HIPAA

Last updated April 16, 2026

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations govern how US covered entities and business associates handle protected health information (PHI). This page describes how AcuClient is designed to support HIPAA obligations and the shared responsibilities involved.

Roles

When a US practitioner or practice uses AcuClient to store or process PHI, Effect Wellness Inc. acts as a business associate of that covered entity. You, the practitioner or practice, remain the covered entity and the data controller; we handle PHI only as instructed and only to provide the service.

Business Associate Agreements

A Business Associate Agreement is in place with our primary data processor, Supabase. This covers hosting, authentication, and storage of PHI at the infrastructure layer.

A BAA between Effect Wellness Inc. and your practice is available on paid plans. Contact privacy@effectwellness.com to request one before entering PHI into the service.

Security Rule safeguards

AcuClient is designed to support the administrative, physical, and technical safeguards required by the HIPAA Security Rule:

  • Administrative. Documented policies, workforce training, incident-response procedures, and vendor due-diligence for all sub-processors.
  • Physical. PHI is stored in Supabase-operated data centers that maintain SOC 2 Type II certification and appropriate physical-access controls.
  • Technical. Unique user IDs, automatic session timeout, AES-256 encryption at rest, TLS 1.2+ in transit, role-based access, and audit logging (see “Audit logs” below).

Privacy Rule — minimum necessary and patient rights

Access controls in AcuClient allow practice owners to limit team members to the minimum PHI they need to perform their role. Clients can view their own records through the client portal and request export or amendment through their practitioner. We process PHI only as directed by you and do not use it for advertising, marketing, or model training.

Audit logs

The product is designed to log access to, modification of, and export of PHI, with user, timestamp, and action recorded. An end-to-end audit-log write path is being finalized as part of the launch release and will be enabled in regulated deployments before PHI is accepted at scale.

Breach notification

If Effect Wellness Inc. discovers a breach of unsecured PHI affecting your practice's data, we will notify you without unreasonable delay and in any event within the timeframe required by our BAA, providing the information you need to meet your own notification obligations to affected individuals, the Department of Health and Human Services, and, where applicable, the media. Internal reporting and investigation procedures are documented.

Data residency

AcuClient is currently hosted in the United States (Oregon). Canadian-region hosting is planned for a future platform upgrade. The current region satisfies US data-residency requirements for US-based practitioners whose obligations require their PHI to remain in the United States.

What you are responsible for

  • Entering into a BAA with Effect Wellness Inc. before storing PHI in AcuClient.
  • Configuring role-based access so team members only see the PHI they need.
  • Obtaining any authorizations your use of the service requires (for example, for telehealth or communications).
  • Reporting suspected incidents affecting your PHI to us promptly.
  • Meeting your own covered-entity obligations under HIPAA, including Notice of Privacy Practices and patient-rights workflows.

Contact

AcuClient is operated by Effect Wellness Inc. For data-protection, privacy, or legal requests, email privacy@effectwellness.com. For general or product questions, use the contact details on our contact page.