HIPAA Notice of Privacy Practices
This notice describes how Nūr Evoke supports the protection of Protected Health Information (PHI) and the responsibilities of Nūr Evoke (designed by Nur Behavioral Health) as a HIPAA Business Associate. Your organization (the Covered Entity) is responsible for providing patients with its own Notice of Privacy Practices.
1. Our role
When we process PHI on behalf of a Covered Entity, we do so as a Business Associate under a signed Business Associate Agreement (BAA), and only as permitted by that BAA and HIPAA.
2. Safeguards
- Encryption — PHI is encrypted at rest (AWS KMS) and in transit (TLS 1.2+).
- Access control — unique per-user logins via AWS Cognito with multi-factor authentication; role-based access scoped to each organization; session timeouts. No passwords are stored in our database.
- Audit controls — access to, and changes to, PHI-bearing records are recorded in an audit log.
- HIPAA-eligible infrastructure — PHI is hosted only on HIPAA-eligible AWS services.
- Minimum necessary — the Service is designed to limit PHI to what is needed for the task.
3. Business Associate Agreements
We maintain BAAs with our subprocessors that handle PHI (for example, AWS and Google Workspace), and we enter into a BAA with each Covered Entity organization we serve.
4. Breach notification
In the event of a breach of unsecured PHI, we will notify the affected Covered Entity in accordance with HIPAA and the applicable BAA, without unreasonable delay.
5. Individual rights
HIPAA rights — access, amendment, accounting of disclosures, restrictions, and confidential communications — are administered by the Covered Entity (your provider). We support the Covered Entity in fulfilling these requests. Patients should contact their provider directly.
6. Contact
Privacy/security questions: info@nurbhealth.com, Liyakhat Khan, 316 E Bloomingdale Ave, Brandon, FL 33511.
