Mend can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate executes a HIPAA Business Associate agreement with Mend, limits use to the services and configurations covered by that agreement, and implements the administrative, physical, and technical safeguards for electronic protected health information required by the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.
A telehealth and patient engagement platform can create, receive, maintain, or transmit electronic protected health information through scheduling data, appointment links, patient demographic fields, intake content, chat, reminders, and video visit metadata. HIPAA compliance depends on the regulated entity’s risk analysis and risk management decisions, the platform configuration, and the organization’s procedures for workforce access, patient verification, and incident response. A platform designation or feature list does not replace the regulated entity’s obligation to control disclosures and limit access to authorized users.
Mend presents its telehealth offering as suited to regulated use and includes security-oriented statements about the telehealth session itself, including the statement, “An encrypted video feed is a must to keep telehealth visits secure.” Encryption in transit supports confidentiality, but HIPAA compliance also depends on identity and access management, account provisioning, authentication controls, session management, device security, and governance of patient-facing links to limit unauthorized entry.
Mend indicates willingness to enter into a HIPAA Business Associate agreement for customers using the service for regulated workflows. The agreement scope should be reviewed to confirm which Mend products, features, integrations, support channels, and subcontractor relationships are included. Protected health information should be restricted from features or connected services that are outside the agreement scope, including any optional analytics or messaging pathways that are not covered.
Operational controls remain with the regulated entity. Policies should address permitted uses, patient consent workflows where applicable, retention of visit artifacts, handling of screenshots and recordings, and staff procedures for conducting visits in private locations. Technical controls should include role-based access, unique user identification, secure configuration, audit capability where available, and routine review of configuration changes that affect how electronic protected health information is transmitted or stored.
