The Health Insurance Portability and Accountability Act (HIPAA) is a US law that covers the electronic transfer and retention of personal medical information.

Envoy is not currently compliant with HIPAA. As such, you shouldn't use Envoy to store sensitive medical data. Read our terms and conditions for more details. For the most up-to-date information from the U.S Department of Health and Human Services click here.

Envoy does not enter into Business Associate Agreements (BAAs) with HIPAA-covered entities or HIPAA Business Associates (BAs). Therefore, we cannot do business with HIPAA-covered entities or BAs if they would be sending any PHI, including patients’ names. Health information gleaned from employees at non-HIPAA-covered entities and non-BAs is not regulated by HIPAA.

Your data is yours. All of your visitor data is stored indefinitely while you’re an Envoy customer. We only delete or purge data upon explicit request.

If you choose to end your subscription, Envoy will maintain your data for 30 days after cancellation and will thereafter delete or destroy your data. For more information on this part of our policy, see our Terms of Service.

Responses to Health and Safety employee screening questions will be transmitted over secure channels to Envoy’s servers for processing and removed no more than 24 hours later—we do not retain employee responses to the screening questions unless the Global admin uses our Managing response options feature to specifically retain certain answers. See more here.

​