HIPAA Compliance
Last Updated: April 2026
Our Commitment
Orbiit Services Inc. builds technology for healthcare. Our product platforms are designed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. Compliance is the architecture, not an add-on.
This page describes our company-level HIPAA posture. This website (orbiitservices.com) is an informational site and does not collect, store, or transmit Protected Health Information (PHI). The compliance practices described below apply to our product platforms, including Recovery Ecosystem.
Compliance Program
Our HIPAA compliance program covers:
- Administrative Safeguards: Policies for security management, workforce training, and incident response.
- Physical Safeguards: SOC 2 Type II certified data centers with endpoint security controls.
- Technical Safeguards: Encryption at rest and in transit, role-based access control (RBAC), audit logging, and secure authentication.
- Organizational Requirements: Business Associate Agreements (BAAs) with all third-party service providers that handle PHI.
How We Protect Health Information
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (database-level encryption).
- Access Controls: Role-based access following the minimum-necessary principle.
- Audit Logging: Comprehensive logs of all access to PHI.
- Secure Authentication: Staff use SSO with MFA. Patients receive secure magic links that expire after use.
Patient Rights Under HIPAA
Users of our product platforms have the following rights:
- Right to Access: Request and receive a copy of your health information.
- Right to Amend: Request corrections to your health information.
- Right to an Accounting: Request a list of certain disclosures of your health information.
- Right to Request Restrictions: Request limits on the use or disclosure of your health information.
- Right to Confidential Communications: Request that we communicate with you in specific ways.
- Right to a Paper Copy: Request a paper copy of any privacy notice.
Business Associate Agreements
All third-party service providers that process PHI on our behalf have executed Business Associate Agreements. Our primary infrastructure partner is Microsoft Azure (cloud hosting and database). SMS communications via Twilio do not transmit PHI; sensitive health information is accessed only through secure authenticated links.
Breach Notification
In the event of a breach of Protected Health Information, affected users and appropriate authorities will be notified as required by federal law. Our incident response procedures cover detection, mitigation, documentation, reporting, and corrective action.
Questions or Concerns
Orbiit Services Inc.
Email: [email protected]