Nuvera Biomed
HIPAA Security Notice — Effective March 1, 2025 45 CFR Part 164, Subparts A & C
This HIPAA Security Notice describes the administrative, physical, and technical safeguards that PRX Tech LLC has implemented to protect Electronic Protected Health Information (ePHI) maintained and processed through the Prescribe Rx platform, in compliance with the HIPAA Security Rule (45 CFR Part 164, Subparts A and C) and the HITECH Act.
1. Overview and Scope

PRX Tech LLC is committed to protecting the confidentiality, integrity, and availability of all Electronic Protected Health Information (ePHI) that it creates, receives, maintains, or transmits in connection with the Prescribe Rx platform. This Security Notice applies to all workforce members, contractors, Business Associates, and technology systems that access, process, or store ePHI on behalf of the Company.

Our security program is built on three core principles mandated by the HIPAA Security Rule:

📋
Confidentiality

ePHI is not disclosed to unauthorized persons or processes

🔒
Integrity

ePHI is not altered or destroyed in an unauthorized manner

Availability

ePHI is accessible and usable on demand by authorized persons

NOTICE: Any workforce member, contractor, or third party who becomes aware of an actual or suspected security incident, breach, or unauthorized access to ePHI must immediately report it to the Security Officer at compliance@prescribe-rx.com or (678) 324-4763.
2. Administrative Safeguards

Administrative safeguards are policies, procedures, and managerial actions to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

2.1 Security Management Process
  • Risk Analysis: We conduct regular, thorough assessments of potential risks and vulnerabilities to ePHI, at least annually and following any significant operational or environmental changes
  • Risk Management: We implement security measures to reduce identified risks to a reasonable and appropriate level, documented in a formal Risk Management Plan
  • Sanction Policy: Workforce members who fail to comply with our security policies are subject to disciplinary action, up to and including termination
  • Activity Review: We regularly review audit logs, access reports, and security incident tracking reports
2.2 Security Officer

PRX Tech LLC has designated a Security Officer responsible for overseeing the development and implementation of security policies and procedures. Contact: compliance@prescribe-rx.com | (678) 324-4763.

2.3 Workforce Training and Management
  • All workforce members with access to ePHI receive HIPAA Security Rule training upon hire and at least annually thereafter
  • Training records are maintained for a minimum of six (6) years
  • Background checks are conducted on all personnel with access to ePHI
  • Workforce member access to ePHI is reviewed and updated upon role changes and revoked promptly upon termination
2.4 Information Access Management
  • Access to ePHI is granted based on the principle of minimum necessary
  • Formal access authorization procedures are in place and documented
  • Access rights are reviewed at least quarterly and updated as roles change
  • Privileged access is subject to additional controls and monitoring
2.5 Contingency Planning
  • Data Backup Plan: Regular automated backups of all ePHI, tested for recoverability
  • Disaster Recovery Plan: Documented procedures to restore ePHI operations in the event of an emergency
  • Emergency Mode Operation Plan: Procedures to enable continued access to ePHI during a crisis
  • Testing & Revision: Contingency plans are tested at least annually and revised as necessary
2.6 Business Associate Management

We execute Business Associate Agreements (BAAs) with all vendors and service providers that create, receive, maintain, or transmit ePHI on our behalf. BAAs require Business Associates to implement appropriate safeguards and report security incidents.

3. Physical Safeguards

Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and the facilities and equipment they reside in from unauthorized intrusion and environmental hazards.

3.1 Facility Access Controls

The Prescribe Rx platform is hosted entirely on Amazon Web Services (AWS) HIPAA-eligible cloud infrastructure. AWS data centers are protected by extensive physical security controls, including:

  • Perimeter security with professional security staff, surveillance, and intrusion detection systems
  • Restricted access requiring multi-factor physical authentication
  • Continuous monitoring of facility access with detailed access logs
  • Environmental controls including fire suppression, temperature management, and redundant power systems
3.2 Workstation Use and Security
  • Workforce members may only access ePHI from company-approved, security-configured workstations and devices
  • Workstations must be positioned to minimize unauthorized viewing (privacy screens required where applicable)
  • Automatic screen lock is enforced after a defined period of inactivity
  • Local storage of ePHI is prohibited unless on encrypted, approved devices
3.3 Device and Media Controls
  • All portable devices and removable media used to store ePHI must be encrypted using AES-256 or equivalent
  • ePHI is securely deleted or destroyed from devices and media before disposal, donation, or reuse
  • A formal inventory is maintained of all hardware and devices that access or store ePHI
4. Technical Safeguards

Technical safeguards are the technology and related policies and procedures that protect ePHI and control access to it.

