Compliance & Trust

Privacy & Security Policy

VialSwift is committed to protecting the privacy of our clients, their patients, and every individual whose health information we handle. This policy explains how we collect, use, safeguard, and disclose information in full compliance with federal and Texas state law.

HIPAA Compliant BAA Available Texas DSHS Registered Effective July 1, 2026

1. Introduction

VialSwift LLC ("VialSwift," "we," "our," or "us") operates a HIPAA-compliant medical courier service in the Houston, Texas metropolitan area. We transport biological specimens, pharmaceutical products, medical supplies, and documents on behalf of healthcare providers, clinical laboratories, hospitals, home-care organizations, and specialty pharmacies (collectively, "Covered Entity clients").

As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164), VialSwift is legally obligated to safeguard any Protected Health Information (PHI) we create, receive, maintain, or transmit on behalf of our Covered Entity clients.

This Privacy & Security Policy applies to all VialSwift employees, contractors, couriers, and third-party vendors who access PHI or systems containing PHI. It also describes our practices regarding information collected through our website (vialswift.com) and client-facing tracking tools.

2

HIPAA Compliance & Protected Health Information

What Constitutes PHI in Our Operations

PHI includes any individually identifiable health information we encounter in the course of a delivery โ€” including patient names on specimen labels, requisition forms, medical record numbers, dates of service, diagnoses, or any combination of identifiers that could reasonably identify a patient. VialSwift couriers are trained to treat all materials handled as if they contain PHI.

Permitted Uses and Disclosures

VialSwift uses and discloses PHI solely as required to carry out the transportation services described in our service agreements and Business Associate Agreements. We do not sell PHI, use it for marketing purposes, or disclose it to any third party except:

  • โ†’ To subcontractors who are themselves bound by a written Business Associate Agreement
  • โ†’ As required by law (e.g., law enforcement, public health authorities)
  • โ†’ To avert a serious threat to health or safety
  • โ†’ As directed in writing by the originating Covered Entity

Minimum Necessary Standard

VialSwift applies the HIPAA Minimum Necessary standard to all PHI access. Couriers receive only the pickup/delivery information required to complete the assigned transport โ€” not the underlying clinical data. Dispatch staff access only what is operationally required. Administrative access to full chain-of-custody records is role-restricted and audited.

3

Business Associate Agreement (BAA)

Before VialSwift handles any PHI on behalf of a Covered Entity, both parties execute a Business Associate Agreement that meets the requirements of 45 CFR ยง164.504(e). Our standard BAA covers:

โœ“Permitted uses and disclosures of PHI

โœ“Safeguard obligations (administrative, physical, technical)

โœ“Reporting obligations for breaches and security incidents

โœ“Patient rights โ€” access and amendment support

โœ“Subcontractor BAA requirements

โœ“Term and termination with PHI return or destruction

โœ“HHS inspection rights

โœ“Indemnification provisions

Request a BAA

To request our standard BAA template or discuss custom terms, contact us at compliance@vialswift.com. We target a 2-business-day turnaround on BAA execution for new clients. Note: Our BAA template is reviewed by healthcare counsel; material changes require legal review and may extend the timeline.

4

Data Security Safeguards

VialSwift implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) and follows NIST SP 800-66 guidance for healthcare organizations.

๐Ÿ› Administrative Safeguards

  • โ†’ Designated Privacy Officer and Security Officer roles
  • โ†’ Mandatory annual HIPAA training for all staff โ€” including couriers
  • โ†’ Background checks required for all employees handling PHI
  • โ†’ Role-based access controls: access limited to job function
  • โ†’ Security risk analysis conducted at least annually and after material system changes
  • โ†’ Sanctions policy for workforce HIPAA violations
  • โ†’ Contingency and disaster recovery plan in place

๐Ÿ”’ Physical Safeguards

  • โ†’ Temperature-controlled, tamper-evident transport containers for all specimens
  • โ†’ Locked vehicle storage โ€” PHI-containing materials never left unattended in vehicles
  • โ†’ No PHI stored on personal mobile devices โ€” company-issued devices only
  • โ†’ Secure document destruction (NAID-certified shredding) for any printed PHI
  • โ†’ Office access badge-controlled with visitor log
  • โ†’ Workstation use policies โ€” screens locked when unattended

๐Ÿ›ก Technical Safeguards

  • โ†’ AES-256 encryption at rest for all electronic PHI (ePHI)
  • โ†’ TLS 1.3 encryption in transit for all data transmissions
  • โ†’ Multi-factor authentication (MFA) required for all system access
  • โ†’ Audit logs maintained for all ePHI access and modifications โ€” retained 6 years
  • โ†’ Automatic session timeouts on all platforms
  • โ†’ GPS and dispatch systems hosted on HIPAA-eligible cloud infrastructure
  • โ†’ Penetration testing and vulnerability scans conducted annually
  • โ†’ Client tracking portal: read-only access with unique secure tokens per client
5

Chain-of-Custody Protocols

Maintaining an unbroken, auditable chain of custody is fundamental to specimen integrity and legal defensibility. Every VialSwift transport follows a documented custody protocol from pickup to delivery confirmation.

1

Pickup Authorization

Courier verifies identity of releasing party and confirms specimen manifest. Electronic signature captured.

2

Seal & Log

Specimens placed in tamper-evident, temperature-appropriate packaging. Barcode scanned into dispatch system. Temperature baseline recorded.

