HIPAA Notice

Last updated: November 1, 2026

Reliom is designed to help healthcare practices — dental offices, medical practices, med spas, and other covered entities — communicate with patients in a manner consistent with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HITECH Act.

1. Business Associate Agreement (BAA)

When Reliom processes Protected Health Information (“PHI”) on your behalf, we act as a Business Associate. We will enter into a Business Associate Agreement with covered entities on request at no additional charge. Contact hipaa@reliom.com to request a BAA.

2. Safeguards

Reliom implements administrative, physical, and technical safeguards including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls with least-privilege permissions.
  • Comprehensive audit logging of PHI access and changes.
  • Secure infrastructure hosted with SOC 2-audited cloud providers.
  • Regular vulnerability scanning and periodic third-party security review.
  • Workforce training on HIPAA privacy and security.
  • Incident response procedures and breach notification protocols.

3. Patient Communication

Reliom lets your team communicate with patients over SMS, email, secure web chat, and social channels. Because SMS and email are not fully encrypted end-to-end at the carrier level, we recommend limiting PHI in outbound messages to what is minimally necessary (e.g., appointment date and time), and using authenticated portals or direct calls for detailed clinical information.

4. Access Controls

Administrators can configure user roles, restrict access to specific patients or teams, enforce strong passwords, require multi-factor authentication, and revoke access immediately when a workforce member departs.

5. Data Retention & Disposal

Customer PHI is retained for the duration of your subscription and any legally required period thereafter. Upon written request following termination, Reliom will return or securely destroy PHI in accordance with the BAA.

6. Breach Notification

In the unlikely event of a breach of unsecured PHI, Reliom will notify affected covered entities without unreasonable delay and in accordance with HIPAA and the BAA.

7. Subcontractors

Reliom uses vetted subcontractors (hosting, message delivery, monitoring) that agree to BAA obligations where they may access PHI.

8. Customer Responsibilities

  • Executing a BAA before sending PHI through the Services.
  • Configuring users, roles, and permissions appropriately.
  • Obtaining patient consent to communicate over the channels you use.
  • Following your practice's own HIPAA policies and workforce training.

9. Disclaimer

This Notice is informational and does not constitute legal advice. HIPAA compliance is a shared responsibility between Reliom and the covered entity. Consult qualified counsel for advice specific to your practice.

10. Contact

For BAAs, security questions, or breach reports, email hipaa@reliom.com.