Last updated: March 2026
Our Commitment to HIPAA Compliance
CME Agent is designed with healthcare data privacy and security at its core. While CME tracking data may not always constitute Protected Health Information (PHI) under HIPAA, we treat all physician data with the same level of care and security required by HIPAA regulations. Our platform is built to meet the standards of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
How We Handle Protected Health Information
CME Agent processes the following types of data that may be considered PHI in certain contexts:
- Physician Identifiers: Names, email addresses, and professional license numbers linked to CME activity records.
- CME Certificates: Scanned certificates that may contain personal and professional identifiers.
- Compliance Records: State-specific CME completion data tied to individual physician profiles.
We apply the minimum necessary standard: our systems only access and process the minimum amount of data required to provide our CME tracking services.
Infrastructure and Encryption
CME Agent uses Supabase as our primary database and backend infrastructure. Supabase provides enterprise-grade security features:
- Encryption at Rest: All data stored in our Supabase PostgreSQL database is encrypted with AES-256. This means your data is protected even if physical storage media were to be compromised.
- Encryption in Transit: All data transmitted between your device and our servers is protected by TLS 1.2 or later. API calls, file uploads (including certificate scans), and all other communications are encrypted in transit between your device and our servers.
- Row Level Security (RLS): Supabase's row-level security ensures that users can only access their own data. Even in the event of an application-level vulnerability, database-level policies prevent unauthorized data access.
- Automated Backups: Regular encrypted backups ensure data durability and enable recovery in case of incidents.
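To make the Row Level Security point concrete, here is an added example of what "database-level policies" look like in Supabase PostgreSQL. It is illustrative code written for this page, not CME Agent's own schema or policies: the table name cme_activities and its columns are assumptions. The weak state (RLS disabled, which is the default for a newly created table) is shown beside the corrected state (RLS enabled with owner-scoped policies), followed by a check that impersonates a user to confirm only that user's rows are visible. Two caveats a practitioner should keep in mind: once RLS is enabled, a table with no policies denies every row to the API roles, so each operation needs an explicit policy; and the Supabase service_role key bypasses RLS entirely, so it must never be shipped in client-side code.

```sql
-- Constructed example table; name and columns are assumptions, not the CME Agent schema.
-- auth.users and auth.uid() are provided by Supabase.
create table cme_activities (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id),
  title        text not null,
  credits      numeric not null,
  completed_on date not null
);

-- WEAK SETTING (default): RLS is off. Any request arriving through the API as the
-- "authenticated" role can read and modify every physician's rows, because the only
-- thing standing between users is application code.
--   (nothing to run here: a new table starts with RLS disabled)

-- CORRECTED SETTING: enable RLS and scope every operation to the row owner.
-- With RLS on and no policy, all rows are denied; each policy below opens exactly
-- the rows whose user_id matches the JWT subject of the caller.
alter table cme_activities enable row level security;

create policy "owner can read own activities"
  on cme_activities for select
  to authenticated
  using (auth.uid() = user_id);

create policy "owner can insert own activities"
  on cme_activities for insert
  to authenticated
  with check (auth.uid() = user_id);   -- cannot insert rows for someone else

create policy "owner can update own activities"
  on cme_activities for update
  to authenticated
  using (auth.uid() = user_id)         -- which rows may be targeted
  with check (auth.uid() = user_id);   -- rows may not be re-assigned to another user

create policy "owner can delete own activities"
  on cme_activities for delete
  to authenticated
  using (auth.uid() = user_id);

-- CHECK (run in the SQL editor or psql against a dev database): impersonate the
-- API role and a constructed user id, then confirm only that user's rows come back.
-- auth.uid() reads the "sub" claim from the request.jwt.claims setting.
set role authenticated;
set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from cme_activities;   -- counts only rows with that user_id
reset role;
```

The policies are written per operation rather than as one `for all` policy so that an insert or update cannot be used to move a record under another user's id; the `with check` clause is what enforces that. Running the impersonation check after every schema change is a cheap way to catch a table that was created without RLS or a policy that was dropped during a migration.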
Data Handling Practices
Our data handling practices are designed to minimize risk and maximize security:
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel only. Our team members undergo background checks and HIPAA awareness training.
- Audit Logging: All access to sensitive data is logged and monitored. Audit trails are maintained to track who accessed what data and when.
- Data Minimization: We only collect and retain data that is necessary for providing our services. Certificate images are processed for data extraction and can be deleted after processing at your request.
- Secure Development: Our development practices include security code reviews, dependency scanning, and regular penetration testing.
- Incident Response: We maintain an incident response plan that includes breach notification procedures in compliance with HIPAA requirements (notification within 60 days of discovery).
Business Associate Agreements (BAA)
Enterprise users: CME Agent offers Business Associate Agreements (BAAs) for enterprise and institutional customers. If your organization requires a BAA as part of your HIPAA compliance program, please contact us at enterprise@cmeagent.com to discuss your needs and initiate the agreement process.
For individual physician accounts, our standard Terms of Service and Privacy Policy govern data handling. If you are an individual practitioner who requires a BAA, please reach out to discuss available options.
Third-Party Compliance
Our key infrastructure partners maintain their own compliance certifications:
- Supabase: SOC 2 Type II certified, with data centers in secure, access-controlled facilities.
- Hosting: Our application is hosted on infrastructure that maintains SOC 2 compliance and provides DDoS protection, WAF, and edge security.
Your Rights and Questions
You have the right to:
- Request access to all data we hold about you.
- Request deletion of your data (subject to legal retention requirements).
- Receive notification of any data breach affecting your information.
- File a complaint if you believe your privacy rights have been violated.
For questions about our HIPAA compliance practices, data security, or to request a BAA, contact us at:
support@cmeagent.com