
   +1 514 999 0858  2020 Trans-Canada Hwy, Dorval, Montreal, QC H9P 2N4

MigiHub Documentation - HIPAA Compliance

HIPAA Compliance at MigiHub

Last Updated: September 1, 2025

MigiHub is a software-as-a-service platform developed and owned by InnuCloud Experts Inc. We design and operate MigiHub to support our customers' obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act.

Our role under HIPAA

  • Business Associate (BA): When a HIPAA-covered entity uses MigiHub and enters or stores PHI in the platform, InnuCloud acts as a BA and processes PHI only to provide the service and as instructed by the covered entity.
  • Controller (our own data): For website analytics, billing, and account administration of our own customers, InnuCloud acts as a data controller (not a BA).

We make a Business Associate Agreement (BAA) available to covered-entity customers and bind HIPAA-relevant subcontractors to BA-level terms.

What counts as PHI in MigiHub

Depending on your configuration, PHI may include booking/assignment details (date/time, location), contact information, notes or attachments shared for appointment preparation, interpreter timesheets with patient identifiers, and optional geolocation if you enable it. Customers should apply the minimum necessary principle when entering PHI.

Security safeguards (HIPAA Security Rule)

  • Unique user IDs and Single Sign-On (SSO) support
  • Role-based access control and least-privilege permissions
  • Encryption in transit (TLS) and encryption at rest
  • Audit logging and monitoring of security-relevant events
  • Backups and recovery testing to support availability
  • Vulnerability management and security patching
  • Documented incident response procedures

Minimum Necessary by design

We provide field-level configuration, roles/permissions, and data-handling guidance to help customers limit PHI exposure to the minimum necessary for scheduling, fulfillment, and billing.

De-identification options

Where feasible, customers can reduce risk by avoiding PHI in free-text notes and attachments, or by using de-identified data sets for analytics. HIPAA recognizes two de-identification methods: Safe Harbor (removal of 18 identifiers) and Expert Determination.

Breach notification (HITECH)

If InnuCloud discovers a breach of unsecured PHI in our capacity as a Business Associate, we will notify the covered entity without undue delay and provide information to support regulatory notifications under the Breach Notification Rule (45 CFR §§ 164.400–414). The BAA specifies exact timeframes and details.

Subcontractors (downstream BAs)

We assess and contractually bind relevant subcontractors that create, receive, maintain, or transmit PHI on our behalf to HIPAA-grade obligations, including security safeguards and breach notification.

No official HIPAA certification

There is no government-recognized HIPAA certification. The Office for Civil Rights (OCR) requires ongoing risk analysis and evaluation. Organizations may use third parties to evaluate controls, but certification itself is not mandated or endorsed by HHS. We avoid misleading seals and demonstrate compliance through controls, BAAs, and documentation.

Customer responsibilities

  • Determine whether you are a covered entity or business associate and configure MigiHub to limit PHI intake.
  • Execute the BAA with InnuCloud.
  • Manage user access/SSO, retention, and export settings aligned with your internal policies.
  • Train your workforce and maintain your own HIPAA policies and procedures.

Contact

InnuCloud Experts Inc. (MigiHub)
2020 Trans-Canada Hwy, Dorval, Quebec H9P 2N4, Canada
Email: [email protected]
