Compliance

HIPAA Compliance

BlackDrivo takes the security and privacy of protected health information seriously. Our compliance framework meets HIPAA requirements for medical transportation providers and healthcare facility partners.

Our commitment

Data protection is core to our service

When healthcare facilities trust BlackDrivo to transport their patients, they are entrusting us with sensitive protected health information. We treat that trust as a core responsibility — maintaining strict technical, administrative, and physical safeguards that meet or exceed HIPAA Security Rule requirements.

Framework

Our HIPAA safeguards

Technical Safeguards

  • End-to-end TLS encryption for all data in transit
  • AES-256 encryption for stored patient and booking data
  • Role-based access controls limiting PHI exposure
  • Automatic session timeouts on inactive accounts
  • Audit logging of all PHI access events

Administrative Safeguards

  • Designated Privacy & Security Officer
  • Annual HIPAA training for all staff handling PHI
  • Business Associate Agreements (BAA) with covered entities
  • Documented incident response and breach notification procedures
  • Regular risk assessments and policy reviews

Physical Safeguards

  • Secure, access-controlled data center infrastructure
  • No PHI stored on personal or unmanaged devices
  • Workstation and device use policies
  • Secure media disposal protocols
  • Visitor and contractor access logging

For healthcare partners

Business Associate Agreement

We provide signed Business Associate Agreements to all covered entities and healthcare organizations as required by HIPAA. BAAs are provided at no cost and processed within 48 hours of request.

FAQ

Common questions

What is a Business Associate Agreement (BAA)?

A BAA is a HIPAA-required contract between a covered entity (e.g., a hospital) and a business associate (BlackDrivo) that outlines our obligations to protect PHI. We provide BAAs to all qualifying healthcare partners at no additional cost.

What patient information does BlackDrivo handle?

For medical transport bookings, we may handle the patient's name, contact details, pickup/drop-off addresses, and appointment information. We collect only what is necessary to fulfill the transportation request.

How do you handle a data breach?

In the event of a breach involving PHI, we follow our documented incident response plan — including immediate containment, forensic investigation, and notification to affected covered entities within the HIPAA-required 60-day window.

Can our healthcare organization request a BAA?

Yes. Contact our compliance team at compliance@blackdrivo.com and we will initiate the BAA process within 2 business days. BAAs are standard for all healthcare facility accounts.

Is your infrastructure HIPAA-certified?

Our cloud infrastructure is hosted on HIPAA-eligible services with signed BAAs in place. We maintain documentation of all third-party BAAs as required by the HIPAA Security Rule.