HIPAA Compliance

1. Overview

EZVFC is designed for healthcare organizations that manage vaccine inventory and administration records. Because the Service may process Protected Health Information ("PHI"), we operate with safeguards intended to support HIPAA-regulated use cases.

When required, EZVFC enters into a Business Associate Agreement ("BAA") with covered entity customers. Our data handling practices are also described in our Privacy Policy.

2. Administrative Safeguards

• Role-based access controls aligned to user responsibilities.
• Audit logging for vaccine inventory, usage, and related workflow activity.
• Policies and processes for onboarding, access changes, and account revocation.
• Support procedures for responding to security and privacy questions from customers.

3. Technical Safeguards

• Encryption in transit for data sent between users and the Service.
• Encryption at rest for managed application data and supporting infrastructure.
• Authenticated access to protected workflows and account-level session controls.
• Logging and monitoring intended to help detect unauthorized access or anomalous activity.

4. Shared Responsibility

HIPAA compliance is a shared responsibility. EZVFC is responsible for the security of the Service itself, while each customer remains responsible for its own workforce training, minimum-necessary access decisions, device security, and lawful use of PHI.

• Customers should assign user roles carefully and remove access promptly when staff change.
• Customers are responsible for the accuracy of data entered into the Service.
• Customers should use their own policies to govern patient communications and record retention.

5. Incident Response

EZVFC maintains processes for investigating suspected security incidents and, when applicable, supporting breach notification obligations under the relevant agreement and applicable law.

6. Questions and Documentation

If you need a BAA, security questionnaire support, or additional compliance details, contact support@ezvfc.net.