HIPAA Notice & Disclaimer
Effective date: April 19, 2026
Read this before entering any PHI
Labs & Health is workflow software. We are not a covered entity under HIPAA. If you process Protected Health Information (PHI) using this platform, you are the covered entity or business associate and are responsible for HIPAA compliance at your operational level.
1. Who we are under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) defines “covered entities” (health plans, health care clearinghouses, and most health care providers) and “business associates” (vendors that handle PHI on behalf of a covered entity). Labs & Health sells general workflow software and directly serves end users; we are not a covered entity.
If you are a covered entity (for example, a clinical laboratory or phlebotomy practice) and you use our platform to create, receive, maintain, or transmit PHI, we may function as your business associate — but only where a signed Business Associate Agreement (BAA) is in place between you and Labs & Health.
2. Your responsibilities
Compliance with HIPAA at the operational level is your responsibility as the covered entity or business associate. This includes, among other things:
- Conducting and documenting your own HIPAA Security Risk Assessment;
- Implementing administrative, physical, and technical safeguards appropriate to your operations;
- Training your workforce on HIPAA Privacy and Security Rules;
- Ensuring you have a signed BAA in place with every business associate that handles PHI on your behalf (including us, if applicable);
- Providing patient notices and honoring patient rights under the Privacy Rule;
- Reporting any breach of unsecured PHI as required by the HIPAA Breach Notification Rule.
3. Business Associate Agreements (BAAs)
We offer Business Associate Agreements on our paid plans. If your organization is a covered entity or business associate, you should sign a BAA with us before entering any PHI into the platform. To request a BAA, contact support@labsandhealth.com.
Without a signed BAA, you should not enter PHI into the Service.
4. Platform safeguards
Technical controls we provide
- Encryption in transit — TLS 1.2+ on all connections to the platform.
- Encryption at rest — database storage and backups encrypted by our infrastructure providers.
- Isolated data per organization — row-level security (RLS) in Postgres scopes records to the organization that created them.
- Role-based access control — you define which team members can see or modify records.
- Audit logs (Pro plan) — trace key record access and modification events.
- Authentication — credential-based and provider-based sign-in backed by industry-standard session handling.
- Subprocessor due diligence — our infrastructure providers (see our Privacy Policy) are contractually bound to appropriate security standards.
These safeguards support HIPAA compliance but do not by themselves make your use of the Service HIPAA-compliant. Operational safeguards, workforce training, and written policies remain your responsibility.
5. What not to do
- Do not send PHI to our support email unless we have confirmed a secure channel.
- Do not share account credentials across individuals; provision each workforce member an individual user account.
- Do not enter PHI into free-form fields that do not logically call for it (for example, organization name or public notes).
- Do not enter PHI into the platform if a BAA is required by your compliance posture and has not yet been signed.
6. Contact
For BAA requests or HIPAA-related questions, email support@labsandhealth.com.
This notice is informational only and is not legal advice. HIPAA compliance is fact-specific. Consult qualified legal counsel and your compliance officer to determine the requirements applicable to your organization.