HIPAA Compliance & Patient Privacy

Paws Source is committed to protecting the privacy and security of all protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996.

Fully HIPAA Compliant — Last Audit: January 2025
Last Updated: January 15, 2025

1. HIPAA Compliance Overview

Paws Source, Inc. ("we," "our," or "us") operates as a hybrid entity under the Health Insurance Portability and Accountability Act (HIPAA). As a provider of veterinary telehealth services, pet health insurance coordination, and digital health records management, we are bound by strict federal regulations designed to protect the confidentiality, integrity, and availability of protected health information (PHI).

This document outlines our comprehensive approach to HIPAA compliance, including our administrative, physical, and technical safeguards, as well as the rights afforded to pet owners under federal law.

Administrative Safeguards

Workforce training, risk assessments, security management processes, and sanctions policies.

Physical Safeguards

Facility access controls, workstation security, device management, and environmental protection.

Technical Safeguards

Access controls, audit controls, encryption, integrity controls, and transmission security.

Important Notice

This HIPAA compliance statement applies to Paws Source's telehealth consultations, veterinary health records, insurance coordination services, and any other services where protected health information is collected, used, or disclosed.

2. Our Commitment to Privacy

At Paws Source, we understand that the health information of your pet — and by extension, the personal information associated with it — is deeply private. We are committed to:

  • Maintaining the confidentiality of all protected health information (PHI) in electronic, physical, and oral forms.
  • Providing notice of our legal duties and privacy practices with respect to PHI.
  • Implementing appropriate safeguards to protect the privacy and security of PHI.
  • Responding promptly to requests for access to PHI and to complaints regarding privacy practices.
  • Conducting regular risk assessments and audits to ensure ongoing compliance with HIPAA regulations.
  • Training all workforce members on HIPAA requirements and our internal privacy policies.
Certified Compliance

Paws Source has been independently audited and certified for HIPAA compliance by a third-party auditor. Our most recent certification was issued in January 2025, with the next scheduled audit in January 2026.

3. Information We Protect

Under HIPAA, we classify and protect the following categories of information as Protected Health Information (PHI):

| Category | Examples | Protection Level |
|---|---|---|
| Demographic Data | Pet name, breed, age, weight, microchip ID | Encrypted at Rest |
| Medical Records | Diagnosis, treatment plans, vaccination history, lab results | Encrypted at Rest & Transit |
| Consultation Records | Video consult recordings, chat transcripts, voice notes | Encrypted at Rest & Transit |
| Insurance Information | Policy numbers, claim history, pre-authorization data | Encrypted at Rest |
| Owner Personal Data | Name, address, phone, email, payment information | Encrypted at Rest & Transit |
| Prescription Records | Medication details, dosages, refills, veterinarian prescriptions | Encrypted at Rest & Transit |

4. Safeguards & Security Measures

We implement a comprehensive framework of safeguards designed to protect PHI against unauthorized access, use, or disclosure.

4.1 Administrative Safeguards

  • Risk Analysis & Management: We conduct annual risk assessments of all systems that store, process, or transmit PHI. Identified risks are addressed through a documented remediation plan.
  • Workforce Security: All employees, contractors, and affiliated veterinarians undergo background checks and must complete HIPAA training annually. Access to PHI is granted on a need-to-know basis.
  • Contingency Planning: We maintain comprehensive disaster recovery and emergency mode operation plans, with data backed up in geographically redundant, encrypted facilities.
  • Compliance Monitoring: Our Compliance Officer conducts quarterly audits of PHI access logs, user activity, and security configurations.
  • Business Associate Agreements: All third-party vendors with access to PHI are required to sign Business Associate Agreements (BAAs) compliant with 45 CFR §164.502(e).

4.2 Physical Safeguards

  • Facility Access Controls: Our data centers and offices utilize multi-factor authentication, biometric scanners, and 24/7 surveillance.
  • Workstation Security: All workstations handling PHI auto-lock after 5 minutes of inactivity and require re-authentication.
  • Device & Media Controls: All devices containing PHI are encrypted using AES-256. Media disposal follows NIST SP 800-88 guidelines for secure data sanitization.

