
HIPAA Compliance Support at Unily

Unily has completed a dedicated HIPAA compliance exercise, working closely with specialist external legal advisers. This work has been independently validated through an external audit, which confirmed that the Unily platform aligns with the requirements of the HIPAA Security Rule and HIPAA Breach Notification Rule.

In brief, HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. federal law that sets standards for safeguarding certain types of health‑related information, known as Protected Health Information (PHI), and for managing and reporting data breaches involving that information.

Why this matters

Certain Unily features can be configured by customers to surface or share information from their connected external systems, which may include health-related data. When customers choose to use these capabilities in regulated healthcare contexts, it is essential that the platform supports their security and compliance requirements.

For healthcare customers, trust in how sensitive information is protected is critical. This independently validated compliance work demonstrates Unily’s commitment to strong governance, robust security controls, and responsible data handling. Where HIPAA applies, customers can be confident that PHI is safeguarded in line with applicable regulatory and industry standards.

When HIPAA applies

HIPAA does not apply to all customers or all uses of the Unily platform. However, in scenarios where a customer is subject to HIPAA and chooses to process PHI via Unily, Unily operates as a Business Associate under HIPAA.

In this role, Unily processes PHI on behalf of customers (known as Covered Entities) and in accordance with their instructions, rather than independently determining how that data is used.


Examples of U.S. organizations that may be Covered Entities include:

  • Healthcare providers, such as hospitals, clinics, or healthcare networks

  • Health insurers or health plans, including organizations that provide or administer health insurance

  • U.S. public healthcare programs such as Medicare or Medicaid, and organizations that support them

Supporting HIPAA‑regulated use cases

Where HIPAA applies to a customer’s use of the platform, Unily makes a Business Associate Agreement (BAA) available for execution. The BAA sets out Unily’s responsibilities as a Business Associate and the safeguards in place to protect PHI.

To support transparency and customer confidence, customers may view and download the external auditor’s report verifying Unily’s HIPAA compliance in Universe. Customers and prospective customers can use this information, alongside the BAA and supporting guidance, as part of their due diligence and vendor assessment processes.

To the extent that the contracting Unily entity transfers any Personal Data to a sub-processor (including any Unily Affiliates) that processes personal data outside the UK or EEA (except if in an adequate country), such transfers are outside of the scope of the SCC Addendum. For these purposes, Unily will be deemed the ‘data exporter’ and has therefore entered into applicable standard contractual clauses with any relevant sub-processors.

Questions

If you have questions about HIPAA, Business Associate Agreements, or how Unily supports regulated healthcare use cases, please contact privacy@unily.com.