Privacy & Security Policy
VialSwift is committed to protecting the privacy of our clients, their patients, and every individual whose health information we handle. This policy explains how we collect, use, safeguard, and disclose information in full compliance with federal and Texas state law.
1. Introduction
VialSwift LLC ("VialSwift," "we," "our," or "us") operates a HIPAA-compliant medical courier service in the Houston, Texas metropolitan area. We transport biological specimens, pharmaceutical products, medical supplies, and documents on behalf of healthcare providers, clinical laboratories, hospitals, home-care organizations, and specialty pharmacies (collectively, "Covered Entity clients").
As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164), VialSwift is legally obligated to safeguard any Protected Health Information (PHI) we create, receive, maintain, or transmit on behalf of our Covered Entity clients.
This Privacy & Security Policy applies to all VialSwift employees, contractors, couriers, and third-party vendors who access PHI or systems containing PHI. It also describes our practices regarding information collected through our website (vialswift.com) and client-facing tracking tools.
HIPAA Compliance & Protected Health Information
What Constitutes PHI in Our Operations
PHI includes any individually identifiable health information we encounter in the course of a delivery โ including patient names on specimen labels, requisition forms, medical record numbers, dates of service, diagnoses, or any combination of identifiers that could reasonably identify a patient. VialSwift couriers are trained to treat all materials handled as if they contain PHI.
Permitted Uses and Disclosures
VialSwift uses and discloses PHI solely as required to carry out the transportation services described in our service agreements and Business Associate Agreements. We do not sell PHI, use it for marketing purposes, or disclose it to any third party except:
- โ To subcontractors who are themselves bound by a written Business Associate Agreement
- โ As required by law (e.g., law enforcement, public health authorities)
- โ To avert a serious threat to health or safety
- โ As directed in writing by the originating Covered Entity
Minimum Necessary Standard
VialSwift applies the HIPAA Minimum Necessary standard to all PHI access. Couriers receive only the pickup/delivery information required to complete the assigned transport โ not the underlying clinical data. Dispatch staff access only what is operationally required. Administrative access to full chain-of-custody records is role-restricted and audited.
Business Associate Agreement (BAA)
Before VialSwift handles any PHI on behalf of a Covered Entity, both parties execute a Business Associate Agreement that meets the requirements of 45 CFR ยง164.504(e). Our standard BAA covers:
โPermitted uses and disclosures of PHI
โSafeguard obligations (administrative, physical, technical)
โReporting obligations for breaches and security incidents
โPatient rights โ access and amendment support
โSubcontractor BAA requirements
โTerm and termination with PHI return or destruction
โHHS inspection rights
โIndemnification provisions
Request a BAA
To request our standard BAA template or discuss custom terms, contact us at compliance@vialswift.com. We target a 2-business-day turnaround on BAA execution for new clients. Note: Our BAA template is reviewed by healthcare counsel; material changes require legal review and may extend the timeline.
Data Security Safeguards
VialSwift implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) and follows NIST SP 800-66 guidance for healthcare organizations.
๐ Administrative Safeguards
- โ Designated Privacy Officer and Security Officer roles
- โ Mandatory annual HIPAA training for all staff โ including couriers
- โ Background checks required for all employees handling PHI
- โ Role-based access controls: access limited to job function
- โ Security risk analysis conducted at least annually and after material system changes
- โ Sanctions policy for workforce HIPAA violations
- โ Contingency and disaster recovery plan in place
๐ Physical Safeguards
- โ Temperature-controlled, tamper-evident transport containers for all specimens
- โ Locked vehicle storage โ PHI-containing materials never left unattended in vehicles
- โ No PHI stored on personal mobile devices โ company-issued devices only
- โ Secure document destruction (NAID-certified shredding) for any printed PHI
- โ Office access badge-controlled with visitor log
- โ Workstation use policies โ screens locked when unattended
๐ก Technical Safeguards
- โ AES-256 encryption at rest for all electronic PHI (ePHI)
- โ TLS 1.3 encryption in transit for all data transmissions
- โ Multi-factor authentication (MFA) required for all system access
- โ Audit logs maintained for all ePHI access and modifications โ retained 6 years
- โ Automatic session timeouts on all platforms
- โ GPS and dispatch systems hosted on HIPAA-eligible cloud infrastructure
- โ Penetration testing and vulnerability scans conducted annually
- โ Client tracking portal: read-only access with unique secure tokens per client
Chain-of-Custody Protocols
Maintaining an unbroken, auditable chain of custody is fundamental to specimen integrity and legal defensibility. Every VialSwift transport follows a documented custody protocol from pickup to delivery confirmation.
Pickup Authorization
Courier verifies identity of releasing party and confirms specimen manifest. Electronic signature captured.
