Solutions
Electronic Health Records Practice Management Revenue Cycle Management Population Health Payer Solutions Life Sciences Enterprise ERP
Our Clients
Independent Practices Medical Specialties Hospitals & Health Systems Payers Life Sciences
Insights
Market Themes Resources Thought Leadership
Company
Who We Are Newsroom Join Us Contact Us
Request a Demo
Legal

HIPAA Notice of Privacy Practices

Effective Date

This Notice of Privacy Practices is effective January 1, 2026 and applies to Veradigm Inc. and its covered entity clients that have executed a Business Associate Agreement (BAA) with Veradigm.

Our Role Under HIPAA

Veradigm serves as a Business Associate under HIPAA for healthcare organizations (Covered Entities) that use our clinical platforms. As a Business Associate, we:

  • Use and disclose Protected Health Information (PHI) only as permitted by our BAA and HIPAA regulations
  • Implement appropriate administrative, physical, and technical safeguards to protect PHI
  • Report security incidents and breaches to the Covered Entity as required by law
  • Ensure our subcontractors who access PHI also execute Business Associate Agreements

Permitted Uses and Disclosures of PHI

We may use and disclose PHI to the extent necessary to provide services to Covered Entities, including:

  • Providing and maintaining EHR, Practice Management, and Population Health platforms
  • Technical support and troubleshooting that requires access to PHI
  • Data aggregation and de-identification for analytics (with appropriate safeguards)
  • Legal and compliance activities as required by law

Safeguards We Maintain

Veradigm maintains a comprehensive HIPAA Security Program including:

  • HITRUST CSF Certification for our core clinical platforms
  • SOC 2 Type II audits conducted annually by independent third parties
  • End-to-end encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and minimum-necessary access policies
  • Annual workforce training on HIPAA Privacy and Security rules
  • Business Continuity and Disaster Recovery with 99.9% uptime SLA

Breach Notification

In the event of a security incident involving PHI, Veradigm will notify the affected Covered Entity within the timeframes required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). Notification will include the nature of the breach, PHI involved, steps taken to mitigate, and recommendations for affected individuals.

Your Rights as a Patient

If you are a patient whose healthcare provider uses Veradigm, your HIPAA rights (access to records, amendment requests, accounting of disclosures, etc.) are managed by your healthcare provider, not by Veradigm directly. Please contact your provider’s privacy officer to exercise your rights.

Contact Our Privacy Officer

Veradigm Privacy Officer
222 Merchandise Mart Plaza, Suite 2024
Chicago, IL 60654
hipaa@veradigm.com · (800) 334-8534

To request a copy of our Business Associate Agreement template, contact your Veradigm account representative or email legal@veradigm.com.