Compliance
Last Updated: July 2, 2026
Quaspar operates in one of the most regulated environments in software: U.S. healthcare administration. This page summarizes the regulatory frameworks that govern our platform and how we address them.
HIPAA / HITECH
Quaspar operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We:
- Execute a Business Associate Agreement (BAA) with every customer before PHI is processed
- Comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) for all electronic PHI
- Follow the Privacy Rule's minimum-necessary standard
- Maintain breach notification procedures aligned with the Breach Notification Rule
- Flow HIPAA obligations down to every subcontractor that touches PHI
Details: HIPAA & Security · Business Associate Agreement
Healthcare Transaction Standards
Eligibility and prior authorization transactions exchanged with payers follow HIPAA-mandated ASC X12 EDI standards (including 270/271 eligibility transactions and the 278 prior authorization standard where supported), conducted through established, HIPAA-compliant clearinghouse partners.
Medicare and Payer Program Rules
Quaspar's rulesets incorporate publicly available payer medical policies and Medicare requirements, including Outpatient Department (OPD) prior authorization program rules published by CMS. Quaspar prepares documentation and requests for practice review; responsibility for the accuracy of submissions and compliance with payer program rules remains with the submitting practice, and payers retain sole authority over determinations.
State Privacy Laws
For personal information outside the scope of HIPAA, Quaspar complies with applicable U.S. state privacy laws, including the California Consumer Privacy Act (as amended) and comparable state consumer privacy statutes. See our Privacy Policy and Data Processing Addendum.
Payment Security
Payments are processed by PCI DSS–compliant third-party payment processors. Quaspar does not store full payment card numbers on its systems.
Certified Infrastructure
Quaspar's entire platform runs on independently certified, healthcare-grade infrastructure:
- Google Cloud Platform hosts our application backend. GCP maintains SOC 1, SOC 2 Type II, SOC 3, ISO 27001/27017/27018, and HITRUST CSF certifications, and Google Cloud signs Business Associate Agreements covering HIPAA workloads.
- Supabase provides our database and authentication layer. Supabase is SOC 2 Type II certified and offers HIPAA-compliant infrastructure under a Business Associate Agreement, with encryption at rest and in transit.
- Clearinghouse partners used for payer transactions are established, HIPAA-compliant EDI networks.
Quaspar inherits the physical, environmental, and infrastructure-level controls of these certified providers, and every vendor that handles PHI on our behalf is bound by a Business Associate Agreement. Quaspar is responsible for security at the application layer — access controls, encryption configuration, audit logging, and secure development — as described in our Security Overview.
Independent Assessment Roadmap
We are committed to independent verification of our own controls: a SOC 2 examination of Quaspar's application-layer controls is on our compliance roadmap. In the meantime, our security documentation, architecture overview, and completed security questionnaires are available to customers and prospects on request at support@quaspar.com.
Accessibility
We are committed to meeting WCAG 2.1 Level AA. See our Accessibility Statement.
Reporting Concerns
Compliance questions, security vulnerability reports, and privacy requests can all be sent to support@quaspar.com. We take every report seriously and investigate promptly.