Healthcare information deserves the highest standard of protection. MaveRx operates as a HIPAA-aware Business Associate and maintains documented safeguards across every engagement where protected health information may be involved.
Last Updated: June 1, 2025
MaveRx Services operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164) when our services involve access to Protected Health Information (PHI) maintained by a Covered Entity.
As a Business Associate, MaveRx is directly subject to the HIPAA Security Rule and the applicable provisions of the Privacy Rule. We take this obligation seriously and structure our operations, technology, and workforce to maintain full compliance.
Importantly, our public website and intake forms do not collect PHI. The assessment process at the engagement level operates under appropriate BAA protections. Rebate submissions to pharmaceutical manufacturers generally involve aggregate dispensing data (NDC codes, volume), not patient-level records.
Protected Health Information is individually identifiable health information transmitted or maintained in any form. In the context of MaveRx services, PHI could arise in scenarios such as:
Important note
Manufacturer rebate submissions are typically structured to use aggregate dispensing statistics and NDC codes — not patient-level data. Where individual-level data is required by a program, MaveRx works with your practice to ensure the appropriate authorization and de-identification processes are in place.
When our services involve access to Protected Health Information (PHI), MaveRx executes Business Associate Agreements (BAAs) with covered entities as required under 45 CFR §164.308. All downstream subcontractors who may access PHI are similarly bound.
We apply the HIPAA Minimum Necessary standard rigorously — accessing, using, and disclosing only the minimum amount of PHI necessary to accomplish each specific service function. We do not use PHI for purposes beyond those defined in our BAA.
MaveRx maintains documented HIPAA policies and procedures, conducts workforce training on PHI handling, and designates a responsible compliance contact for all HIPAA-related matters. Access to PHI is role-based and logged.
All PHI transmitted between MaveRx and client systems is encrypted in transit using TLS 1.2 or higher. PHI stored in our systems is encrypted at rest. Access is controlled through authentication, and audit logs are maintained.
MaveRx uses HIPAA-compliant cloud infrastructure hosted by vetted providers with SOC 2 certifications. Physical access to systems containing PHI is controlled and logged. Workstations that may access PHI are secured and subject to our acceptable use policy.
In the event of a confirmed breach involving unsecured PHI, MaveRx follows the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). We will notify the covered entity without unreasonable delay and no later than 60 days following discovery, with all required information per 45 CFR §164.410.
If your practice is a HIPAA Covered Entity and your engagement with MaveRx Services will involve access to PHI, a BAA is required before any PHI is shared. MaveRx maintains a standard BAA template that meets all HIPAA requirements under 45 CFR §164.504(e).
To request a BAA or to review our template before engagement, please contact us at the address below. We typically process BAA requests within 3–5 business days.
For HIPAA compliance inquiries, breach concerns, or BAA requests, contact our compliance contact directly:
MaveRx Services — Compliance
allison@maverxservices.com
Disclaimer: This page describes MaveRx Services' HIPAA compliance posture and is provided for informational purposes. It does not constitute legal advice. Your organization's specific compliance obligations depend on your operations, the nature of the PHI you handle, and applicable regulations. We encourage you to consult qualified legal and compliance counsel for guidance specific to your practice.