4.3 Technical Safeguards

  • Access Controls: Unique user identification, automatic logoff, and role-based access control (RBAC) ensure only authorized personnel can access PHI.
  • Audit Controls: Comprehensive logging of all access, modifications, and transmissions of PHI. Logs are retained for a minimum of six years.
  • Integrity Controls: PHI is protected by digital signatures and hash verification to detect and prevent unauthorized alterations.
  • Transmission Security: All data transmitted electronically is encrypted using TLS 1.3 or higher. End-to-end encryption is used for telehealth video consultations.
  • Encryption Standards: Data at rest is encrypted using AES-256. Keys are managed through a Hardware Security Module (HSM) with automatic key rotation every 90 days.
Third-Party Integrations

When Paws Source integrates with third-party veterinary lab services, insurance providers, or pharmacy systems, all data exchanges are conducted through secure, encrypted API channels with end-to-end encryption and mutual TLS authentication.

5. Your Rights Under HIPAA

As a pet owner and primary contact for PHI held by Paws Source, you have the following rights:

You have the right to inspect and obtain a copy of your pet's PHI maintained by Paws Source, including medical records, consultation transcripts, and prescription histories. Requests should be submitted in writing to our Privacy Officer. We will respond within 30 days of receiving your request, with a possible 30-day extension if notified in writing. A reasonable, cost-based fee may be charged for copying and mailing services.

If you believe PHI we hold about your pet is incomplete or inaccurate, you may request an amendment. Your request must be made in writing and include a reason supporting the proposed amendment. We will act on your request within 60 days. If we deny your request, you will receive a written explanation and have the right to submit a statement of disagreement.

You have the right to request a list of certain disclosures we have made of your pet's PHI. This accounting will include the date of disclosure, the name of the entity or person to whom the disclosure was made, a brief description of the PHI disclosed, and the reason for the disclosure. This does not include disclosures made for treatment, payment, healthcare operations, or disclosures authorized by you.

You may request restrictions on how we use or disclose PHI for treatment, payment, or healthcare operations. While we are not always required to agree to a requested restriction, we will consider all requests on a case-by-case basis. We are required to agree if the restriction relates to a disclosure to a health plan for payment or operations, and the PHI concerns an item or service for which you (or someone on your behalf) have paid us in full out of pocket.

You have the right to request that we communicate with you about PHI in a specific manner or at a specific location. For example, you may request that consultation summaries be sent only to your email address rather than your home address. We will accommodate reasonable requests.

You may request a paper copy of this Notice of Privacy Practices at any time, even if you have previously agreed to receive the notice electronically. Simply contact our Privacy Office, and we will mail a copy to you within 30 days.

6. Notice of Privacy Practices

This Notice of Privacy Practices describes how Paws Source may use and disclose your pet's protected health information. Please review it carefully.

6.1 Uses and Disclosures for Treatment

We may use and disclose PHI for treatment purposes to ensure your pet receives appropriate veterinary care. This includes:

  • Sharing medical history with consulting veterinarians
  • Coordinating care between multiple veterinary professionals
  • Consulting with veterinary specialists for second opinions

6.2 Uses and Disclosures for Payment

We may use and disclose PHI to obtain payment for veterinary services. This includes:

  • Submitting claims to pet insurance providers
  • Processing billing and collection activities
  • Eligibility verification for insurance coverage

6.3 Uses and Disclosures for Healthcare Operations

We may use and disclose PHI to support the operational functions of Paws Source, including:

  • Quality assessment and improvement activities
  • Review of veterinary practices for professional evaluation
  • Training of veterinary students and resident programs
  • Business planning and development
  • Healthcare outcome and improvement initiatives

6.4 Other Uses and Disclosures

With your written authorization, we may use or disclose PHI for purposes not covered above. You may revoke your authorization at any time in writing, though revocation will not apply to disclosures already made.

