What is ExaVeyra's role under HIPAA?

ExaVeyra may act as a Business Associate when we receive, create, or transmit Protected Health Information (PHI) on behalf of covered entities (e.g., clinics, practitioners). In such cases, we enter into Business Associate Agreements (BAAs) that define our obligations and safeguards.

Does ExaVeyra sign Business Associate Agreements?

Yes. Covered entities that share PHI with ExaVeyra for telehealth, intake processing, or clinical support may request a BAA. Contact us to initiate the process. BAAs are reviewed by our compliance team and executed before PHI is disclosed.

How does ExaVeyra protect health information?

We use administrative safeguards (policies, workforce training, risk assessments), physical safeguards (access controls, facility security), and technical safeguards (encryption, access logging, secure transmission) consistent with HIPAA Security Rule requirements.

What happens in the event of a breach?

In the event of an incident involving unsecured PHI, ExaVeyra follows HIPAA breach notification rules: we conduct a risk assessment, notify affected individuals and the Department of Health and Human Services as required, and cooperate with covered entities in their breach response obligations.

HIPAA Compliance — Regenerative Medicine

Last updated: February 2025

Overview

ExaVeyra Sciences takes the protection of health information seriously. The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations establish standards for the privacy and security of Protected Health Information (PHI). This page describes our approach to HIPAA compliance when we receive, create, maintain, or transmit PHI in connection with our services—including telehealth consultations, intake forms, partner programs, and clinical support.

Our Role Under HIPAA

ExaVeyra is a supplier of regenerative medicine products (exosomes, biologics, peptides) and medical devices to licensed healthcare providers. We also offer telehealth consultations and concierge medicine programs to individuals. Depending on the context:

Business Associate: When we perform functions or activities on behalf of a covered entity (e.g., a clinic) that involve PHI, we may be a Business Associate under HIPAA. In those cases, we enter into a Business Associate Agreement (BAA) that specifies our obligations.
Direct interactions: When individuals share health information with us for telehealth or concierge services, we handle that information in accordance with our Privacy Policy, HIPAA (where we act on behalf of a covered entity), and applicable state laws.

Not all information we collect is PHI. For example, general contact inquiries, wholesale application data (clinic name, license number), or non-health information are handled under our Privacy Policy rather than solely under HIPAA. When PHI is involved, we apply the safeguards described below.

Business Associate Agreements

Covered entities that disclose PHI to ExaVeyra for telehealth, intake processing, or other services may request a Business Associate Agreement. Our BAAs address:

Permitted uses and disclosures of PHI
Safeguards to protect PHI
Reporting of security incidents and breaches
Subcontractor obligations when PHI is shared
Return or destruction of PHI upon termination
Access to information for individual rights requests

To request a BAA or discuss HIPAA-related arrangements, please contact us via our Contact page. We will connect you with our compliance team to initiate the process.

Administrative Safeguards

We maintain administrative policies and procedures designed to protect PHI:

Workforce training: Employees with access to PHI receive HIPAA awareness and security training and are bound by confidentiality obligations.
Minimum necessary: We limit PHI access and disclosure to the minimum necessary to accomplish the intended purpose.
Risk management: We conduct risk assessments and implement mitigation measures to reduce risks to the confidentiality, integrity, and availability of PHI.
Incident response: We have procedures to identify, contain, and report security incidents and breaches.

Physical Safeguards

Physical safeguards address facility access, workstation use, and device controls:

Controlled access to facilities where PHI may be processed
Workstation security and clean-desk practices
Proper disposal of documents and media containing PHI
Device and media controls for laptops, removable media, and backups

Technical Safeguards

We implement technical measures to protect PHI:

Encryption: PHI in transit is protected using TLS/HTTPS. PHI at rest is encrypted using industry-standard methods.
Access controls: Unique user identification, automatic logoff, and role-based access limit who can view or modify PHI.
Audit controls: We log access and activity related to PHI to support accountability and incident response.
Integrity: We use mechanisms to protect against unauthorized alteration or destruction of PHI.

Our technology vendors (hosting, telehealth platforms, CRM) are selected with HIPAA compliance in mind, and we require BAAs or equivalent assurances where they process PHI on our behalf.

Breach Notification

In the event of a breach of unsecured PHI, ExaVeyra follows HIPAA's breach notification rule:

We conduct a risk assessment to determine whether there is a low probability that PHI has been compromised.
If notification is required, we notify affected individuals without unreasonable delay and in no case later than 60 days after discovery.
We notify the Secretary of the U.S. Department of Health and Human Services as required by HIPAA.
When we act as a Business Associate, we notify the covered entity so it can meet its own notification obligations.

Individual Rights

When we maintain PHI on behalf of a covered entity, individual rights (access, amendment, accounting of disclosures, restrictions, confidential communications) are generally exercised through the covered entity. We support covered entities in fulfilling those requests. For PHI we hold in our capacity as a direct service provider (e.g., telehealth), we will honor applicable requests in accordance with HIPAA and our Privacy Policy.

Questions & Contact

For questions about our HIPAA compliance practices, BAA requests, or security-related concerns, please contact us via our Contact page. We will direct your inquiry to our compliance team.