HIPAA Compliance

FlexShift, Inc. ("FlexShift") is committed to responsible data practices. This page explains how HIPAA applies — and does not apply — to the FlexShift platform, what obligations pharmacists and pharmacies retain independently, and how we protect the data that passes through our systems.

1. FlexShift's Role Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates, defined as vendors that create, receive, maintain, or transmit Protected Health Information (PHI) on a covered entity's behalf.

FlexShift is a staffing coordination platform, not a covered entity or business associate. Our platform facilitates scheduling, credentialing, payment, and communication between licensed pharmacists and pharmacies. We do not create, receive, maintain, or transmit PHI in connection with these functions. Accordingly, HIPAA does not apply to FlexShift as a covered entity or business associate, and we do not execute Business Associate Agreements (BAAs) in connection with standard platform use.

2. What FlexShift Does Not Process

The following types of information are explicitly outside the scope of FlexShift's platform and must never be transmitted through it:

• Patient names, dates of birth, or any other patient-identifying information;
• Prescription details, medication records, or dispensing histories;
• Medical diagnoses, treatment information, or clinical notes;
• Insurance information or pharmacy benefit manager (PBM) data;
• Any other information that constitutes PHI under 45 CFR § 160.103.

FlexShift's shift chat feature is designed for shift coordination only — confirming arrival times, parking, shift-specific logistics, and professional questions between a pharmacist and a pharmacy owner. It is not a clinical communication tool and must not be used as one.

3. Pharmacist Obligations

Licensed pharmacists are healthcare professionals and covered entity workforce members (or independent contractors) when practicing pharmacy. Your individual HIPAA obligations — including the duty to protect patient information you encounter during a shift — are yours to uphold at all times, regardless of how you obtained the shift.

Specifically, when working a shift sourced through FlexShift, you must:

• Follow all HIPAA policies of the pharmacy where you are working, as directed by that pharmacy's Privacy Officer;
• Refrain from removing, copying, photographing, or transmitting any PHI from the pharmacy's premises or systems;
• Never send patient information through FlexShift's chat system, email, or any other FlexShift communication channel;
• Report any suspected PHI breach to the pharmacy's Privacy Officer immediately, consistent with the pharmacy's breach notification procedures.

4. Pharmacy Owner Obligations

Pharmacies using FlexShift to source pharmacist coverage remain covered entities and are responsible for their own HIPAA compliance programs. As the site of care, the pharmacy is responsible for:

• Providing HIPAA orientation to all individuals working in the pharmacy, including shift pharmacists sourced through FlexShift;
• Granting access to pharmacy systems (dispensing software, patient records) only to the extent necessary for the pharmacist to perform their duties;
• Ensuring that shift pharmacists execute any workforce confidentiality agreements required by the pharmacy's policies;
• Managing any PHI breach response in accordance with 45 CFR §§ 164.400–414.

FlexShift is not a substitute for a pharmacy's internal HIPAA training, policies, or procedures.

5. Data We Do Collect — and How We Protect It

While FlexShift does not process PHI, we do collect and store non-clinical professional and operational data, including pharmacist license numbers, NPI numbers, shift records, and payment information. We protect this data with:

• Encryption in transit. All data exchanged between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest. Data stored in our databases and document storage (AWS S3) is encrypted using AES-256.
• Access controls. Role-based access controls restrict which employees and systems can access user data. Access is granted on a least-privilege basis.
• Audit logging. Access to sensitive records is logged and monitored for anomalous activity.
• Vendor due diligence. Third-party service providers (Stripe, AWS, Firebase) are evaluated for security posture and bound by data processing agreements.

6. No BAA Required — But We Take Security Seriously

Because FlexShift does not handle PHI, executing a Business Associate Agreement with FlexShift is neither required nor applicable under HIPAA. If your organization's compliance team has questions about our data handling or security practices, we are happy to provide documentation. Contact us at privacy@flexshift.org.

7. Reporting Concerns

If you believe a FlexShift user has shared PHI through our platform in violation of this policy, or if you have concerns about how FlexShift handles data, please contact us immediately:

FlexShift, Inc.
Florida, USA
privacy@flexshift.org

We take data protection seriously and will investigate all credible reports promptly.

8. Disclaimer

This page is provided for informational purposes only and does not constitute legal advice. Pharmacy owners and pharmacists should consult qualified legal counsel to assess their own HIPAA obligations. HIPAA requirements are complex and fact-specific; this summary is not a substitute for a thorough compliance review.