HIPAA Compliant

HIPAA Compliance

How Phyxem protects Protected Health Information (PHI)

Last updated: April 10, 2026

Our Commitment

Phyxem AI Suite is built from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). We understand that healthcare providers trust us with their most sensitive data — patient health information — and we take that responsibility seriously.

Nuvian Labs LLC, the operator of Phyxem, acts as a Business Associate under HIPAA when processing Protected Health Information (PHI) on behalf of Covered Entities. We are prepared to sign a Business Associate Agreement (BAA) with every customer who handles PHI.

Administrative Safeguards

Security Officer: A designated Security Officer oversees our HIPAA compliance program and PHI handling policies.
Workforce training: All Nuvian Labs personnel receive HIPAA training upon hire and annually thereafter.
Access management: Access to PHI is restricted to personnel with a legitimate business need, governed by the principle of least privilege.
Incident response: We maintain a documented incident response plan for security events involving PHI.
Risk assessments: We perform annual HIPAA security risk assessments and address findings promptly.
Business Associate Agreements: We sign BAAs with every subprocessor that may handle PHI on our behalf.

Technical Safeguards

Encryption at Rest

PHI is encrypted with AES-256-GCM before being written to the database. Field-level encryption protects patient records even from database administrators.

Encryption in Transit

All network traffic uses TLS 1.3. Internal service-to-service communication is encrypted. No PHI is ever transmitted over unencrypted channels.

Audit Logging

Every PHI access is logged with user identity, timestamp, action taken, and record identifier. Logs are tamper-evident and retained for 7 years.

Access Controls

Role-based access control (RBAC) enforces least-privilege access. Multi-factor authentication is required for administrative access.

Data Integrity

Database backups are taken hourly and encrypted. We use cryptographic checksums to detect unauthorized modification of PHI.

Automatic Logoff

Inactive sessions are automatically terminated. Session tokens have short lifetimes and require re-authentication for sensitive operations.

Physical Safeguards

Phyxem runs on cloud infrastructure provided by Vercel, AWS (via Supabase), and Neon Postgres — all of which maintain SOC 2 Type II certifications and have documented physical security controls including 24/7 monitored data centers, biometric access controls, and redundant power and cooling.

Nuvian Labs does not operate its own physical data centers. All PHI is stored in the United States in HIPAA-eligible cloud regions.

Breach Notification

In the event of a breach involving unsecured PHI, we will notify affected Covered Entities without unreasonable delay and in any case within 60 days of discovery, as required by the HIPAA Breach Notification Rule. Our incident response team is equipped to investigate, contain, and remediate security incidents 24/7.

Subprocessors

Phyxem uses the following HIPAA-compliant subprocessors to deliver the Service. We maintain BAAs with each of them:

Vercel: Application hosting and edge network
Supabase: Authentication and Postgres database
Neon: Serverless Postgres for analytics
Twilio: SMS and voice communications
Photon Health: E-prescribing infrastructure
Sentry: Error monitoring (PHI-scrubbed)

Patient Rights

HIPAA grants patients specific rights regarding their PHI. Phyxem provides our customers with the tools to honor these rights:

Right to access: Patients can view and export their records through the patient portal
Right to amendment: Practices can update patient records at the patient's request
Right to accounting of disclosures: Our audit logs capture every access for review
Right to restriction: Practices can configure data sharing preferences per patient
Right to confidential communications: Patients can specify preferred contact methods

Business Associate Agreement

We will execute a Business Associate Agreement with any customer who is a Covered Entity or Business Associate under HIPAA. Our standard BAA addresses permitted uses, safeguards, reporting obligations, subcontracting, and termination consistent with 45 CFR § 164.504(e).

To request a BAA, contact compliance@nuvianlabs.com.

Your Responsibilities

HIPAA compliance is a shared responsibility between Nuvian Labs and our customers. While we provide the technical and organizational safeguards described above, Covered Entities remain responsible for:

Maintaining appropriate workforce training on HIPAA within their own organization
Configuring user accounts with appropriate role-based permissions
Obtaining proper patient authorizations and consents
Notifying Nuvian Labs of workforce changes that affect access
Using the platform in accordance with the executed BAA

Contact Our Compliance Team

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern:

Nuvian Labs LLC

Email: compliance@nuvianlabs.com

Security: security@nuvianlabs.com

Phyxem