Seal & Log
Specimens placed in tamper-evident, temperature-appropriate packaging. Barcode scanned into dispatch system. Temperature baseline recorded.
In-Transit Monitoring
Real-time GPS location broadcast. Temperature sensors log readings every 5 minutes. Any excursion triggers immediate courier alert and client notification.
Transfer of Custody
Any hand-off between couriers (e.g., relay routes) is documented with time, location, courier IDs, and electronic signatures from both parties.
Delivery Confirmation
Receiving party identity verified. Specimens inspected for seal integrity and temperature compliance. Electronic delivery receipt generated and transmitted to originating client within 60 seconds.
Record Retention
All chain-of-custody records, temperature logs, GPS traces, and delivery receipts retained for a minimum of 7 years (or as required by client contract) in encrypted storage.
Temperature Excursion Policy
If a temperature excursion is detected during transport, the courier is immediately notified, the specimen is quarantined, and the originating client lab director or designated contact is called within 15 minutes. A written excursion report is provided within 24 hours. The decision to accept, retest, or recollect the specimen rests with the client.
Website & Communications Privacy
Information We Collect on This Website
Our website does not collect PHI. We may collect the following non-PHI data:
- โContact inquiries: Name, company, email, phone number, and message content submitted via our contact form or email. Used solely to respond to your inquiry.
- โJob applications: Resume and contact information submitted to careers@vialswift.com. Retained for up to 12 months unless you request deletion.
- โAnalytics: Anonymized usage data (pages visited, referral source, browser type) via privacy-respecting analytics. No cross-site tracking or personal profiling.
- โTracking portal: Tracking numbers entered in our /track tool are logged to facilitate the lookup. Logs are purged after 90 days.
Email Communications
Business-related email communications between VialSwift and Covered Entity clients are treated as potentially containing PHI and are handled under the security controls described in Section 4. We do not send PHI via standard unencrypted email without explicit written authorization from the Covered Entity.
Cookies
This website uses only essential functional cookies required to operate the tracking portal and contact forms. We do not use advertising cookies, third-party tracking pixels, or social media retargeting tags.
Breach Notification & Incident Response
VialSwift maintains a written Breach Notification Policy consistent with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and Texas Health & Safety Code ยง181.154.
Internal Response
โค 48 hours
Security Officer notified. Incident contained and documented. Forensic review initiated.
Covered Entity Notification
โค 60 days
Affected Covered Entity clients notified with incident description, PHI involved, and corrective actions.
HHS / State Notification
Per regulatory timeline
HHS Office for Civil Rights and Texas HHS notified per applicable thresholds and timelines.
To report a suspected security incident or privacy violation involving VialSwift, contact our Security Officer immediately at security@vialswift.com or call (713) 000-0000. Reports may also be made anonymously.
Texas State Privacy Laws
In addition to federal HIPAA requirements, VialSwift complies with applicable Texas state privacy laws:
- โTexas Health & Safety Code Chapter 181 (Texas Medical Records Privacy Act) โ We comply with all requirements for handling protected health information under Texas law, which in some areas is more stringent than federal HIPAA.
- โTexas Business & Commerce Code ยง521 โ We maintain a data security program to protect sensitive personal information of Texas residents from unauthorized access.
- โTexas Data Privacy and Security Act (TDPSA) โ For any consumer personal data we collect through our website or operations, we honor applicable rights including access, correction, and deletion requests.
Your Rights
As a Business Associate, VialSwift supports Covered Entity clients in honoring their patients' HIPAA rights. If you are a patient with questions about your health information, please contact your healthcare provider (clinic, lab, or hospital) directly โ they are the Covered Entity responsible for your Notice of Privacy Practices.
For non-PHI personal data collected through our website (contact inquiries, job applications, analytics), you may:
- โ Request a copy of the personal data we hold about you
- โ Request correction of inaccurate data
- โ Request deletion of your data (subject to legal retention obligations)
- โ Opt out of any future marketing communications
Submit requests to privacy@vialswift.com. We respond within 30 days.
Policy Updates
VialSwift reviews this Privacy & Security Policy at least annually and following any material change in our operations, systems, or applicable law. We will notify Covered Entity clients of material changes at least 30 days before the effective date via email to the designated compliance contact on file. The current effective date is displayed in the header of this page. Continued use of our services after the effective date constitutes acceptance of the revised policy.
Contact Our Privacy & Compliance Team
Mailing address: VialSwift LLC, Houston, TX 77030 | Effective date: July 1, 2026 | Next review: July 1, 2027
Ready to work with a compliant courier?
BAA included. HIPAA-trained drivers. Houston TX same-day & STAT service.