4.1 Access Control
  • Unique User Identification: Every user is assigned a unique identifier; shared accounts are strictly prohibited
  • Automatic Logoff: System sessions automatically terminate after a defined period of inactivity
  • Encryption at Rest: All ePHI stored within the platform is encrypted at rest using AES-256
  • Emergency Access Procedure: Break-glass access controls exist with full audit trails
4.2 Audit Controls
  • All access to and modifications of ePHI are logged in immutable, tamper-evident audit logs
  • Audit logs capture user identity, timestamp, action taken, and data accessed
  • Audit logs are reviewed regularly by the Security Officer or designated personnel
  • Audit log data is retained for a minimum of six (6) years
  • Anomalous access patterns trigger automated alerts for immediate review
4.3 Integrity Controls
  • Checksums and hash verification are used to detect unauthorized alteration or destruction of ePHI
  • Version control and change management procedures ensure that modifications to ePHI are tracked and authorized
  • Database integrity checks are performed regularly
4.4 Transmission Security
  • All ePHI transmitted over electronic communications networks is encrypted in transit using TLS 1.2 or higher
  • Unencrypted transmission of ePHI is strictly prohibited
  • All API endpoints that process ePHI require authentication and enforce HTTPS
  • Network security controls including firewalls, IDS, and WAF protect ePHI in transit
4.5 AWS HIPAA-Eligible Infrastructure Stack

The Prescribe Rx platform is deployed on AWS infrastructure configured to meet HIPAA Security Rule requirements. Key services in use:

VPC + Private Subnets IAM (Least Privilege) KMS Encryption CloudTrail Audit Logs GuardDuty WAF + Shield AWS Config Security Hub Multi-Region Backups Point-in-Time Recovery
4.6 Authentication and Identity Management
  • Multi-factor authentication (MFA) is required for all administrative access and strongly encouraged for all user accounts
  • Password policies require minimum length, complexity, and regular rotation
  • Session tokens are short-lived and invalidated upon logout or inactivity
  • OAuth 2.0 and OpenID Connect protocols are used for secure authentication flows
  • One-time passcodes (OTP) delivered via SMS are used as an additional identity verification factor
5. Security Incident Response and Breach Notification
5.1 Security Incident Response

We maintain a formal Security Incident Response Plan including documented procedures for detecting and identifying potential security incidents, containing and eradicating the threat, recovering affected systems and data, documenting and analyzing the incident, and notifying affected parties and regulatory authorities as required by law.

All actual or suspected security incidents must be reported immediately to the Security Officer at compliance@prescribe-rx.com or (678) 324-4763.

5.2 Breach Notification

In the event of a breach of unsecured ePHI, we will comply with all HIPAA Breach Notification Rule requirements (45 CFR §§ 164.400–414), including:

  • Individual Notification: Affected individuals will be notified no later than 60 calendar days after discovery of the breach
  • Media Notification: If a breach affects more than 500 residents of a state, we will provide notice to prominent media outlets in that state
  • HHS Notification: Breaches affecting 500 or more individuals will be reported immediately; smaller breaches will be reported annually
  • Business Associate Notification: Business Associates will notify us of breaches no later than 60 days after discovery
6. Organizational and Policy Requirements
6.1 Policies and Procedures

We maintain comprehensive written HIPAA security policies and procedures, updated at least annually and following significant changes to operations or the regulatory environment. Policies and procedures are retained for a minimum of six (6) years from the date of creation or last effective date, whichever is later.

6.2 Documentation

All actions, activities, and assessments required by the HIPAA Security Rule are documented and retained in accordance with applicable retention requirements. Documentation is available for review upon request by authorized personnel and regulatory authorities.

6.3 Periodic Review

Security policies, procedures, and safeguards are reviewed and updated periodically and in response to: environmental or operational changes affecting ePHI security; newly identified risks or vulnerabilities; security incidents or breaches; and changes in applicable laws, regulations, or guidance from HHS.

7. User Responsibilities

As a user of the Platform, you play an important role in protecting the security of ePHI. You agree to:

  • Maintain the confidentiality of your account credentials and never share your username, password, or MFA codes with any person
  • Log out of your account when not in use and on shared or public devices
  • Use only approved, secure devices and networks to access the Platform
  • Promptly report any suspected unauthorized access to your account or ePHI to the Security Officer
  • Not attempt to access, copy, or disclose ePHI beyond the scope of your authorized access
  • Comply with all applicable HIPAA requirements in your use of the Platform
8. Security Officer Contact

For questions about this Security Notice, to report a security incident, or to request information about our security program:

Company PRX Tech LLC
Platform Prescribe Rx
Security Officer Email compliance@prescribe-rx.com
Phone (678) 324-4763
Address 30 N Gould St STE R, Sheridan, WY 82801
This HIPAA Security Notice is effective as of March 1, 2025. PRX Tech LLC reserves the right to update this notice at any time to reflect changes in our security practices or applicable law. Material changes will be communicated to affected parties.