HIPAA Compliance
Last Updated: February 18, 2026
Movement Atlas is committed to protecting the privacy and security of health-related information when our platform is used by healthcare-adjacent movement businesses such as physical therapy studios, rehabilitation centers, and wellness clinics. This HIPAA Statement outlines our compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Our Commitment
Movement Atlas has implemented administrative, physical, and technical safeguards to protect any Protected Health Information ("PHI") that may be processed through our platform. Our security practices are designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Business Associate Agreement
For Covered Entities (healthcare providers, health plans, or healthcare clearinghouses) that use Movement Atlas services and provide PHI, we offer a Business Associate Agreement ("BAA") that supplements the Master Service Agreement. Key provisions include:
- Use and Disclosure: Movement Atlas will not use or disclose PHI other than as permitted by the BAA or as required by law. We will not use PHI for marketing or fundraising purposes.
- Safeguards: We implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI.
- Breach Notification: Movement Atlas will report any breach of unsecured PHI to the Covered Entity within 30 business days of discovery.
- Subcontractors: Any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions that apply to Movement Atlas.
- Minimum Necessary: We request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
Security Measures
Movement Atlas employs the following security measures in compliance with HIPAA requirements:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls with multi-factor authentication
- Regular security audits and vulnerability assessments
- Employee training on HIPAA compliance and data handling
- Incident response procedures for security events
- Comprehensive audit logging of all PHI access
- Business continuity and disaster recovery plans
Data Subject Rights
Individuals have the right to:
- Request access to their PHI maintained by Movement Atlas
- Request amendments to their PHI
- Request an accounting of disclosures of their PHI
- Request restrictions on certain uses and disclosures of their PHI
- Receive confidential communications of their PHI
Termination and Data Handling
Upon termination of a BAA, Movement Atlas will return or destroy all PHI received from or created on behalf of the Covered Entity. If return or destruction is not feasible, protections will be extended to the retained information indefinitely.
Contact Us
For questions about our HIPAA compliance, to request a BAA, or to report a potential HIPAA concern, please contact us at [email protected] or visit our Contact page.