HIPAA / Security

Model Rewards is built for cash-based aesthetic practices that want loyalty and referral marketing without creating staff burden—and with the security expectations that come with healthcare data.

This page is a high-level overview of our privacy and security approach. Detailed security documentation (and a signed Business Associate Agreement, where applicable) is available during procurement and onboarding.

Last updated: February 9, 2026.

HIPAA status

Depending on your configuration and integration (including Nextech-connected workflows), Model Rewards may create, receive, maintain, or transmit electronic protected health information (ePHI) on behalf of a covered entity. In those cases, Model Rewards operates as a Business Associate and supports your compliance program accordingly.

Business Associate Agreement

HIPAA requires covered entities to obtain “satisfactory assurances” in writing from business associates—typically through a Business Associate Agreement (BAA).

How we handle this:
We execute a BAA via DocuSign as part of onboarding and can provide it upon request.

HIPAA Security Rule alignment

The HIPAA Security Rule establishes standards to protect health information maintained or transmitted electronically and is organized around administrative, physical, and technical safeguards.

Below is an overview of how our program is designed to map to those safeguard categories.

Administrative safeguards

Administrative safeguards are the policies, procedures, and ongoing management activities that support security—often starting with risk analysis and risk management.

Our administrative safeguard approach includes:

  • Security management process with ongoing risk review and remediation planning

  • Workforce access controls based on job role (least-privilege access)

  • Security awareness and operational procedures to reduce human risk

  • Contingency planning to support availability and recovery

(If you need specific artifacts—like policy summaries, incident response overview, or a security questionnaire—we can provide those during due diligence.)

Physical safeguards

Physical safeguards address the protection of systems and equipment from natural/environmental hazards and unauthorized physical intrusion.

Our physical safeguard approach includes:

  • Controls intended to restrict physical access to systems that may store or process ePHI

  • Policies and procedures aligned to device and media controls where applicable (e.g., secure disposal and handling)

Technical safeguards

Technical safeguards are the technology and related policies and procedures that protect ePHI and control access to it. The Security Rule's technical safeguard standards are access control, audit controls, integrity, person or entity authentication, and transmission security. Encryption appears as an “addressable” implementation specification under both access control and transmission security; “addressable” does not mean optional—it means the organization must implement the specification where reasonable and appropriate, or document why it is not and what equivalent alternative measure is in place.

Our technical safeguard approach includes:

  • Access controls designed to support unique user identification and role-based permissions

  • Auditability designed to support activity review and traceability

  • Integrity controls intended to help prevent improper alteration or destruction of data

  • Transmission security for data sent over electronic communications networks

Data handling principles

We follow healthcare-aligned data protection principles, including:

  • Using data only to provide and improve the service you request

  • Minimizing access to production data and limiting it to authorized personnel with a business need

  • Supporting secure deletion/return of data in alignment with contractual terms

If you need a list of subprocessors (vendors that may process data on our behalf) or a written data flow overview, we can provide that during procurement.

Security incident and breach notification

If we become aware of a breach of unsecured PHI, HIPAA requires a business associate to notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery (subject to limited exceptions, such as certain law enforcement delays). “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, such as encryption; PHI that was properly encrypted, with the decryption key not also compromised, generally falls outside the breach notification requirement.

Our incident response process is designed to support:

  • Rapid containment and investigation

  • Customer notification aligned to HIPAA requirements

  • Documentation appropriate for covered entity compliance workflows

Your responsibilities (shared security model)

Security is a shared responsibility. To help protect your patients and your practice, you should:

  • Restrict access to your Nextech/EHR and Model Rewards admin accounts to authorized staff only

  • Use strong authentication practices and remove access promptly when roles change

  • Follow your internal HIPAA policies for workforce training and device security

Request documentation / contact

For vendor due diligence, we can provide (as appropriate):

  • Executed BAA (DocuSign)

  • Security overview and questionnaire responses

  • Subprocessor list

  • Incident response summary

Contact: hello@modelrewards.com or use the contact form on our website.