HIPAA Notice

Effective March 2026

RunPractice provides AI-powered marketing and practice automation services for physician-owned medical practices. This HIPAA Notice describes how we handle Protected Health Information (PHI) and maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

1. Our Role

RunPractice acts as a Business Associate for covered entities (medical practices) that engage our services. We do not operate as a covered entity ourselves. Our obligations regarding PHI are defined by the Business Associate Agreement (BAA) executed with each applicable client.

2. PHI Handling

RunPractice does not store or process Protected Health Information (PHI) on our servers directly.

All PHI handling is routed through HIPAA-compliant third-party platforms with signed Business Associate Agreements, including:

  • Jotform — patient intake forms and lead capture forms that may collect health-related information
  • ActiveCampaign — email marketing and patient communication workflows (with BAA in place)
  • Other HIPAA-compliant platforms — as needed for specific client workflows, each with signed BAAs

We evaluate every third-party vendor for HIPAA compliance before integrating it into a client's automation stack. Vendors that cannot provide a BAA are not used for workflows involving PHI.

3. What We Access

In the course of delivering our services, RunPractice team members may access:

  • Practice operational data — scheduling workflows, appointment types, pricing, staff roles
  • Lead and patient contact information — name, email, phone number (minimum necessary for marketing and communication automation)
  • De-identified performance data — appointment counts, no-show rates, conversion metrics

We do not access, store, or process clinical records, diagnoses, treatment plans, medical histories, or billing codes unless explicitly authorized by the client under a BAA.

4. Business Associate Agreements

BAAs are available to all clients on Growth and Full Stack plans.

If your practice requires a Business Associate Agreement with RunPractice, we will execute one prior to accessing any data that may constitute PHI. Our standard BAA covers:

  • Permitted uses and disclosures of PHI
  • Safeguards to prevent unauthorized use or disclosure
  • Breach notification procedures
  • Return or destruction of PHI upon contract termination
  • Individual rights regarding their PHI

Clients on the Starter plan who require a BAA should contact us to discuss options.

5. Security Measures

RunPractice implements administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements:

  • Access controls — role-based access, unique user credentials, minimum necessary access
  • Encryption — all data in transit is encrypted with TLS/SSL
  • Audit trails — logging of access to client systems and data
  • Training — all team members complete HIPAA awareness training
  • Vendor management — ongoing review of third-party platform compliance

6. Breach Notification

In the event of a breach of unsecured PHI, RunPractice will:

  • Notify the affected client within 72 hours of discovering the breach
  • Provide details of the breach including the nature of the PHI involved
  • Cooperate with the client's breach response and notification obligations
  • Take immediate steps to mitigate harm and prevent future incidents

7. Patient Rights

Patients of our client practices retain all rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. RunPractice will cooperate with client practices to fulfill patient rights requests as required by the BAA.

8. Contact

For HIPAA-related questions, BAA requests, or to report a concern:

RunPractice
Email: hello@runpractice.ai
Subject line: "HIPAA Inquiry"
Or visit our contact page.