Trust & Compliance
HIPAA Compliance
Business Associate Agreement available for qualified clinical customers
Last updated: April 13, 2026
FoxtInn serves healthcare and clinical facilities that require compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). This page outlines how FoxtInn supports HIPAA compliance for qualified clinical Customers.
Important Notice
FoxtInn is a workforce management and operations platform, not an Electronic Health Record (EHR) or clinical system. HIPAA compliance applies only when Customers who are Covered Entities or Business Associates use FoxtInn to process Protected Health Information (PHI). Customers must execute a Business Associate Agreement (BAA) with FoxtInn before transmitting any PHI through the platform.
1. Business Associate Agreement (BAA)
FoxtInn offers a Business Associate Agreement to qualified clinical Customers. The BAA establishes FoxtInn as a Business Associate under HIPAA and defines our obligations regarding PHI, including:
- Permitted uses and disclosures of PHI
- Safeguards required to prevent unauthorized use or disclosure
- Breach notification procedures
- Requirements for subcontractors (subprocessors) who handle PHI
- Individual rights regarding their PHI
- Termination provisions and data return/destruction
To request a BAA: Contact privacy@foxtcon.com with the subject line “BAA Request - [Your Business Name].”
2. Who Qualifies?
A BAA is available to Customers who are:
- Covered Entities: Healthcare providers (clinics, medical offices, dental practices, physical therapy centers), health plans, and healthcare clearinghouses.
- Business Associates: Organizations that perform functions on behalf of Covered Entities involving the use or disclosure of PHI.
Customers must be on a Pro or Portfolio plan to execute a BAA, as HIPAA compliance requires features not available on the Free plan.
3. Administrative Safeguards
| HIPAA Requirement (45 CFR §) | FoxtInn Implementation |
|---|---|
| Security Management Process (164.308(a)(1)) | Documented risk analysis and risk management program; annual security assessments |
| Workforce Security (164.308(a)(3)) | Background checks for all personnel; role-based access controls; access provisioning/deprovisioning procedures |
| Information Access Management (164.308(a)(4)) | Least-privilege defaults; property-scoped data isolation; access reviews |
| Security Awareness Training (164.308(a)(5)) | Annual security and privacy training for all personnel with access to customer data |
| Security Incident Procedures (164.308(a)(6)) | Documented incident response plan with defined severity levels and 24/7 on-call rotation |
| Contingency Plan (164.308(a)(7)) | Daily backups, tested disaster recovery procedures, multi-AZ redundancy |
4. Technical Safeguards
| HIPAA Requirement (45 CFR §) | FoxtInn Implementation |
|---|---|
| Access Control (164.312(a)(1)) | One-time-passcode (OTP) authentication; short-lived JWT sessions (15-minute expiry); MFA required for administrator access; a unique user identifier for every account |
| Audit Controls (164.312(b)) | Comprehensive audit logging of all access to systems and data; minimum 180-day log retention; immutable log storage |
| Integrity (164.312(c)(1)) | Data integrity verification; checksums; version history; tamper-evident audit trails |
| Transmission Security (164.312(e)(1)) | TLS 1.2+ for all data in transit; certificate validation; HSTS enabled |
| Encryption (164.312(a)(2)(iv)) | AES-256 encryption at rest via AWS KMS; automatic key rotation |
5. Physical Safeguards
FoxtInn’s infrastructure is hosted on Amazon Web Services (AWS). AWS maintains SOC 2 and ISO 27001 certifications for its physical data center facilities and offers HIPAA-eligible services under its own Business Associate Agreement (HIPAA itself has no formal certification program). AWS facilities provide:
- 24/7 physical security with biometric access controls
- Environmental controls (fire suppression, climate control, redundant power)
- Video surveillance and intrusion detection
- Visitor access logs and escort requirements
6. Breach Notification
In the event of a breach of unsecured PHI, FoxtInn will:
- Notify the Customer (Covered Entity) without unreasonable delay and no later than 60 calendar days after discovery of the breach, as required of Business Associates under 45 CFR § 164.410.
- Provide details including: identification of each individual affected (if known), description of the types of PHI involved, recommended steps individuals should take, description of what FoxtInn is doing to investigate and mitigate.
- Cooperate with the Customer in fulfilling their notification obligations to the Secretary of HHS and affected individuals.
- Document the breach in an internal breach log maintained for a minimum of 6 years.
7. PHI Data Handling
7.1 What PHI May Be Processed
When a BAA is in place, the following types of information may be processed through FoxtInn:
- Patient/client names and contact information (in appointment or task context)
- Appointment scheduling information
- Service request details (e.g., patient check-in, room/station assignment)
- Staff communications about patient care coordination
7.2 What PHI Should NOT Be Entered
FoxtInn is not an EHR system. The following should not be entered into FoxtInn, even with a BAA:
- Medical diagnoses, treatment plans, or clinical notes
- Lab results or imaging reports
- Insurance information, policy numbers, or claims data
- Social Security numbers or government-issued IDs
- Payment card data (handled by PCI-compliant payment processor)
8. Minimum Necessary Standard
FoxtInn implements the HIPAA Minimum Necessary standard: our platform and personnel only access the minimum amount of PHI necessary to perform a given function. Role-based access controls ensure that staff members see only the data relevant to their role and property assignment.
9. Data Retention & Destruction
- Active Accounts: PHI is retained for the duration of the BAA and active subscription.
- Termination: Upon termination, Customer has 30 days to export PHI. FoxtInn then deletes PHI from production systems within 30 days and purges backups within 90 days.
- Destruction Certificate: A written certification of PHI destruction is provided upon Customer’s written request.
- Legal Holds: PHI may be retained beyond the standard period if required by law.
10. Subprocessors & PHI
When a BAA is in place, FoxtInn ensures that any subprocessor handling PHI has executed appropriate Business Associate or subcontractor agreements. Current subprocessors with potential PHI access:
| Subprocessor | Role | HIPAA Status |
|---|---|---|
| Amazon Web Services | Cloud infrastructure & storage | BAA in place; PHI is stored and processed only in AWS services covered by that BAA (HIPAA-eligible services) |
| Stripe | Payment processing | No PHI access (payment data only) |
Note: AI Features (LALA Virtual GM) are not enabled for PHI processing unless explicitly authorized under the BAA and with additional safeguards in place.
11. Customer Responsibilities
Customers using FoxtInn under a BAA are responsible for:
- Determining what PHI, if any, is appropriate to process through FoxtInn
- Training their staff on proper use of the platform with PHI
- Configuring access controls and user roles appropriately
- Maintaining their own HIPAA compliance program
- Notifying FoxtInn if PHI is inadvertently entered without a BAA in place
- Responding to individual rights requests related to PHI
12. Contact
BAA Requests: privacy@foxtcon.com (subject: “BAA Request”)
Privacy: privacy@foxtcon.com
Security: security@foxtcon.com