
HIPAA Compliance

Last updated: March 23, 2026

ClearCost is designed with a privacy-first, stateless architecture that minimizes HIPAA exposure by ensuring protected health information (PHI) never persists on our servers.

Architecture Overview

Stateless Eligibility Check Flow

When your practice verifies a patient's insurance benefits, the data flows like this:

Your Browser (PHI entered here) → ClearCost API (stateless proxy) → Payer / Stedi (270/271)
Payer Response → ClearCost API (passes through) → Your Browser (results displayed)

The ClearCost API acts as a stateless proxy. It forwards the eligibility request to the payer and returns the response. No PHI is logged, stored, or cached at any point in this process.

What We Do

PHI Never Touches Our Database

  • Patient names, member IDs, dates of birth, and insurance details are processed entirely in your browser
  • Our API endpoint proxies the request to the payer without storing any request or response data
  • No PHI is written to our database, logs, or any persistent storage
  • Saved quotes (with patient information) are stored in your browser's localStorage, not on our servers

Practice Data Isolation

  • Each practice's data is isolated using PostgreSQL Row-Level Security (RLS) policies
  • Users can only access data belonging to their own practice
  • Admin and staff roles have appropriately scoped permissions
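The following is an added example, not ClearCost's own schema or policies, of what practice isolation with PostgreSQL Row-Level Security looks like under Supabase. The tables (`practices`, `practice_members`, `fee_schedules`), the admin/staff split and the helper functions are assumptions for illustration; `auth.uid()` is Supabase's built-in helper that returns the caller's user id from the request JWT.

```sql
-- Added example (not ClearCost's schema). Practice isolation with PostgreSQL RLS
-- under Supabase. Table names, columns and helpers below are assumptions;
-- auth.uid() is Supabase's built-in helper (user id taken from the request JWT).

create table practices (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Maps each authenticated user to exactly one practice and one role.
create table practice_members (
  user_id     uuid primary key,                       -- equals auth.uid()
  practice_id uuid not null references practices(id),
  role        text not null check (role in ('admin', 'staff'))
);

-- Example practice-owned data. Deliberately contains no PHI: pricing only.
create table fee_schedules (
  id          uuid primary key default gen_random_uuid(),
  practice_id uuid not null references practices(id),
  cpt_code    text not null,
  price_cents integer not null check (price_cents >= 0)
);

-- Enable RLS and FORCE it so even the table owner is subject to the policies;
-- without FORCE, an owner-privileged code path silently sees every row.
alter table practice_members enable row level security;
alter table practice_members force row level security;
alter table fee_schedules    enable row level security;
alter table fee_schedules    force row level security;

-- A user may read only their own membership row. This keeps the helper
-- functions below non-recursive: they never see other practices' rows.
create policy practice_members_self on practice_members
  for select using (user_id = auth.uid());

-- The caller's practice and role come from the membership table, never from
-- a client-supplied parameter, so a request cannot name another practice.
create or replace function current_practice_id() returns uuid
language sql stable as $$
  select practice_id from practice_members where user_id = auth.uid()
$$;

create or replace function current_member_role() returns text
language sql stable as $$
  select role from practice_members where user_id = auth.uid()
$$;

-- Every member (admin or staff) may read and add rows for their own practice.
-- WITH CHECK on insert blocks writing a row tagged with a foreign practice_id.
create policy fee_schedules_select on fee_schedules
  for select using (practice_id = current_practice_id());

create policy fee_schedules_insert on fee_schedules
  for insert with check (practice_id = current_practice_id());

-- Only admins may modify or delete, and only within their own practice.
create policy fee_schedules_admin_update on fee_schedules
  for update
  using (practice_id = current_practice_id() and current_member_role() = 'admin')
  with check (practice_id = current_practice_id());

create policy fee_schedules_admin_delete on fee_schedules
  for delete
  using (practice_id = current_practice_id() and current_member_role() = 'admin');

-- Verification, run in a local Supabase session as the 'authenticated' role:
-- impersonate a staff user of practice A by setting the JWT claims that
-- auth.uid() reads, then confirm practice B's rows are invisible and that an
-- insert tagged with practice B's id is rejected by the WITH CHECK clause.
--
--   set role authenticated;
--   select set_config('request.jwt.claims',
--                     '{"sub":"<user id of a practice-A staff member>"}', true);
--   select count(*) from fee_schedules where practice_id = '<practice B id>';
--     -- expected: 0
--   insert into fee_schedules (practice_id, cpt_code, price_cents)
--     values ('<practice B id>', '99213', 12500);
--     -- expected: ERROR: new row violates row-level security policy
```

Two caveats follow from this layout. Supabase's `service_role` key bypasses RLS entirely, so it belongs only on the server side and must never be shipped to the browser; the anon/authenticated keys are the ones the client may hold. And RLS scopes what a logged-in user can read from the database, which is a separate guarantee from the stateless-proxy design above: it protects practice configuration data, while PHI is kept out of the database altogether rather than merely partitioned by policy.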

Secure Authentication

  • JWT-based authentication with short-lived access tokens
  • Automatic token refresh
  • All API endpoints require valid authentication

Encryption

  • All data in transit is encrypted via TLS (HTTPS)
  • Database connections use SSL
  • Supabase encrypts data at rest

What We Do NOT Do

  • We do not store, cache, or log any PHI on our servers
  • We do not maintain a patient database or patient records
  • We do not transmit PHI to any third party except the payer being queried (via Stedi)
  • We do not use patient data for analytics, marketing, or any secondary purpose

BAA Considerations

Because ClearCost's architecture is designed so that PHI is never persisted on our infrastructure, the HIPAA exposure profile is significantly reduced compared to systems that store patient data. Our stateless proxy architecture means:

  • No PHI at rest on ClearCost infrastructure
  • PHI in transit is limited to the duration of the API proxy call (typically under 3 seconds)
  • The practice retains full control of all patient data in their browser

For practices requiring a Business Associate Agreement (BAA), please contact us at compliance@clearcost.app to discuss your requirements.

Your Responsibilities

As a covered entity, your practice is responsible for:

  • Ensuring authorized use of the service by your staff
  • Managing user access and removing former employees promptly
  • Using the service on secure, practice-controlled devices
  • Following your own HIPAA policies when handling the cost estimates and eligibility data displayed in your browser

Questions

For HIPAA-related questions or to request a BAA, contact us at compliance@clearcost.app.

© 2026 ClearCost. All rights reserved.