HIPAA Compliance

Last updated: March 5, 2026

1. Overview

BarMake is committed to supporting healthcare organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). This page describes the administrative, physical, and technical safeguards we implement to protect Protected Health Information (PHI).

2. Business Associate Agreement (BAA)

BarMake Enterprise customers who process PHI through our platform can request a signed Business Associate Agreement. To request a BAA, contact us at support@barmake.app.

3. Data Encryption

  • In Transit: All data is encrypted using TLS 1.2+ (HTTPS) for every API call and web page.
  • At Rest: Database records are stored on encrypted volumes. TOTP secrets are encrypted with AES-256-GCM, and backup codes are stored only as bcrypt hashes.
  • IP Hashing: IP addresses are hashed with HMAC-SHA256 and never stored in plain text.
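As an added illustration of the IP hashing described above (example code, not BarMake's own implementation), the Python below applies keyed HMAC-SHA256 to client addresses using a constructed key and constructed sample addresses; it also shows why an unkeyed hash would not protect a small input space such as IPv4.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed key for this example; a real deployment loads it from a secret
# manager and never writes it to logs or source control.
IP_HASH_KEY = bytes.fromhex("0f" * 32)


def normalize_ip(ip: str) -> bytes:
    """Canonical text form, so "2001:DB8::1" and "2001:db8:0:0::1" hash alike."""
    return ipaddress.ip_address(ip).compressed.encode()


def hash_ip(ip: str, key: bytes = IP_HASH_KEY) -> str:
    """Keyed hash of a client address: stable per address, so repeat traffic
    from one source can still be correlated, but unrecoverable without the key."""
    return hmac.new(key, normalize_ip(ip), hashlib.sha256).hexdigest()


def ip_matches(ip: str, stored_hash: str, key: bytes = IP_HASH_KEY) -> bool:
    """Compare a live request against a logged digest in constant time."""
    return hmac.compare_digest(hash_ip(ip, key), stored_hash)


def unkeyed_hash_ip(ip: str) -> str:
    """The weak alternative (plain SHA-256), kept only to show the risk."""
    return hashlib.sha256(normalize_ip(ip)).hexdigest()


def recover_from_unkeyed(digest: str, network: str) -> Optional[str]:
    """Why the key matters: an unkeyed digest of an address in a known /24 is
    matched after at most 256 guesses; the whole IPv4 space is only 2**32."""
    for candidate in ipaddress.ip_network(network):
        if unkeyed_hash_ip(str(candidate)) == digest:
            return str(candidate)
    return None


if __name__ == "__main__":
    digest = hash_ip("192.0.2.10")  # constructed sample address
    print("keyed digest:", digest)
    print("same address matches:", ip_matches("192.0.2.10", digest))
    print("recovered from unkeyed:",
          recover_from_unkeyed(unkeyed_hash_ip("192.0.2.10"), "192.0.2.0/24"))
    print("recovered from keyed:", recover_from_unkeyed(digest, "192.0.2.0/24"))
```

Rotating the key changes every digest, so correlation across a rotation boundary is lost; keep that in mind when choosing a rotation schedule for abuse detection.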

4. Access Controls

  • Firebase Authentication with support for email/password, Google SSO, and TOTP-based multi-factor authentication (MFA).
  • Role-based access control (RBAC) with owner, admin, and member roles for team workspaces.
  • Per-resource ownership verification on all API endpoints.
  • API key authentication with scoped permissions for programmatic access.

5. Audit Logging

BarMake maintains comprehensive audit logs for all data access and modifications. Audit records include the user identity, timestamp, action performed, and affected resources. Logs are retained for a minimum of 6 years per HIPAA requirements.

6. PHI Handling Guidelines

  • Do not encode PHI directly in QR code content. Use dynamic QR codes that link to authenticated, access-controlled systems.
  • Enable MFA for all user accounts that interact with PHI-related QR codes.
  • Use team workspaces with appropriate RBAC to limit access to authorized personnel.
  • Set QR code expiration dates to minimize exposure windows.

7. Incident Response

In the event of a data breach involving PHI, BarMake will notify affected covered entities within 24 hours of discovery, provide detailed breach reports, and cooperate fully with breach notification requirements under the HIPAA Breach Notification Rule (45 CFR Parts 160 and 164).

8. Contact

For HIPAA-related inquiries, BAA requests, or to report a security concern, contact our compliance team at support@barmake.app.