HIPAA Compliance

PKGSEND handles sensitive client and patient information as part of our delivery and logistics services. We are committed to protecting that information in accordance with the Health Insurance Portability and Accountability Act ("HIPAA"), including the Privacy, Security, and Breach Notification Rules.

This page describes how we protect client data handled during our delivery and logistics operations. For information about the pkgsend.com website itself, see our Privacy Policy and Terms of Service.

1. Our Role as a Business Associate

When we deliver prescriptions or handle materials on behalf of pharmacies, healthcare providers, and other Covered Entities, PKGSEND acts as a Business Associate under HIPAA. We enter into a Business Associate Agreement (BAA) with our clients that defines our obligations for protecting Protected Health Information ("PHI") that we receive, transport, or otherwise handle.

2. What Information This Covers

This commitment applies to PHI we may access or handle in the course of providing services, which can include:

Patient names and delivery addresses;
Prescription and package labeling associated with a patient;
Proof-of-delivery records such as signatures and photos; and
Any other client or patient information shared with us to perform a delivery.

3. Administrative Safeguards

Documented privacy and security policies governing how PHI is handled;
Workforce and driver training on HIPAA obligations and proper handling of PHI;
Role-based access so that personnel only access the information needed to perform their duties; and
A designated point of contact responsible for privacy and security matters.

4. Physical Safeguards

Secure handling and chain-of-custody procedures from pickup to delivery;
Controlled access to facilities and to any physical materials containing PHI; and
Verified handoffs with signature and/or photo confirmation at the point of delivery.

5. Technical Safeguards

Encryption of PHI in transit and at rest within our platform;
Unique user accounts, authentication, and access controls;
Audit logging of access to systems that contain PHI; and
Ongoing monitoring and security maintenance of our systems.

6. Minimum Necessary

We follow the "minimum necessary" principle, limiting the use, access, and disclosure of PHI to what is reasonably required to complete a delivery or provide the agreed-upon service.

7. Subcontractors

Where we engage subcontractors who may handle PHI on our behalf, we require them to agree in writing to safeguards at least as protective as those described here, consistent with HIPAA.

8. Breach Notification

If a breach of unsecured PHI occurs, we will investigate, mitigate to the extent practicable, and notify the affected Covered Entity in accordance with HIPAA's Breach Notification Rule and the terms of the applicable BAA.

9. Requesting a Business Associate Agreement

Covered Entities that work with PKGSEND can request a Business Associate Agreement before sharing PHI. To request a BAA or ask questions about our HIPAA practices, contact us at hello@pkgsend.com.

This page is provided for general informational purposes and does not constitute legal advice. The specific obligations between PKGSEND and a client are governed by the executed Business Associate Agreement and service contract.