Phreesia Logo

We take privacy seriously

At Phreesia, we're committed to patient privacy and keeping health information secure.

We are fully committed to the privacy and security of our users' data. Our administrative, technical, and physical safeguards are designed to secure and protect protected health information (PHI). Under the Health Insurance Portability and Accountability Act (HIPAA), Phreesia is defined as a “business associate,” which is an individual or entity that is not a member of the “covered entity's” (i.e., the healthcare provider's) workforce and performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. As a business associate, Phreesia is subject to, and committed to, all applicable HIPAA privacy and security requirements.

Phreesia's Provider clients can configure and direct intake tools on the Phreesia Platform to collect their patients' information. Phreesia may collect other information and request certain permissions from Provider clients to ensure our products and services are functioning and for other permissible purposes.

If an individual signs an optional Authorization to receive additional health-related materials from Phreesia, Phreesia continues to protect the individual's personal data under our Platform Privacy Policy.

Phreesia's privacy and security procedures

Phreesia's privacy and security procedures include the following safeguards:

  • PHI is secured through password protection and can only be accessed by authorized users within the healthcare practice.
  • PHI is firewall-protected and under electronic surveillance 24 hours a day, seven days a week.
  • PHI is never stored on PhreesiaPads or Arrivals kiosks, so if either device is lost or stolen, no PHI will be compromised.
  • PHI transmitted between the Phreesia platform and Phreesia's data centers is protected using industry-standard TLS (256-bit AES keys).
  • PhreesiaPads and Arrivals kiosks are configured from the factory to use WPA2 encryption and the AES algorithm.
  • Patient data is stored in a highly-secured data center, protected by multi-layer protocols. This means:
    • The servers that house the data are stored in a secured building with multiple layers of physical security.
    • At the network level, these servers are placed in a secure subnet protected by firewalls.
    • Front-end servers and database servers are on physically different networks and have limited connectivity.
    • The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
    • Within the database server, data is stored in an encrypted form.
    • Patient data is stored using AES encryption with a key size of 256 bits.

Phreesia is HITRUST-certified, SOC 2-certified, and PCI Level 1-compliant. Phreesia also is listed on the most current lists of PCI Level 1 service providers for both Visa and Mastercard.


If you have any questions, comments, or concerns about Phreesia's privacy processes, please contact us by email at