HIPAA compliance at Exclaimer

Exclaimer is a HIPAA business associate. We sign Business Associate Agreements (BAAs) with U.S. healthcare customers who request one, and we implement the administrative, physical, and technical safeguards required of business associates under the HIPAA Security Rule (45 CFR Part 164, Subpart C).

For our full HIPAA documentation, including the BAA process and supporting evidence, visit the Exclaimer Trust Center.

How does Exclaimer meet HIPAA requirements?

Requirement – How Exclaimer meets it

Business associate status – Operates as a HIPAA business associate

Business Associate Agreements – Signs BAAs with U.S. healthcare customers on request

PHI handling – Processes PHI in transit only, with no persistent storage of email content

Security Officer designation – Designates Karl Bagci as HIPAA Security Officer under 45 CFR § 164.308(a)(2)

Independent audit – Operates controls audited under SOC 2 Type II by BARR Advisory

HIPAA and Exclaimer's role

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that protects sensitive patient health information.

Exclaimer processes emails on behalf of its customers. When those customers are U.S. healthcare organizations, the emails passing through our platform may contain Protected Health Information (PHI). That brings Exclaimer within the scope of HIPAA as a business associate.

It's your responsibility to determine whether HIPAA applies to your organization and your use of Exclaimer. Where it does, our role and obligations are set out in a Business Associate Agreement.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a legally required contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI and requires the business associate to implement appropriate safeguards.

How Exclaimer handles Protected Health Information 

We process emails in transit to apply the correct signature. Messages pass through our platform, the signature is applied in memory, and the message is returned to the customer's mail flow without being stored. There are no archives of processed emails, and no mechanism for Exclaimer personnel to access email content. 

For U.S. healthcare customers, that means any PHI contained in an email passes through Exclaimer in transit only. It isn't retained, indexed, or accessible to our teams, which aligns with the HIPAA Security Rule's requirement that ePHI be protected against unauthorized access and disclosure. 
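To make the processing model above concrete, here is an added example (illustrative code written for this page, not Exclaimer's implementation) of a mail-flow hop that takes a raw RFC 5322 message as bytes, appends a signature to the text/plain and text/html parts in memory, and returns the re-serialised message together with an audit record that deliberately carries no message content. The signature text, the `build_sample()` message and the choice of audited header fields are assumptions for the example; the point it demonstrates is that the message never touches disk and that operational logging can be kept free of PHI.

```python
"""In-memory signature insertion with a PHI-free audit record (added example)."""
import time
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical signature content (an assumption for this example).
SIGNATURE_TEXT = "-- \nJane Doe, Clinic Example\n"
SIGNATURE_HTML = '<p class="sig">Jane Doe, Clinic Example</p>'

# Header fields the audit record may carry. Subject, From and To are excluded on
# purpose: free-text headers and recipient addresses can themselves reveal PHI.
AUDIT_HEADERS = ("Message-ID",)


def text_parts(raw: bytes) -> dict:
    """Decode every text/plain and text/html leaf of a message, keyed by type."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        part.get_content_type(): part.get_content()
        for part in msg.walk()
        if not part.is_multipart()
        and part.get_content_type() in ("text/plain", "text/html")
    }


def apply_signature(raw: bytes) -> tuple:
    """Return (signed_message_bytes, audit_record).

    The message is parsed, modified and re-serialised entirely in memory; the
    only persistent output a caller should keep is the audit record, which
    describes the operation without quoting any body or free-text header.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            # set_content() clears the old payload and re-encodes the new text.
            part.set_content(part.get_content() + "\n" + SIGNATURE_TEXT)
            signed.append(ctype)
        elif ctype == "text/html":
            part.set_content(part.get_content() + SIGNATURE_HTML, subtype="html")
            signed.append(ctype)
    out = msg.as_bytes()
    record = {
        "event": "signature_applied",
        "ts": int(time.time()),
        "bytes_in": len(raw),
        "bytes_out": len(out),
        "parts_signed": signed,
    }
    for name in AUDIT_HEADERS:
        record[name.lower().replace("-", "_")] = str(msg.get(name, ""))
    return out, record


def build_sample() -> bytes:
    """Constructed sample message (not real traffic) containing PHI-like text."""
    m = EmailMessage()
    m["From"] = "nurse@clinic.example"
    m["To"] = "patient@example.net"
    m["Subject"] = "Your appointment"
    m["Message-ID"] = "<sample-0001@clinic.example>"
    m.set_content("Hi Pat, your MRI is scheduled for Monday.\n")
    m.add_alternative("<p>Hi Pat, your MRI is scheduled for Monday.</p>", subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    signed_bytes, audit = apply_signature(build_sample())
    print(audit)            # no "MRI", no addresses, no subject line
    print(signed_bytes.decode())
```

The audit record is what a reviewer should ask to see: message identifier, sizes, which parts were touched, and a timestamp are enough for monitoring and incident reconstruction, while the body and the free-text headers that could carry PHI are never copied out of the in-memory message.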

Message traffic is encrypted in transit with TLS, and the data we do store (account and configuration data, not message content) is encrypted at rest with AES-256, in line with the HIPAA Security Rule's transmission security and encryption implementation specifications.

How do I get a Business Associate Agreement from Exclaimer?

If your use of Exclaimer involves PHI, request a BAA through the Exclaimer Trust Center. Our security team can also walk you through the agreement and the supporting documentation directly. 

Exclaimer’s HIPAA Security Officer 

HIPAA requires every covered entity and business associate to identify a security official responsible for developing and implementing the policies and procedures that protect PHI (45 CFR § 164.308(a)(2)). Exclaimer refers to this role as its HIPAA Security Officer.

Exclaimer's designated HIPAA Security Officer is Karl Bagci, Director of IT and Information Security. He oversees our HIPAA compliance program. 

For HIPAA-specific questions, contact our security team at [email protected].

What HIPAA Security Rule safeguards does Exclaimer implement?

Exclaimer operates the administrative, physical, and technical safeguards required of business associates under the HIPAA Security Rule. These controls form part of our broader information security program.

Specific controls Exclaimer implements include:

  1. Access controls – Role-based access restricting administrative access to the systems that process PHI to authorized personnel only

  2. Audit logging – Comprehensive logging of system activity for security monitoring

  3. Encryption – TLS for data in transit and AES-256 encryption at rest

  4. Intrusion prevention – Network security controls to detect and prevent unauthorized access

  5. Security awareness training – Regular HIPAA and security training for all personnel

That program is independently audited under our SOC 2 Type II attestation, which covers Security, Availability, and Confidentiality. The most recent audit was completed in February 2026 by BARR Advisory. 

Where can I find Exclaimer's HIPAA documentation and BAA?

For HIPAA-specific evidence, including our Business Associate Agreement, supporting policies, and the audit reports that back our security program, visit the Exclaimer Trust Center. It also holds pre-completed responses to the security and compliance questions buyers ask most often during vendor review. 

If you need documentation or context we haven't published, our security team can help directly.


Frequently asked questions about Exclaimer and HIPAA

Is Exclaimer HIPAA compliant?

Yes. Exclaimer operates as a HIPAA business associate and implements the administrative, physical, and technical safeguards required under the HIPAA Security Rule (45 CFR Part 164, Subpart C). Note that HHS does not certify HIPAA compliance, so the evidence to review is the BAA, the supporting policies, and the SOC 2 Type II report available in the Trust Center.

Talk to Exclaimer's security team

For specific HIPAA questions, BAA terms, or anything our public documentation doesn't cover, our security team is available to talk through your review directly.
