BridgeMed Health

DRAFT — DO NOT PUBLISH. Certification claims on this page are unverified placeholders. Niral V. Merchant must confirm in writing that BridgeMed Health has achieved the named certifications before this page is published to a production domain. — Veydros Consulting

Section T.5 · U.S. standard

HIPAA Compliant [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]

Health Insurance Portability and Accountability Act (United States)

Although BridgeMed Health is a Canadian company, our platform is built to meet HIPAA standards [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED] — enabling us to serve plan members and work with partners that operate under U.S. health privacy requirements.

For U.S. partner organizations, reinsurers, or plan sponsors that require contractual commitments under the HIPAA framework, BridgeMed Health offers a standard Business Associate Agreement and a control mapping that demonstrates how our existing Canadian compliance posture satisfies the U.S. statutory requirements.

Canadian-owned, HIPAA-ready

Why a Canadian health company cares about HIPAA.

BridgeMed Health is owned, operated, and headquartered in Canada, with all clinical infrastructure resident in Canadian data centres. Our primary regulatory frameworks are PHIPA (in Ontario) and PIPEDA (federally). HIPAA is not a statutory obligation for a Canadian-only engagement.

The reality of modern enterprise disability management, however, is that many of our partner insurers, third-party administrators, and reinsurers operate across borders. Plan administrators on our platform may have parent companies in the United States. Reinsurance contracts may require U.S.-resident audit. Cross-border claims occasionally bring U.S. plan members or U.S. employer plans into scope.

To remove friction from those engagements, we have built the BridgeMed Health platform to HIPAA standards. That means our administrative, physical, and technical safeguards meet the requirements of the HIPAA Security Rule, and our operational practices meet the requirements of the HIPAA Privacy Rule, in addition to satisfying our Canadian obligations. Where a U.S. partner relationship requires a formal Business Associate Agreement, we are positioned to execute one.

What this means

For U.S. partners and cross-border engagements.

PHI handled to U.S. standard

Protected Health Information (PHI) is handled with the same rigour as required under U.S. law. Our administrative, physical, and technical safeguards are mapped against the HIPAA Security Rule control families, and our policies are mapped against the HIPAA Privacy Rule.

BAAs available

Business Associate Agreements are available for U.S.-based partner organizations that require one in order to share PHI with BridgeMed Health. BAA requests can be initiated by writing to info@veydros.com.

Encrypted end-to-end

All health data is encrypted in transit and at rest, regardless of jurisdiction: AES-256 at rest, TLS 1.2/1.3 in transit, and end-to-end encryption for video consultations. The full controls inventory is available on Platform Security.

Cross-border mapping

How HIPAA, PHIPA, and PIPEDA fit together.

For partners that need to satisfy multiple jurisdictions in a single agreement, BridgeMed Health’s control framework maps cleanly across the three primary statutes. The table below shows how each HIPAA control family corresponds to the Canadian equivalents we already meet.

| HIPAA control family | Canadian equivalent | BridgeMed Health practice |
| --- | --- | --- |
| Administrative safeguards | PHIPA s. 12 & PIPEDA Principle 1 (Accountability) | Designated privacy officer, documented policies, annual workforce training |
| Physical safeguards | PHIPA s. 12(1) & PIPEDA Principle 7 (Safeguards) | Canadian-resident data centres, access-controlled facilities, device management |
| Technical safeguards | PHIPA s. 13 & PIPEDA Principle 7 (Safeguards) | AES-256 at rest, TLS 1.2/1.3 in transit, MFA, role-based access, audit logging |
| Privacy Rule (use & disclosure) | PHIPA s. 29–36 & PIPEDA Principles 2, 3, 5 | Consent-based collection, purpose limitation, minimum-necessary disclosure |
| Breach Notification Rule | PHIPA s. 12(3) & PIPEDA s. 10.1 | Documented breach response, IPC and OPC reporting where required |

This mapping is provided for orientation. It is not a legal opinion, and partner organizations should retain their own counsel for binding cross-border determinations. [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]

PHI handling specifics

What it means in practice.

The HIPAA Security Rule organizes its requirements into three categories — administrative, physical, and technical safeguards. BridgeMed Health implements each category against the same control set that supports our SOC 2 Type II attestation, with two operational refinements specific to U.S. partner engagements: PHI-specific access logging that meets the HIPAA audit trail expectations, and PHI-specific incident response classifications that align with the HHS breach-reporting thresholds.

The Privacy Rule governs how PHI can be used and disclosed. BridgeMed Health treats every disclosure as either treatment, payment, or healthcare operations — the three permitted purposes — or as authorized by the plan member through a signed authorization that meets the HIPAA content requirements. We do not use PHI for marketing, do not sell PHI, and do not disclose PHI to third parties outside the boundaries documented at intake.

The Breach Notification Rule sets out what we do if something goes wrong. Our incident response procedure (see Platform Security) includes the HIPAA-specific notification timelines: notification to affected individuals within sixty days of discovery, notification to HHS for breaches affecting fewer than 500 individuals on an annual basis, and immediate notification to HHS and prominent media outlets for breaches affecting 500 or more individuals in a single jurisdiction. [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]

Business Associate Agreement

Request a BAA.

U.S.-based partner organizations that require a Business Associate Agreement to share PHI with BridgeMed Health may initiate the request by writing to our security and privacy team. A standard BAA template is available; modifications are reviewed on a case-by-case basis.

Address
1410-181 University Avenue,
Toronto, ON M5H 3M7