For healthcare practices, protecting patient information is both a legal obligation and a matter of trust. This page explains, in plain terms, how HIPAA relates to Geckonaut and how Business Associate Agreements are handled for healthcare clients.
A fuller, plain-English explanation of Geckonaut's security approach is available on the Security & Compliance page.
HIPAA — the Health Insurance Portability and Accountability Act — sets U.S. national standards for protecting patient health information. Its Privacy Rule governs how protected health information may be used and disclosed, and its Security Rule sets standards for safeguarding that information in electronic form.
Under HIPAA, a healthcare practice is a "covered entity," and a vendor that handles patient data on the practice's behalf is a "business associate." A Business Associate Agreement is the contract that formally extends HIPAA obligations to that vendor.
Geckonaut is built on infrastructure that supports an optional, account-wide HIPAA compliance package. This package is not active by default — it is enabled for healthcare clients who require it.
When enabled, the package brings the controls a healthcare practice needs, including encryption of electronic protected health information, account-wide audit logging, and enforced multi-factor authentication.
To be reviewed: A compliance attorney should confirm this description against the current capabilities of the underlying platform at the time of publication, and update it if Geckonaut's HIPAA posture changes.
When the HIPAA compliance package is enabled for a healthcare client, a Business Associate Agreement is part of that process. It is set up with the client during onboarding, before patient data is involved.
To be completed: The actual Business Associate Agreement — or a link to it — and any explanation of its terms must be drafted and reviewed by a qualified healthcare-compliance attorney. Until that is in place, no BAA terms should be published or implied here. Geckonaut should not represent that a BAA is in effect for any client until one has been properly executed.
For healthcare practices, HIPAA requirements are reviewed with the practice during onboarding. The appropriate compliance package and agreements are put in place before any patient data is handled.
To be reviewed: A compliance attorney should confirm the accuracy of the onboarding process described here once the HIPAA package and BAA process are finalized.
Healthcare practices with questions about HIPAA, Business Associate Agreements, or how Geckonaut would handle their requirements are welcome to reach out before getting started.
To be completed: A contact method for compliance inquiries — a dedicated email or mailing address. Until one is added here, the contact page can be used to reach Geckonaut.