HIPAA Compliance
Last updated: 12/25/2025
1. Our Commitment to HIPAA Compliance
Congressly.io is committed to maintaining the highest standards of data security and privacy for medical congress organizers and their participants. While our platform primarily handles congress registration and abstract submission data, we recognize the importance of HIPAA (Health Insurance Portability and Accountability Act) compliance in the healthcare industry and have implemented comprehensive safeguards.
2. Administrative Safeguards
We have implemented administrative safeguards to protect electronic protected health information (ePHI):
- Security management process with regular risk assessments and mitigation strategies
- Designated security officials responsible for developing and implementing security policies
- Workforce training and management programs ensuring all staff understand HIPAA requirements
- Information access management with role-based access controls
- Security incident procedures for identifying, responding to, and reporting security incidents
- Contingency planning including data backup, disaster recovery, and emergency mode operations
- Business associate agreements with all third-party service providers
3. Physical Safeguards
Our platform implements physical safeguards to protect systems and equipment:
- Facility access controls limiting physical access to data centers and equipment
- Workstation security policies ensuring proper use and positioning of workstations
- Device and media controls for secure disposal, reuse, and accountability of hardware
- Hosting infrastructure with SOC 2 Type II and ISO 27001 certifications
4. Technical Safeguards
We employ robust technical safeguards to secure electronic protected health information:
- Access controls with unique user identification, emergency access procedures, and automatic logoff
- Audit controls to record and examine activity in systems containing ePHI
- Integrity controls to ensure ePHI is not improperly altered or destroyed
- Transmission security using TLS 1.3 encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication for administrative access
- Regular security updates and vulnerability patching
5. Data Encryption and Security
All data transmitted to and from our platform is encrypted in transit using the industry-standard TLS 1.3 protocol. Data at rest is encrypted using AES-256. We maintain secure key management practices and regularly rotate encryption keys. Database backups are encrypted and stored in geographically distributed locations to ensure business continuity.
6. Breach Notification
In the event of a breach of unsecured protected health information, we will notify affected parties and the Secretary of Health and Human Services within 60 days of discovery, as required by the HIPAA Breach Notification Rule. Our incident response plan includes procedures for containment, investigation, notification, and remediation of security incidents.
7. Business Associate Agreements
We execute Business Associate Agreements (BAAs) with congress organizers who handle protected health information through our platform. These agreements outline the permitted uses and disclosures of ePHI, safeguarding requirements, and breach notification obligations. Congress organizers are responsible for obtaining appropriate authorizations from their participants.
8. Data Retention and Disposal
Protected health information is retained in accordance with applicable regulations and congress organizer requirements. When data is no longer needed, it is securely disposed of using methods that render it unreadable and undecipherable, including cryptographic erasure and secure deletion protocols.
9. Regular Audits and Assessments
We conduct regular security risk assessments and compliance audits to identify vulnerabilities and ensure ongoing HIPAA compliance. Our security practices are reviewed and updated as necessary to address emerging threats and changes in regulatory requirements. Third-party security audits are performed annually.
10. Training and Awareness
All team members receive comprehensive HIPAA training upon hire and annually thereafter. Training covers privacy and security regulations, proper handling of ePHI, incident reporting procedures, and the consequences of non-compliance. We maintain documentation of all training activities.
11. Contact Information
For questions regarding HIPAA compliance, to request a Business Associate Agreement, or to report a security concern, please contact our Security and Privacy Officer at: contact@congressly.io
12. Updates to This Policy
We reserve the right to update this HIPAA Compliance statement as needed to remain compliant with applicable regulations and to reflect changes in our security practices. Material changes will be communicated to congress organizers and posted on our website.