HIPAA — Generally Not Applicable
HIPAA does not apply to HQ Cortex's default product because we do not handle Protected Health Information.
Why this matters: HQ Cortex stores formulations, ingredient data, and batch records — none of which are individually identifiable health information. HIPAA only applies if HQ Cortex acts as a Business Associate of a Covered Entity (e.g., a hospital pharmacy compounding patient-specific doses) and creates, receives, maintains, or transmits PHI on its behalf. The default product is therefore not HIPAA-scoped. If a future pharmacy module produces patient-specific preparations, that workflow will be gated behind a tier requiring a signed BAA and PHI-specific safeguards.
We are not currently certified to this standard. The mapping below shows where our day-to-day controls already align.
Status legend
- SupportedWe can do this today.
- In progressPartially in place or actively in development.
- Not yet plannedNot yet started or not in scope.
Applicability
Default product does not handle PHI
SupportedHQ Cortex does not store names, addresses, diagnoses, or other identifiers tied to individual patients in its default workflows.
In HQ Cortex: Records describe products, formulations, suppliers, lots, and organizations — not patients.
45 CFR 160.103 (definition of PHI)
BAA-gated pharmacy mode (future)
Not yet plannedIf a customer compounds patient-specific preparations, HQ Cortex would become a Business Associate and must sign a BAA, implement HIPAA Security Rule safeguards, and apply breach-notification controls.
In HQ Cortex: Not in scope today.
45 CFR 164.308–164.318
Last reviewed: May 2026.