Phreesia is a company built on your trust

We are fully committed to the privacy and security of our users’ data. Our administrative, technical and physical safeguards are designed to secure and protect patient-related health and financial information.

Under the Health Insurance Portability and Accountability Act (HIPAA), Phreesia is defined as a “business associate,” which is an individual or entity that is not a member of the “covered entity’s” (i.e., the healthcare provider’s) workforce, and performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. As a business associate, Phreesia is subject to, and committed to, all applicable HIPAA privacy and security requirements.

Phreesia’s Privacy and Security Procedures

Phreesia’s privacy and security procedures include the following safeguards:

  • Phreesia does not sell, rent, disclose or use PHI without patient authorization or unless permitted or required by law.
  • PHI is secured through password protection and can only be accessed by authorized users within the healthcare practice.
  • PHI is firewall-protected and under electronic surveillance 24 hours a day, seven days a week.
  • PHI is never stored on PhreesiaPads, so if a Pad is lost or stolen, no PHI will be compromised.
  • PHI transmitted between the Phreesia platform and Phreesia’s data centers is protected using industry-standard TLS (256-bit AES keys).
  • PhreesiaPads are configured from the factory to use WPA2 encryption and the AES algorithm.
  • Patient data is stored in a highly-secured data center, protected by multi-layer protocols. This means:
    • The servers that house the data are stored in a secured building with multiple layers of physical security.
    • At the network level, these servers are placed in a secure subnet protected by firewalls.
    • Front-end servers and database servers are on physically different networks and have limited connectivity.
    • The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
    • Within the database server, data is stored in an encrypted form.
    • Patient data is stored using AES encryption with a key size of 256 bits.

Phreesia is HITRUST-certified, SOC 2-certified, and PCI Level 1-compliant. Phreesia also is listed on the most current lists of PCI Level 1 service providers for both Visa and Mastercard.

Policy Updates

To best serve our users, we continually update our privacy policy, and we recommend that you occasionally revisit this policy page to ensure that you have the most up-to-date information. The date of the most recent update is always noted at the bottom of the page.


If you have any questions or comments about this policy, or concerns about Phreesia’s privacy processes, or the use of this site in general, please contact us by email at or send correspondence to:

Phreesia, Inc.
Attn: Privacy Officer
432 Park Ave South, 12th Floor
New York, NY 10016,