Skip to main content
Latched

HIPAA Compliance

Last updated: April 11, 2026

Our Commitment

Latched Services is a HIPAA-compliant telehealth platform. We are committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and applicable state laws.

What is PHI?

Protected Health Information (PHI) includes any individually identifiable health information that is created, received, maintained, or transmitted in connection with health care services. This includes names, dates of birth, contact information, health conditions, treatment records, and billing information when linked to a specific individual.

How We Protect Your Information

Encryption at Rest & in Transit

All PHI is encrypted using AES-256-GCM encryption at rest and TLS 1.3 for data in transit. Sensitive fields (date of birth, addresses, insurance information, tax IDs) are individually encrypted before database storage.

Access Controls

Role-based access control (RBAC) ensures that users can only access information relevant to their role. Parents see their own records. Consultants see records for their active clients. Administrators have audited access for support and compliance purposes.

Audit Logging

Every access to PHI is logged with timestamps, user identifiers, and action types. Audit logs are retained for a minimum of 6 years in compliance with HIPAA requirements. Logs never contain PHI themselves — only references to record identifiers.

Secure Video Sessions

Telehealth video sessions are conducted through HIPAA-compliant infrastructure with end-to-end encryption. Video sessions are not recorded or stored. Session metadata (start time, duration, participants) is logged for billing and compliance purposes only.

Infrastructure Security

Our platform runs on Microsoft Azure with HIPAA-eligible services. Database credentials are stored in Azure Key Vault. Authentication is handled through Microsoft Entra External ID with session timeouts and secure token management.

Business Associate Agreements

We maintain Business Associate Agreements (BAAs) with all third-party service providers that may access PHI, including:

  • Microsoft Azure (cloud infrastructure and database hosting)
  • Twilio (HIPAA-compliant video communication)
  • Stripe (payment processing)
  • Microsoft Entra External ID (authentication)

Minimum Necessary Standard

We follow the HIPAA Minimum Necessary Standard, ensuring that access to PHI is limited to the minimum amount of information needed to accomplish the intended purpose. Our platform is designed so that each user role only has access to the specific data they need.

Breach Notification

In the unlikely event of a data breach involving PHI, we will notify affected individuals within 60 days as required by the HIPAA Breach Notification Rule. We will also notify the U.S. Department of Health and Human Services (HHS) and, if applicable, prominent media outlets as required by law.

Your Rights Under HIPAA

As a user of our platform, you have the right to:

  • Access your PHI and request copies of your records
  • Request corrections to inaccurate information
  • Request restrictions on how your PHI is used or disclosed
  • Receive an accounting of disclosures of your PHI
  • Request confidential communications through alternative means
  • File a complaint if you believe your privacy rights have been violated

Consultant Responsibilities

Lactation consultants on our platform are independent contractors responsible for maintaining their own HIPAA compliance. By using the Latched platform, consultants agree to handle all client information in accordance with HIPAA requirements, including proper documentation, secure communication, and appropriate use of PHI.

Contact Us

If you have questions about our HIPAA compliance practices, wish to exercise your rights, or need to report a potential privacy concern, please contact us:

Privacy Officer

Latched Solutions LLC

992 S 4th St, Ste 100, PMB 407, Brighton, CO 80601

Email: privacy@latchedservices.com

For our full privacy practices, see our Privacy Policy. For terms of use, see our Terms of Service.