3

In-Transit Monitoring

Real-time GPS location broadcast. Temperature sensors log readings every 5 minutes. Any excursion triggers immediate courier alert and client notification.

4

Transfer of Custody

Any hand-off between couriers (e.g., relay routes) is documented with time, location, courier IDs, and electronic signatures from both parties.

5

Delivery Confirmation

Receiving party identity verified. Specimens inspected for seal integrity and temperature compliance. Electronic delivery receipt generated and transmitted to originating client within 60 seconds.

6

Record Retention

All chain-of-custody records, temperature logs, GPS traces, and delivery receipts retained for a minimum of 7 years (or as required by client contract) in encrypted storage.

Temperature Excursion Policy

If a temperature excursion is detected during transport, the courier is immediately notified, the specimen is quarantined, and the originating client lab director or designated contact is called within 15 minutes. A written excursion report is provided within 24 hours. The decision to accept, retest, or recollect the specimen rests with the client.

6

Website & Communications Privacy

Information We Collect on This Website

Our website does not collect PHI. We may collect the following non-PHI data:

  • โ†’Contact inquiries: Name, company, email, phone number, and message content submitted via our contact form or email. Used solely to respond to your inquiry.
  • โ†’Job applications: Resume and contact information submitted to careers@vialswift.com. Retained for up to 12 months unless you request deletion.
  • โ†’Analytics: Anonymized usage data (pages visited, referral source, browser type) via privacy-respecting analytics. No cross-site tracking or personal profiling.
  • โ†’Tracking portal: Tracking numbers entered in our /track tool are logged to facilitate the lookup. Logs are purged after 90 days.

Email Communications

Business-related email communications between VialSwift and Covered Entity clients are treated as potentially containing PHI and are handled under the security controls described in Section 4. We do not send PHI via standard unencrypted email without explicit written authorization from the Covered Entity.

Cookies

This website uses only essential functional cookies required to operate the tracking portal and contact forms. We do not use advertising cookies, third-party tracking pixels, or social media retargeting tags.

7

Breach Notification & Incident Response

VialSwift maintains a written Breach Notification Policy consistent with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and Texas Health & Safety Code ยง181.154.

Internal Response

โ‰ค 48 hours

Security Officer notified. Incident contained and documented. Forensic review initiated.

Covered Entity Notification

โ‰ค 60 days

Affected Covered Entity clients notified with incident description, PHI involved, and corrective actions.

HHS / State Notification

Per regulatory timeline

HHS Office for Civil Rights and Texas HHS notified per applicable thresholds and timelines.

To report a suspected security incident or privacy violation involving VialSwift, contact our Security Officer immediately at security@vialswift.com or call (713) 000-0000. Reports may also be made anonymously.

8

Texas State Privacy Laws

In addition to federal HIPAA requirements, VialSwift complies with applicable Texas state privacy laws:

  • โ†’Texas Health & Safety Code Chapter 181 (Texas Medical Records Privacy Act) โ€” We comply with all requirements for handling protected health information under Texas law, which in some areas is more stringent than federal HIPAA.
  • โ†’Texas Business & Commerce Code ยง521 โ€” We maintain a data security program to protect sensitive personal information of Texas residents from unauthorized access.
  • โ†’Texas Data Privacy and Security Act (TDPSA) โ€” For any consumer personal data we collect through our website or operations, we honor applicable rights including access, correction, and deletion requests.
9

Your Rights

As a Business Associate, VialSwift supports Covered Entity clients in honoring their patients' HIPAA rights. If you are a patient with questions about your health information, please contact your healthcare provider (clinic, lab, or hospital) directly โ€” they are the Covered Entity responsible for your Notice of Privacy Practices.

For non-PHI personal data collected through our website (contact inquiries, job applications, analytics), you may:

  • โ†’ Request a copy of the personal data we hold about you
  • โ†’ Request correction of inaccurate data
  • โ†’ Request deletion of your data (subject to legal retention obligations)
  • โ†’ Opt out of any future marketing communications

Submit requests to privacy@vialswift.com. We respond within 30 days.

10

Policy Updates

VialSwift reviews this Privacy & Security Policy at least annually and following any material change in our operations, systems, or applicable law. We will notify Covered Entity clients of material changes at least 30 days before the effective date via email to the designated compliance contact on file. The current effective date is displayed in the header of this page. Continued use of our services after the effective date constitutes acceptance of the revised policy.

11

Contact Our Privacy & Compliance Team

Privacy Officer

privacy@vialswift.com

Data rights, policy questions

Compliance / BAA

compliance@vialswift.com

BAA requests, HIPAA inquiries

Security Incidents

security@vialswift.com

Breach reports, security concerns

Mailing address: VialSwift LLC, Houston, TX 77030  |  Effective date: July 1, 2026  |  Next review: July 1, 2027

Legal Notice: This Privacy & Security Policy is provided for informational purposes and reflects VialSwift's current practices and intentions. It does not constitute legal advice. The BAA referenced in Section 3 is the governing legal document between VialSwift and each Covered Entity client. Nothing in this policy creates or modifies any contractual rights. HIPAA compliance obligations for Covered Entities remain with those entities; VialSwift's obligations as a Business Associate are governed by applicable law and the executed BAA.

Ready to work with a compliant courier?

BAA included. HIPAA-trained drivers. Houston TX same-day & STAT service.