Important: CAPA Resolve does not currently claim full HIPAA compliance. The statements on this page describe our design principles and approach. Any specific healthcare workflow, PHI handling arrangement, or business associate agreement is subject to executed written agreements and must be scoped, reviewed, and confirmed before any such data is processed. Do not assume HIPAA compliance or a BAA relationship exists without an executed agreement.

Overview

This page is intended for healthcare organisations, vendors, and counterparties who may be evaluating CAPA Resolve in connection with healthcare-adjacent workflows, including cases involving medical billing disputes, insurance complaints, or other matters where protected health information (PHI) may be involved.

CAPA Resolve is primarily a consumer dispute-resolution and case-support platform. It is not designed or certified as a healthcare platform. However, we recognise that some dispute types may involve healthcare-related information, and we are building the platform with privacy and controlled-access principles that are broadly consistent with responsible data handling in sensitive domains.

Our design approach

Regardless of the specific regulatory framework that applies, CAPA is being built on the following principles, which are relevant to sensitive data handling:

  • Minimum necessary access: data is accessible only to those with a specific, defined need
  • User-controlled disclosure: users determine what information is shared and with whom
  • Audit logging: access events are logged and reviewable
  • Encryption in transit: all data transmitted to and from the platform is encrypted using current standards
  • Separation of environments: production data is isolated from development and testing environments

These principles align with the spirit of privacy-protective frameworks, but they do not by themselves constitute HIPAA compliance or a BAA arrangement.

PHI and HIPAA coverage

HIPAA compliance and the obligations it creates are scope-specific. Whether CAPA Resolve is acting as a Business Associate under HIPAA depends on the specific nature of the workflow, the type of information involved, and the contractual arrangements in place.

We do not currently have a standard HIPAA Business Associate Agreement (BAA) in place with all users, and we do not represent this website or the general platform as HIPAA-compliant for all use cases. Any healthcare organisation that requires a BAA before sharing PHI with CAPA must contact us before doing so. PHI should not be submitted to CAPA without a confirmed, executed BAA for the specific workflow in question.

Healthcare dispute support

CAPA's core use cases include helping individuals navigate billing disputes, insurance claim denials, and similar matters. In consumer contexts, individuals may lawfully manage their own healthcare information and share it selectively to support their own dispute. CAPA's tools are designed to support this individual-directed use case while minimising unnecessary data collection and exposure.

For workflows involving healthcare providers, insurers, or other covered entities acting on behalf of patients, different obligations apply. Please contact us before configuring any such workflow.

BAA enquiries

If your organisation requires a Business Associate Agreement, has questions about CAPA's capabilities in a healthcare context, or wants to discuss a specific use case, please get in touch:

We are happy to discuss specific scenarios and the appropriate scope, configuration, and agreement structure for healthcare-adjacent use cases.
