
HIPAA Compliance Notice

Last Updated: October 2025

Our Commitment to Your Privacy

At Recovery Ecosystem (operated by Orbiit Services Inc.), we take the privacy and security of your health information seriously. Our platform is designed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

This page provides information about how we protect your Protected Health Information (PHI) and our compliance with federal healthcare privacy laws.

HIPAA Compliance Status

Recovery Ecosystem is HIPAA-ready and maintains 90%+ HIPAA Security Rule coverage.

Our compliance program includes:

  • Administrative Safeguards: Comprehensive policies for security management, workforce training, and incident response
  • Physical Safeguards: Azure SOC 2 Type II certified data centers with endpoint security controls
  • Technical Safeguards: Encryption at rest and in transit, role-based access control, audit logging, and secure authentication
  • Organizational Requirements: Business Associate Agreements (BAAs) with all third-party service providers

How We Protect Your Health Information

Encryption

All data is encrypted both in transit (using TLS 1.3) and at rest (using database-level encryption). This ensures your information is protected whether it's being transmitted over the internet or stored in our systems.

Access Controls

We implement role-based access control (RBAC) to ensure that only authorized personnel can access your health information, and only to the extent necessary for treatment, payment, or healthcare operations.

Audit Logging

Our systems maintain comprehensive audit logs of all access to protected health information, enabling us to detect and investigate any unauthorized access attempts.

Secure Authentication

Staff members access the system through Single Sign-On (SSO) with multi-factor authentication (MFA), and patients receive secure magic links via SMS that expire after use.

Your Rights Under HIPAA

Under HIPAA, you have the following rights regarding your health information:

  • Right to Access: You can request and receive a copy of your health information
  • Right to Amend: You can request corrections to your health information
  • Right to an Accounting: You can request a list of certain disclosures of your health information
  • Right to Request Restrictions: You can request limits on how we use or disclose your information
  • Right to Confidential Communications: You can request that we communicate with you in specific ways
  • Right to a Paper Copy of This Notice: You can request a paper copy of our privacy practices

SMS Communications and Patient Authorization

With your explicit authorization, we communicate with you and your designated care team via SMS text messaging. These communications may include:

  • Recovery Content Delivery: Daily lessons and resources delivered via secure links
  • Crisis Alerts: Emergency notifications to your clinical care team when you activate crisis support
  • Access Invitations: Messages to family members, parole officers, or support persons you designate to view your recovery progress
  • Administrative Notifications: Program updates and milestone celebrations

Your consent is required before we send any SMS communications. You can opt out of SMS messages at any time by replying STOP or contacting privacy@myorbiit.com. Standard SMS rates may apply from your carrier.

Information Sharing with Your Consent

With your explicit authorization, you may choose to share your recovery progress and engagement metrics with:

  • Family members you designate
  • Parole officers or case managers (for court-ordered monitoring)
  • Other support persons you identify

You maintain full control over who receives access, what information they can view, and how long access remains active, and you can revoke access at any time.

Third-Party Service Providers

We work with trusted third-party service providers to deliver our platform. Where required, we enter into Business Associate Agreements (BAAs) to ensure these providers maintain appropriate protections for your health information:

  • Microsoft Azure: Cloud infrastructure and database hosting. BAA execution in progress (meeting scheduled November 2025). All patient data is stored in SOC 2 Type II certified, HIPAA-compliant data centers with encryption at rest and in transit.
  • Twilio: SMS delivery service for recovery content, crisis alerts, and care coordination. SMS communications are sent with your explicit authorization. Twilio processes phone numbers and limited identifiers (first names) for message delivery. All sensitive health information is accessed only through secure, authenticated links.

Our use of SMS for crisis communications follows HIPAA guidelines for treatment coordination, where healthcare providers may share limited information necessary for patient care. Your authorization covers these communications, and you maintain control over who receives notifications.

Breach Notification

In the unlikely event of a breach of your protected health information, we will notify you and the appropriate authorities as required by federal law. Our incident response procedures are designed to:

  • Detect and respond to security incidents promptly
  • Mitigate harmful effects of any breach
  • Document and report incidents as required
  • Prevent future occurrences through corrective action

Questions or Concerns

If you have questions about our HIPAA compliance practices or concerns about the privacy of your health information, please contact:

Privacy Officer

Orbiit Services Inc.

Email: privacy@myorbiit.com

Related Documents

For more information about how we handle your information, please review: