HIPAA Compliance
Last updated: March 23, 2026
CareCost is designed with a privacy-first architecture that keeps processing of protected health information (PHI) in the browser. Pricing inputs (drug selection, plan type, deductible, copay, and coinsurance) are entered and calculated locally and leave your device only if you choose to save an estimate.
Architecture Overview
Estimate Calculation Flow
When your practice runs a cost estimate, data flows like this:
Your Browser (inputs entered here) → Client-side JavaScript (runs the math) → Browser (results displayed)
Drug pricing reference data (CMS ASP, HCPCS, ICD-10, assistance programs) is downloaded once per session and cached client-side. No patient information is transmitted to CareCost servers unless you explicitly save an estimate to your practice's account.
What We Do
PHI Never Touches Our Database
- Patient names, member IDs, dates of birth, and insurance details are processed entirely in your browser
- Payer eligibility requests are relayed by our API endpoint to the payer and the response is passed straight back; neither the request nor the response is stored
- No PHI is written to our database, logs, or any persistent storage
- Saved quotes that include patient information are stored in your browser's localStorage, not on our servers
Practice Data Isolation
- Each practice's data is isolated by PostgreSQL Row-Level Security (RLS) policies enforced in the database itself, not only in application code
- Users can only access data belonging to their own practice
- Admin and staff roles are granted only the permissions each role needs
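The practice isolation and role scoping described in this list, as an added illustration that is not CareCost's own schema or policy code: a membership table links users to practices, RLS on a saved-estimates table limits every row to members of the owning practice, and deletion is reserved for that practice's admins. All table, column and role names (practice_members, estimates, 'admin', 'staff') are assumed; auth.uid() is the Supabase helper that returns the user id from the verified JWT, and the seed rows and UUIDs are constructed for the check at the end.

```sql
-- Added illustrative example of practice isolation with PostgreSQL RLS on
-- Supabase. Not CareCost's actual schema or policies; every table, column
-- and role name here is assumed. Policies key off auth.uid(), which Supabase
-- derives from the verified JWT of the calling user.

-- Who belongs to which practice, and with which role.
create table public.practice_members (
  practice_id uuid not null,
  user_id     uuid not null,            -- in production: references auth.users (id)
  role        text not null check (role in ('admin', 'staff')),
  primary key (practice_id, user_id)
);

-- Saved estimates hold pricing inputs only; no patient identifiers.
create table public.estimates (
  id          uuid primary key default gen_random_uuid(),
  practice_id uuid not null,
  drug_code   text not null,            -- HCPCS code
  plan_type   text not null,
  estimate    numeric(12, 2) not null,
  created_by  uuid not null default auth.uid(),
  created_at  timestamptz not null default now()
);

-- Constructed sample data: practice A (one admin, one estimate) and practice B (one staff user).
insert into public.practice_members values
  ('11111111-1111-4111-8111-111111111111', 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'admin'),
  ('22222222-2222-4222-8222-222222222222', 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb', 'staff');
insert into public.estimates (practice_id, drug_code, plan_type, estimate, created_by) values
  ('11111111-1111-4111-8111-111111111111', 'J9999', 'PPO', 1234.56,
   'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa');

-- Least privilege at the grant level first: the anonymous role gets nothing,
-- signed-in users get only the operations the policies below will scope.
revoke all on public.practice_members, public.estimates from anon;
grant select on public.practice_members to authenticated;
grant select, insert, delete on public.estimates to authenticated;

alter table public.practice_members enable row level security;
alter table public.estimates enable row level security;
-- Apply RLS to the table owner too; only BYPASSRLS roles (service_role) skip it.
alter table public.estimates force row level security;

-- A user sees only their own membership rows, which is all the policies need.
create policy members_read_self on public.practice_members
  for select to authenticated
  using (user_id = auth.uid());

-- Any member of the owning practice can read its estimates.
create policy estimates_read on public.estimates
  for select to authenticated
  using (exists (
    select 1 from public.practice_members m
     where m.practice_id = estimates.practice_id
       and m.user_id = auth.uid()));

-- Members insert only into their own practice, attributed to themselves.
create policy estimates_insert on public.estimates
  for insert to authenticated
  with check (
    created_by = auth.uid()
    and exists (
      select 1 from public.practice_members m
       where m.practice_id = estimates.practice_id
         and m.user_id = auth.uid()));

-- Deleting an estimate is an admin-only action within the practice.
create policy estimates_delete on public.estimates
  for delete to authenticated
  using (exists (
    select 1 from public.practice_members m
     where m.practice_id = estimates.practice_id
       and m.user_id = auth.uid()
       and m.role = 'admin'));
-- No update policy and no update grant, so updates are refused.

-- Verification in the SQL editor: impersonate the staff user of practice B
-- the way PostgREST would (role + JWT claims) and confirm practice A's row
-- is invisible.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb","role":"authenticated"}';
select count(*) from public.estimates;   -- expected: 0 (practice A's row is hidden)
rollback;
```

Two points this layout depends on: the service_role key bypasses RLS, so it must stay server-side while the browser uses the anon key plus the user's JWT; and if practice membership is carried as a JWT claim instead of a table, read it from app_metadata (set only by the backend), never user_metadata, which users can edit themselves.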
Secure Authentication
- JWT-based authentication with short-lived access tokens
- Automatic token refresh
- All API endpoints require valid authentication
Encryption
- All data in transit is encrypted via TLS (HTTPS)
- Database connections use SSL
- Supabase encrypts data at rest
What We Do NOT Do
- We do not store, cache, or log any PHI on our servers
- We do not maintain a patient database or patient records
- We do not transmit PHI to any third party, other than relaying an eligibility request to the payer you select
- We do not use patient data for analytics, marketing, or any secondary purpose
BAA Considerations
Because CareCost's estimate calculations run client-side and patient-identifying fields are optional for estimate generation, the HIPAA exposure profile is significantly reduced compared to systems that require patient data to function. Our architecture means:
- Estimate math runs in the browser — pricing inputs do not leave the device
- Saved estimates are stored under the practice's account without patient identifiers; patient identifiers are optional, and quotes that include them remain in your browser's localStorage
- The practice controls what, if any, patient-identifying information is entered or saved
For practices requiring a Business Associate Agreement (BAA), please contact us at legal@carecostestimate.com to discuss your requirements.
Your Responsibilities
As a covered entity, your practice is responsible for:
- Ensuring authorized use of the service by your staff
- Managing user access and removing former employees promptly
- Using the service on secure, practice-controlled devices, and clearing saved quotes from the browser before a device is shared, reassigned, or retired, since localStorage is stored unencrypted by the browser and persists until it is cleared
- Following your own HIPAA policies when handling the cost estimates and eligibility data displayed in your browser
Questions
For HIPAA-related questions or to request a BAA, contact us at legal@carecostestimate.com.