HIPAA & Your Data

Effective: May 15, 2026

Who this page is for. Medical aesthetics practices considering Obris Launch or Obris Vigilance. It explains how HIPAA applies to working with Obris Launch and what protections are in place.

Obris Launch’s role under HIPAA

HIPAA defines two types of organizations that handle health information: covered entities and business associates.

A covered entity is a medical practice, hospital, or health plan that directly creates and maintains patient health records. If you operate a medi-spa, plastic surgery practice, or aesthetic clinic, your practice is likely a covered entity. You are required to publish a Notice of Privacy Practices for your patients — Obris Launch generates that document for your site as part of the Launch onboarding process.

A business associate is a vendor that performs services on behalf of a covered entity and, in doing so, may access Protected Health Information (PHI). Obris Launch is a business associate. We do not treat patients, bill insurance, or maintain clinical records. But when we build and manage a practice’s marketing infrastructure, there are moments where PHI could be present — a contact form submission, an appointment reminder list, an email campaign to an existing patient base.

Because of that potential PHI exposure, HIPAA requires a written Business Associate Agreement (BAA) between the practice and any business associate.

The Business Associate Agreement

Before Obris Launch handles any data that could contain PHI, we execute a signed BAA with the practice. The BAA:

Defines what PHI Obris Launch may access and for what purpose (solely to deliver the contracted services)
Requires Obris Launch to use appropriate safeguards to protect the PHI
Prohibits Obris Launch from using or disclosing PHI for any purpose other than the contracted services
Requires Obris Launch to report any breach of unsecured PHI to the practice
Requires Obris Launch to flow BAA obligations down to any subcontractor that touches PHI on behalf of the practice
Requires Obris Launch to return or destroy PHI when the engagement ends

The BAA is a Day-1 document in the Obris Launch onboarding process. It is not optional. If a practice is not ready to sign a BAA, we cannot proceed with services that touch patient data.

What Obris Launch does and does not do with PHI

Obris Launch does:

Execute a BAA with every client practice before any PHI-adjacent work begins
Use only BAA-covered technology providers for services that may touch PHI
Apply content review standards to catch PHI before it appears in marketing materials
Notify the practice promptly if a potential PHI breach is identified

Obris Launch does not:

Store PHI on obris.co infrastructure
Use patient health information for any purpose other than delivering your contracted services
Share PHI with any third party not covered by a BAA
Market to patients directly — that is always the practice’s relationship

Your Notice of Privacy Practices

Your practice — not Obris Launch — is the covered entity required to publish a Notice of Privacy Practices for patients under 45 CFR § 164.520. This document tells patients how their PHI may be used and disclosed.

Obris Launch generates a HIPAA-compliant Notice of Privacy Practices as part of every client site build. It is populated with your practice’s specific information (name, address, privacy officer contact, effective date) and linked from the footer of every page of your site on Day 1. Your practice’s legal counsel or compliance officer should review it before the site goes live.

Questions

For HIPAA and compliance questions about working with Obris Launch:

Email: hello@obris.co
Mail: Obris Launch, 2524 N Broadway, Suite 583, Edmond, OK 73034

This page does not constitute legal advice. Practices should work with qualified healthcare counsel to confirm HIPAA compliance posture.