Is Phreesia HIPAA compliant? (2026 update)

Phreesia is a healthcare software company that automates patient check-in and other administrative functions for healthcare organizations, including intake, scheduling, payments, screening, and related workflows. Phreesia’s public materials describe it as software used by healthcare organizations for patient check-in and administrative tasks.

With Phreesia, healthcare organizations can use a web-based check-in platform and related tools to collect patient information and move data into provider workflows. Based on Phreesia’s current public privacy materials, Phreesia can be HIPAA compliant for provider-facing uses because it says it acts as a business associate for healthcare providers and enters into business associate agreements with them.

Is Phreesia HIPAA compliant? Yes, Phreesia can be HIPAA compliant, but there are limitations.

What changed this year?

As of March 2026, Phreesia’s public policies still say it enters into BAAs with healthcare providers, and its website privacy policy was last updated on December 31, 2025. HHS has ongoing HIPAA rule activity, but we did not identify a public policy change that changes the core BAA-based analysis for this article.

Will Phreesia sign a business associate agreement BAA?

Yes, Phreesia will sign a business associate agreement. Its privacy policy says that when it works for healthcare providers and receives individually identifiable health information on their behalf, it acts as a business associate, and it says it enters into BAAs with those providers. You can review that statement in Phreesia’s privacy policy here.

What does the Phreesia BAA cover?

Phreesia expressly says it enters into BAAs that require it to safeguard patients’ protected health information (PHI) in accordance with HIPAA, and its HIPAA privacy statement says it is subject to all applicable HIPAA privacy and security requirements.

What does the Phreesia BAA exclude?

Phreesia’s consumer health data policy says HIPAA-regulated PHI gathered by its HIPAA-regulated products is “not covered by this Consumer Health Data Privacy Policy.” That same policy explains that, if a user signs an optional HIPAA authorization, Phreesia may collect health-related data to show personalized health-related materials and measure content effectiveness.

That means Phreesia’s HIPAA story is not one-size-fits-all. Phreesia can be HIPAA compliant for covered provider-facing services under a BAA, but a healthcare organization should still confirm which products, workflows, website interactions, and optional authorization-based features are actually inside the BAA’s scope.

Conclusion

Phreesia can be HIPAA compliant, but only for covered uses that fall within its business associate relationship with a healthcare provider.

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a business associate agreement?

A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. The purpose of the agreement is to help ensure the proper protection of protected health information as required by HIPAA.

What is HIPAA?

HIPAA sets national standards for protecting the privacy and security of certain health information. HIPAA is designed to protect health information and support secure exchange of electronic health information, and violations can lead to significant penalties for regulated entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates that perform certain functions or activities on behalf of covered entities involving PHI.