FMSLio

HIPAA Notice

Last updated: May 20, 2026

Overview

FMSLio is HIPAA-aware software designed for California FMS providers operating in the Self-Determination Program. This notice describes how FMSLio handles Protected Health Information (PHI), the security controls we apply, and the responsibilities customers retain.

When a BAA is required

Customers whose use of FMSLio involves PHI must execute a Business Associate Agreement (BAA) before sending PHI to the platform. See the BAA page for how to request one.

Security practices

FMSLio applies the following technical controls:

  • Encryption at rest. PHI fields are encrypted using AES-256-GCM with keys held in a managed key store, separate from the application tier.
  • Encryption in transit. All client and inter-service traffic uses TLS 1.2 or higher.
  • Row-level security. Database access is scoped by tenant via row-level security policies; cross-organization data access is prevented at the database layer, not just the application layer.
  • Audit logging. Privileged actions and PHI access are logged with the actor's identity, a timestamp, and the resource targeted. Audit logs are append-only and retained per the retention schedule in your BAA.
  • Workforce access. Internal access to customer data follows least-privilege principles and requires documented justification.

PHI in transit and at rest

PHI in FMSLio includes participant identifiers, service records, medical-related notes, and any other data protected under HIPAA. We minimize storage of PHI to what's necessary to operate the service, segregate it from non-PHI metadata where practical, and apply the encryption controls above throughout.

Customer responsibilities

A signed BAA does not transfer Covered Entity responsibilities to FMSLio. Customers remain responsible for:

  • Determining what data constitutes PHI within their program
  • Configuring FMSLio access controls (roles, permissions, password policies, MFA enrollment)
  • Training their workforce on PHI handling
  • Following breach-notification obligations under HIPAA if a Customer-side breach occurs
  • Following any additional state-law privacy requirements (e.g., CCPA / CPRA for California residents)

Subprocessors

FMSLio uses a small set of subprocessors to operate the platform (hosting, monitoring, email, payment processing). A current list is available on request by emailing contact@fmslio.com.

This notice is not the BAA

This page summarizes FMSLio's HIPAA-aware practices. It is not a substitute for the BAA itself. Customers handling PHI through FMSLio must execute a BAA. See the BAA page for the request process.

Contact

HIPAA-related questions: contact@fmslio.com.