How we support United States healthcare providers under HIPAA, including our Business Associate Agreement.
Last updated: 11 June 2026
This page applies to US healthcare providers subject to HIPAA. If you are located outside the United States, see our Privacy Policy.
How HIPAA Applies
Where your Clinic is a “covered entity” (or a business associate of one) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Protected Health Information (PHI) that you store in Nookal is handled by Nookal as your business associate. You remain responsible for using the Services in a manner that meets the requirements of HIPAA, as updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Final Rule.
Business Associate Agreement (BAA)
Our subscription agreement is subject to the terms of a Business Associate Agreement as required by HIPAA, executed by the parties at the time of subscription (see the Regional Terms clause of our Subscription Terms). Under the BAA:
- Permitted use: we use and disclose PHI only to provide the Services, as permitted by the BAA, or as required by law;
- Safeguards: we apply the administrative, technical and physical safeguards described on our Security & Compliance page, including encryption in transit and at rest;
- Sub-contractors: sub-processors that handle PHI are bound by written obligations no less protective than the BAA; see our Sub-processors page;
- Breach notification: we notify you of any breach of unsecured PHI as required by the HIPAA Breach Notification Rule;
- Individual rights: we assist you, as the covered entity, to meet your obligations regarding access, amendment and accounting of disclosures of PHI;
- Return or destruction: at the end of the Services, PHI is returned or destroyed in accordance with the BAA.
To request or execute the current version of the BAA, please contact privacy@nookal.com.
Independent Verification
Nookal is SOC 2 Type 2 certified and HIPAA attested by an independent assessor. Reports are available on request; see our Security Reports page.
Your Obligations
As a covered entity (or business associate of one), you remain responsible for your own HIPAA compliance, including:
- training workforce members on HIPAA policies and procedures;
- maintaining and enforcing your own privacy and security policies;
- executing BAAs with all your own business associates;
- conducting and documenting risk assessments;
- implementing access controls and minimum necessary standards;
- notifying affected individuals and HHS in the event of a breach.
Handling PHI in Nookal
PHI must only be handled within the secure Nookal platform. In particular:
- do not submit PHI via public forms, email, chat or other unsecured channels; always use the platform;
- access to records and features that may contain PHI is controlled by role-based permissions and captured in a full audit trail;
- Nookal does not deploy third-party advertising trackers in authenticated areas of the platform.
Questions? Contact privacy@nookal.com for privacy and compliance enquiries, or support@nookal.com for product support.