HIPAA Compliance

QRZone supports healthcare organizations with HIPAA-compatible QR infrastructure. This page outlines our safeguards and responsibilities.

Last updated: February 2026

1. Overview

QRZone provides QR code infrastructure that can be configured to operate within HIPAA-regulated environments. While QR codes themselves do not store Protected Health Information (PHI), the destinations they link to and the scan metadata collected may fall under HIPAA requirements.

2. Business Associate Agreement

QRZone offers a Business Associate Agreement (BAA) to healthcare customers on Enterprise plans. The BAA defines our obligations as a business associate, including data handling, breach notification, and security safeguards. Contact sales@qrzone.io to request a BAA.

3. Technical Safeguards

  • Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Access Controls: Role-based access, multi-factor authentication, and session management
  • Audit Logging: Immutable logs of all access to QR codes and scan data
  • Data Isolation: Enterprise customers receive dedicated infrastructure with network-level isolation

4. Administrative Safeguards

  • Annual security risk assessments
  • Employee security training and background checks
  • Documented incident response procedures
  • Designated Security and Privacy Officers

5. PHI Handling

QRZone recommends that healthcare customers configure QR codes to link to authenticated portals rather than embedding PHI in QR destinations. Our scan analytics collect device and location data only; no patient identifiers are captured through QR scans.

6. Breach Notification

In the event of a security incident affecting PHI, QRZone will notify affected customers within 24 hours of discovery, as required under the HITECH Act. Our incident response team operates 24/7 to investigate and contain potential breaches.

7. Data Retention

Healthcare customers can configure custom data retention policies. Scan data can be automatically purged after a configurable period, and manual data deletion requests are processed within 48 hours.

8. Contact

For HIPAA-related inquiries, contact our compliance team at compliance@qrzone.io or through our contact page.