Your Patient Data Never Leaves Your Practice
Most practice management add-ons upload your patient data to someone else's cloud. refract.ing does the opposite.
refract.ing installs directly on your practice's own Windows server — the same server that runs your OfficeMate (Eyefinity) SQL database. All patient data processing happens locally, inside your firewall, on hardware you control.
On-Premises Architecture
refract.ing connects to OfficeMate's built-in SDK stored procedures for read-only database access. There is no cloud relay, no data warehouse, no third-party hosting of your patient records. PHI stays on your network, period.
- Runs on the practice's own Windows server (or a server the practice controls)
- Connects directly to the on-premises OfficeMate SQL Server database
- Uses OfficeMate's native SDK stored procedures — read-only access
- No patient data is uploaded to, stored in, or routed through any cloud service
- All data processing happens locally, inside the practice's own network perimeter
Business Associate Agreements
refract.ing provides a Business Associate Agreement (BAA) to every practice before any patient-communication features are enabled. This is not optional — we require it.
- BAAs are executed before activation of any feature that touches PHI
- Third-party vendors used for patient outreach (SMS and email delivery) also maintain signed BAAs with refract.ing
- BAA terms cover data handling responsibilities, breach notification, and permitted uses of PHI
To request a BAA, email dr@refract.ing. We typically execute within 48 hours.
Technical Safeguards
Encryption
All data in transit between system components is encrypted using TLS 1.2 or higher. Database connections to OfficeMate use SQL Server's native encryption capabilities.
Access Controls
- Role-based access controls restrict system functions to authorized personnel
- Database access is read-only through OfficeMate's SDK — refract.ing cannot modify patient records
- Administrative functions require authenticated access with unique credentials
Audit Logging
Every system action is logged with timestamps, user identification, and action details. Audit logs are stored locally and available for review during compliance assessments.
Network Isolation
- The marketing website at www.refract.ing handles zero patient data
- No PHI is stored in or transmitted through any cloud service
- The on-premises installation operates entirely within the practice's existing network security perimeter
Security Assessments
refract.ing undergoes regular security assessments of its codebase, dependencies, and deployment procedures. Identified vulnerabilities are remediated before release.
Administrative Safeguards
Built by a Practicing Optometrist
refract.ing was created by Dr. Alexander Bonakdar, OD — a practicing optometrist in Irvine, CA who deals with HIPAA requirements in his own practice every day. This is not a Silicon Valley startup learning healthcare compliance after the fact. The platform was designed from the ground up by someone who understands both the regulatory obligations and the clinical workflow.
- Staff training protocols for PHI handling and system access
- Documented incident response procedures for security events
- Regular review of access permissions and system configurations
- Breach notification commitment: practices are notified within 72 hours per HIPAA requirements
About This Website
It is important to distinguish between the refract.ing marketing website (what you are reading now) and the refract.ing product (the on-premises software installed in practices).
This Website Does Not Process PHI
- The marketing website at www.refract.ing does not collect, store, or process protected health information
- Form submissions on this site collect business contact information only — name, email, phone number, and practice name
- Business contact information is not PHI and is governed by our Privacy Policy, not HIPAA
HIPAA Applies to the On-Premises Product
The HIPAA compliance measures described on this page apply to the refract.ing software installed on practice servers — the system that connects to OfficeMate and processes patient data locally. The marketing website and the clinical product are completely separate systems with no shared data.
Questions About Compliance?
Dr. Bonakdar is available to discuss HIPAA compliance, BAA execution, or security specifics directly.
Email: dr@refract.ing