulations and quarterly backup restoration verification; an emergency mode operations plan that enables critical platform functions to continue during infrastructure failures; a business impact analysis, updated annually, to identify critical systems and prioritize recovery efforts; and an incident response team with defined roles, communication protocols, and escalation procedures available around the clock.

Workforce Sanctions and Accountability

PillCoach maintains a formal sanctions policy for workforce members who violate HIPAA policies or procedures. All employees and contractors acknowledge their HIPAA obligations in writing upon onboarding. Violations are investigated promptly by our Privacy and Security Officers, with sanctions ranging from additional training and formal written warnings to suspension of access privileges and termination of employment or contract, depending on the severity and nature of the violation. Intentional or repeated violations, unauthorized access to ePHI, or failure to report known security incidents are treated as serious offenses subject to immediate termination and potential referral to law enforcement. Sanctions are documented and retained as part of our compliance records. This accountability framework ensures that every individual with access to ePHI understands the consequences of non-compliance and reinforces a culture of security across our organization.

Regulatory Change Management

The healthcare regulatory landscape evolves continuously. PillCoach maintains a dedicated regulatory change management process to ensure our compliance posture adapts accordingly. We actively monitor HHS and OCR rulemaking, enforcement actions, and guidance publications. We track state-level health data privacy laws that may impose additional requirements on our operations or our clients. Policy and procedure updates are implemented within defined timelines following regulatory changes, with affected workforce members receiving updated training. We engage qualified external counsel and compliance consultants to validate our interpretation of new requirements. Our clients are notified of material regulatory changes that may affect their use of the Services or their own compliance obligations. This page is reviewed and updated at least annually, or more frequently as regulatory changes warrant.