Our Commitment to Privacy
Rehab-Atlas takes the protection of health-related information seriously. While Rehab-Atlas is an information and referral platform — not a covered entity under HIPAA (the Health Insurance Portability and Accountability Act) — we voluntarily align our data handling practices with HIPAA principles to provide the highest standard of privacy protection for our users.
Effective Date: March 2026
HIPAA and Rehab-Atlas
What Is HIPAA?
HIPAA is a United States federal law that establishes national standards for the protection of individually identifiable health information (Protected Health Information, or PHI). It applies primarily to healthcare providers, health plans, and healthcare clearinghouses ("covered entities") and their business associates.
Our Status
Rehab-Atlas is not a covered entity under HIPAA because:
- We do not provide medical treatment or clinical services.
- We do not process health insurance claims.
- We do not have access to your medical records.
However, because our users share sensitive information about substance use, mental health, and treatment needs, we treat all such information with the same level of care and protection that HIPAA demands.
How We Align with HIPAA Principles
Privacy Safeguards
| HIPAA Principle | How Rehab-Atlas Aligns |
|---|---|
| Minimum Necessary Standard | We collect only the information needed to match you with appropriate centers. We share only what is necessary for referral purposes. |
| Individual Rights | You can access, correct, or delete your personal data at any time by contacting us. |
| Notice of Privacy Practices | This page and our Privacy Policy clearly explain how we handle your information. |
| Consent | We forward your inquiry to rehabilitation centers only after administrative review. You choose which centers to contact. |
Technical Safeguards
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 (HTTPS) on all connections |
| Encryption at Rest | AES-256 encryption on database records |
| Access Controls | Role-based access (user, partner, admin) with session-based authentication |
| Audit Logging | Administrative actions are logged with timestamps |
| Secure Authentication | Passwords are hashed using bcrypt. Admin access requires elevated credentials. |
| Rate Limiting | API endpoints are rate-limited to prevent abuse |
| Input Validation | All user inputs are validated and sanitised |
Administrative Safeguards
- Staff Training: Our team is trained on privacy best practices and the importance of confidentiality.
- Access Limitation: Only authorised administrators can view inquiry details. Partner centers see only the information necessary for their response.
- Incident Response: We have procedures in place to identify, contain, and remediate any data breach or security incident.
- Vendor Due Diligence: Our infrastructure providers (Supabase, Vercel, Resend) maintain SOC 2 compliance and enterprise-grade security.
Physical Safeguards
- Our platform is hosted on cloud infrastructure (Vercel and Supabase) that maintains physical security certifications including SOC 2 Type II.
- We do not maintain physical servers or store data on local devices.
What Information We Handle
When you use Rehab-Atlas, you may share:
- Self-reported treatment preferences (not medical records)
- Contact information (name, email, phone)
- Assessment responses (substance type, severity self-assessment, budget, location)
We do not collect, store, or process:
- Medical records or clinical documentation
- Insurance claims or billing information
- Prescription or medication details
- Diagnosis codes (ICD-10, DSM-5, etc.)
- Biometric or genetic data
Data Handling Commitments
- Confidential by Default: All inquiries and assessment data are treated as confidential. They are not publicly visible and are accessible only to authorised administrators.
- No Data Sales: We never sell personal information to third parties.
- Purpose Limitation: Your data is used solely for the purpose of connecting you with appropriate rehabilitation services and improving our platform.
- Retention Limits: Inquiry data is retained for a maximum of 24 months. Assessment data is retained for 12 months. You may request earlier deletion at any time.
- Breach Notification: In the unlikely event of a data breach affecting your information, we will notify you within 72 hours and take immediate steps to contain and remediate the incident.
For Rehabilitation Centers (Partners)
If you are a rehabilitation center listed on Rehab-Atlas:
- You are responsible for your own HIPAA compliance as a covered entity (if applicable).
- Information we forward to you (lead referrals) should be handled in accordance with your own privacy policies and HIPAA obligations.
- You agree not to use referral information for purposes other than responding to the specific inquiry.
Continuous Improvement
We regularly review and update our privacy and security practices. Our goal is to exceed — not merely meet — the expectations of individuals who trust us with sensitive information.
Questions
If you have questions about our privacy practices or HIPAA alignment:
Email: info@rehab-atlas.com
Website: www.rehab-atlas.com/contact
Rehab-Atlas is committed to earning and maintaining your trust. Privacy is not a feature — it is a foundational principle of everything we build.