
HIPAA Compliance Policy

Last Updated: November 2025

Bridge Social, Inc. (“Bridge”) provides secure communication and engagement tools for aging-services organizations, government agencies, nonprofits, and community programs. Some Customers may use Bridge in connection with health-related information. This HIPAA Policy explains how Bridge supports HIPAA compliance through technical, administrative, and operational safeguards.

This policy applies to Bridge’s platform, infrastructure, and data-handling practices. It does not replace or supersede the terms of any executed Business Associate Agreement (BAA). In the event of a conflict, the BAA controls.

1. HIPAA Compliance Overview

Bridge supports HIPAA compliance for Customers who qualify as Covered Entities or Business Associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Bridge:

  • Executes BAAs upon request for eligible Customers

  • Implements safeguards required under the HIPAA Security Rule

  • Processes Protected Health Information (“PHI”) only as directed by the Customer

  • Does not use PHI to train public AI models

  • Does not sell, disclose, or re-purpose PHI

  • Acts as a Business Associate only when a Customer signs a BAA

Customers without a BAA should not transmit PHI through the platform.

2. Scope of Protected Health Information (PHI)

PHI may include personal or health-related information shared by individuals when interacting with an Agency’s phone number or participating in wellness, caregiver, case management, or social-service programs.

Bridge does not collect PHI on public landing pages or referral pages.

PHI is only processed when an individual initiates communication with the Agency or provides information through Agency-directed workflows.

3. Technical Safeguards

Bridge implements industry-standard technical safeguards, including:

3.1 Encryption

  • Data in transit encrypted with TLS 1.2+

  • Data at rest encrypted using industry-standard encryption

3.2 Access Controls

  • Multi-factor authentication for Bridge staff

  • Role-based access for PHI

  • Periodic access reviews

3.3 Infrastructure Security

  • Secure hosting on enterprise-grade cloud platforms

  • Firewall protection and network segmentation

  • Continuous infrastructure monitoring

3.4 Logging and Auditing

  • Access logging for sensitive data

  • Administrative activity recording

  • Audit logs available upon request

3.5 PHI-Safe Messaging Models

Bridge supports two PHI-safe approaches:

A. Secure Link Model

PHI is not sent over SMS. Instead, recipients access sensitive data via secure, authenticated web links with:

  • Phone-based code verification

  • Session expiration

  • Audit logging

B. Direct PHI Messaging in SMS

Permitted only when:

  • A BAA is in place

  • Customer explicitly enables the feature

  • Customer confirms they obtain and maintain user consent

  • Messaging occurs through a HIPAA-enabled SMS vendor (e.g., Twilio under BAA)

4. Administrative Safeguards

Bridge maintains the following administrative controls:

4.1 Security Program

  • Annual policy reviews

  • Employee HIPAA training

  • Vendor risk assessments

4.2 Incident Response

Bridge maintains a documented incident response plan covering:

  • Timely investigation

  • Documentation and remediation

  • Customer notification

  • Corrective action plans

4.3 Workforce Controls

  • Least-privilege access

  • Background checks where relevant

  • Confidentiality agreements for all personnel

5. Physical Safeguards

Bridge uses secure cloud infrastructure with third-party certifications such as SOC 2 and ISO 27001. Bridge does not store PHI on local office hardware.

6. Subprocessors

Bridge may use third-party subprocessors to deliver the Services. Examples include:

  • Cloud hosting providers

  • HIPAA-enabled SMS delivery providers

  • Security and monitoring tools

Bridge executes BAAs where required and maintains a list of subprocessors available upon request.

7. Breach Notification

If Bridge becomes aware of a suspected or confirmed breach of unsecured PHI, Bridge will:

  • Notify the Customer without unreasonable delay

  • Provide information about the nature and scope of the breach

  • Assist the Customer with mitigation and compliance obligations

Bridge does not notify end users directly unless required by contract.

8. Customer Responsibilities

Customers that use Bridge to process PHI agree to:

  • Sign a BAA with Bridge prior to sending PHI

  • Obtain and maintain all necessary user consents

  • Train their staff on HIPAA-compliant use

  • Configure communications appropriately (e.g., using secure links when preferred)

  • Maintain their own device and systems security

  • Notify Bridge of any unauthorized access

9. Transition of Responsibility (Agency vs. Bridge)

When an individual texts, calls, or interacts with an Agency’s phone number:

  • The Agency is the owner and operator of that communication channel

  • The Agency’s Privacy Policy applies

  • Bridge processes data solely as a Business Associate

  • Bridge does not independently evaluate or control the content of messages

Bridge-hosted landing pages do not collect PHI.

10. Transmission of PHI via SMS With User Consent

HIPAA permits Covered Entities to send PHI through unencrypted channels (including SMS) when the individual has been informed of the risks and still prefers this form of communication (45 CFR § 164.522).

Bridge supports this model under the following conditions:

10.1 Customer Consent Responsibility

The Customer (Agency), not Bridge, is responsible for:

  • Obtaining user consent

  • Documenting that consent

  • Informing users of SMS-related risks

  • Retaining proof of consent per HIPAA retention rules

  • Directing Bridge to send PHI through SMS as part of their operations

Bridge does not obtain consent directly from end users unless contractually delegated.

10.2 Enabling PHI-in-SMS

Bridge permits transmission of PHI via SMS only when:

  • A BAA is executed

  • Customer has confirmed consent processes

  • Customer configures or enables SMS-PHI messaging in their settings

  • The workflow is supported by a HIPAA-eligible SMS subprocessor

  • Customer assumes responsibility for consent management

10.3 Recommended Consent Language

Agencies may use language similar to:

“Text messaging is not a fully secure method of communication and may be intercepted. Do you consent to receive information, including health-related details, via text message?”

10.4 SMS Opt-Out

Users can stop receiving messages by replying STOP at any time.

11. Contact for HIPAA Matters

For HIPAA questions, BAAs, or compliance requests:

Bridge Social, Inc.
Email: support@bridgesocial.io