We may also disclose PHI as required by law, for public health activities, for health oversight activities, for judicial and administrative proceedings, and in situations involving a serious threat to health or safety.

Authorization Required

For any use or disclosure of PHI not described in this Notice, Paws Source will obtain your written authorization before proceeding. You have the right to revoke this authorization at any time by notifying our Privacy Officer in writing.

7. Data Breach Response Policy

In the unlikely event of a data breach involving PHI, Paws Source has established a comprehensive incident response plan compliant with the HIPAA Breach Notification Rule (45 CFR §164.404-414).

7.1 Breach Detection & Containment

Our Security Operations Center (SOC) monitors systems 24/7 for suspicious activity. Upon detection of a potential breach, our incident response team will:

  1. Immediately isolate affected systems to contain the breach
  2. Initiate forensic investigation to determine the scope and nature of the breach
  3. Preserve all evidence for potential law enforcement involvement
  4. Assess whether the unsecured PHI poses a risk of compromise

7.2 Notification Requirements

In the event of a confirmed breach, we will provide notification in accordance with the following timelines:

  • Individual Notification: Within 60 days of discovering the breach, via first-class mail (or email if previously agreed to receive electronic notice)
  • HHS Notification: Within 60 days for breaches affecting fewer than 500 individuals; without unreasonable delay (and in no case later than 60 days) for breaches affecting 500 or more individuals
  • Media Notification: For breaches affecting 500 or more residents of a state or jurisdiction, we will issue a prominent media notice

7.3 Breach Mitigation

Following a breach, we will:

  • Provide affected individuals with information about steps they can take to protect themselves
  • Implement additional security measures to prevent recurrence
  • Conduct a post-incident review and update our security protocols accordingly
  • Provide complimentary credit monitoring and identity theft protection services where applicable
Zero Breach History

Since our founding in 2019, Paws Source has maintained a zero-incident record for data breaches involving PHI. Our security infrastructure and protocols have been continuously strengthened to maintain this track record.

8. How to File a Complaint

If you believe your privacy rights have been violated, or if you have questions about our privacy practices, you may file a complaint with us or with the U.S. Department of Health and Human Services.

8.1 Complaints to Paws Source

To file a complaint with Paws Source, please contact our Privacy Officer through any of the following methods:

  • Mail: Paws Source Privacy Officer, 123 Pet Wellness Drive, Suite 400, Austin, TX 78701
  • Email: privacy@pawssource.com
  • Phone: 1-800-PAWS-HIPAA (1-800-729-7447)
  • Online Form: Use the form below to submit a complaint electronically

8.2 Complaints to HHS

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:

No Retaliation

Paws Source will not retaliate against you for filing a complaint. All complaints will be investigated promptly and thoroughly. We will respond to your complaint within 30 days.

Submit a Privacy Complaint

Please use this form to submit any privacy-related concerns or complaints. All submissions are confidential.

9. Contact Our Privacy Office

If you have any questions about this HIPAA Compliance statement, our privacy practices, or your rights under HIPAA, please don't hesitate to contact our dedicated Privacy Office.

| Contact Method | Details | Hours |
|---|---|---|
| Phone | 1-800-PAWS-HIPAA (1-800-729-7447) | Mon–Fri, 8:00 AM – 6:00 PM EST |
| Email | privacy@pawssource.com | 24/7 (Response within 24 hours) |
| Mail | Paws Source Privacy Officer, 123 Pet Wellness Drive, Suite 400, Austin, TX 78701 | — |
| Fax | 512-555-0199 | Mon–Fri, 8:00 AM – 6:00 PM EST |
| Live Chat | Available on our website | Mon–Sat, 9:00 AM – 9:00 PM EST |
Secure Communication

All communication channels listed above are monitored by our Privacy Office team. For maximum security, we recommend using our encrypted email portal or the secure online complaint form for inquiries containing sensitive PHI.

Paws Source reserves the right to change this HIPAA Compliance statement at any time. Any changes will be posted on this page with an updated "Last Updated" date. Your continued use of our services constitutes acceptance of any changes.