Carepassage

Built for healthcare. Built for trust.

Carepassage is a Business Associate of every TPA it works with. We sign your BAA, collect only what is needed to book travel and assemble a claim, and handle PHI like PHI, not like a guest reservation.

Three commitments we make on member data

You are the Covered Entity and we are the Business Associate. Onboarding does not move to live members until your BAA is in place.

Why we sign a BAA when a consumer travel site will not

When an operator books on a consumer site, that site only sees a guest name, dates, a hotel, and a card, not the plan, the member ID, or the date of service. In their hands it is an ordinary reservation, not PHI.

Carepassage is different because we hold the linkage: the booking sits next to the date of service and the plan member ID, which is what lets us deliver branded itineraries, claim packets, and per-plan reporting. The cost is that we are a Business Associate, and we limit what flows to our hotel-booking partner to the same fields a consumer site would see.

Common questions

Are you SOC 2 or HITRUST certified?

Not yet. This page describes operational practice today, not certifications we do not hold. SOC 2 Type I is on the roadmap as we scale. We are transparent about what we do and do not claim so your compliance team can evaluate honestly.

What does a hotel partner actually see?

Only the fields equivalent to a regular consumer reservation: guest name, dates, room type, and a payment token. No procedure, no member ID, no plan, and no facility identifier flagged as medical. Free-text remarks are sanitized server-side before any vendor call.

How do we start a BAA review?

Send us your BAA template and we counter-sign before any live member data flows. Our Data Processing Addendum is published so your compliance officer can review subprocessors and security measures up front.

Related