Patient Privacy 2017-05-31T13:26:06+00:00

Phreesia is a company built on your trust

We are committed to the privacy and security of our users’ data. Our administrative, technical and physical safeguards are designed to secure and protect patient-related health and financial information.

Under the Health Insurance Portability and Accountability Act (HIPAA), Phreesia is a “business associate,” which is defined as an individual or entity that is not a member of the covered entity’s workforce and performs (on behalf of the covered entity—i.e. the practice) certain functions or activities involving the use or disclosure of protected health information (PHI). As a business associate, Phreesia is subject to, and committed to, all applicable HIPAA privacy and security requirements.

Phreesia’s Privacy and Security Procedures

Among other things, Phreesia’s privacy and security procedures include the following:

  • Phreesia does not sell, rent, disclose or use PHI without patient authorization or unless permitted or required by law.
  • PHI is secured through password protection and is accessible within a practice only by users who have been authorized by the practice.
  • Phreesia employs security measures to store and protect PHI. PHI is firewall-protected and is under electronic surveillance 24 hours a day, 7 days a week.
  • PHI is never stored on the PhreesiaPad. Therefore, if a PhreesiaPad is lost or stolen, no PHI is compromised as a result.
  • PHI transmitted between the Phreesia Platform and Phreesia’s data centers is protected using industry-standard TLS (256-bit AES keys).
  • PhreesiaPads are configured from the factory to use WPA2 encryption, using the AES algorithm.
  • Patient data is stored in a highly secured data center, protected by multi-layer security. This means:
    • The servers that house the data are stored in a secured building with multiple layers of physical security.
    • At the network level, these servers are placed in a secure subnet and protected by firewalls.
    • Front-end servers and database servers are on physically different networks and have limited connectivity.
    • The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
    • Within the database server, the data is stored in an encrypted form.
  • Patient data is stored using AES encryption, with a key size of 256 bits.

Phreesia is PCI Level 1 compliant. Phreesia is listed on the up-to-date lists of PCI Level 1 service providers for both Visa and MasterCard.

Policy Updates

To best serve our users, we continually update our privacy policy, and we recommend that you occasionally revisit this policy page to obtain our up-to-date information. The date of the latest update is always noted at the bottom of the page.

If you have any questions or comments about this policy or any concern about privacy at Phreesia or the use of this site in general, please contact us by email at or send correspondence to the following address:

432 Park Ave South, 12th Floor, New York, NY 10016, Attn: Privacy Officer