Carepassage

Data Processing Addendum

This DPA supplements the Business Associate Agreement between the TPA, acting as HIPAA Covered Entity, and Carepassage LLC, acting as Business Associate. It documents the operational practices and subprocessors Carepassage uses to process PHI on the TPA's behalf.

Subprocessors, security, and PHI minimization

Carepassage processes PHI only on the TPA's documented instructions to provide the medical-travel booking service. Subprocessors that receive PHI, such as the email delivery provider and the managed hosting and database provider, are covered by a Business Associate Agreement; the hotel-booking partner receives only consumer-reservation fields by design, a boundary enforced in server-side code.

Security measures include TLS in transit, AES-256-GCM encryption at rest for member communication bodies, an append-only audit log of every PHI-bearing read and write, and multi-tenant isolation on every authenticated route. Carepassage will not request, store, or transmit clinical content, and on termination will return or securely destroy PHI at the TPA's option.

Related