HIPAA Policy

Last updated: May 2026  ·  Effective: May 2026

Notice: TCS Platform operates as a Business Associate under HIPAA when Protected Health Information (PHI) is involved. We sign Business Associate Agreements (BAAs) with covered entities on request. Contact legal@osceapp.com to request a BAA.

1. Scope of HIPAA Coverage

The Health Insurance Portability and Accountability Act (HIPAA) applies to TCS Platform when it is used in contexts that involve Protected Health Information (PHI). This may occur when:

  • A covered entity (such as a teaching hospital or healthcare system) uses TCS Platform to manage clinical education activities that involve or reference real patient data.
  • Healthcare professional learners interact with PHI as part of their training within the platform.
  • An institution's use of TCS Platform is classified as a business associate relationship under 45 C.F.R. Parts 160 and 164.

In cases where TCS Platform is used purely for standardized patient simulation with fictional identities and no real patient data, HIPAA obligations may not apply. Institutions should consult their compliance officers to determine applicability.

2. Business Associate Agreements

When TCS Platform functions as a Business Associate, we are required by HIPAA to enter into a Business Associate Agreement (BAA) with the covered entity or business associate engaging our services.

  • ECC, Inc. DBA Training Centre Solutions will execute a BAA with any covered entity or business associate that requires one.
  • To request a BAA, contact us at legal@osceapp.com.
  • We will not begin processing PHI on behalf of an institution until a fully executed BAA is in place.
  • Our standard BAA is available for review before execution. Custom BAA language may be accommodated subject to legal review.

3. PHI Safeguards

We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).

  • Technical safeguards: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Access controls and audit logging are enforced at the application and database layers.
  • Physical safeguards: Servers are hosted in SOC 2-certified data centers with restricted physical access, environmental controls, and redundant power and network connectivity.
  • Administrative safeguards: We maintain HIPAA policies and procedures, conduct periodic risk assessments, and train workforce members who may encounter PHI on their obligations under HIPAA.

4. Minimum Necessary Standard

Consistent with the HIPAA Privacy Rule's minimum necessary standard, TCS Platform is designed to expose only the PHI that is required for the specific educational session or assessment activity being conducted. Role-based access controls ensure that users see only the data relevant to their function. Facilitators, students, and administrators are granted access scoped to their institutional role and specific session context.

5. Breach Notification

In the event of a breach of unsecured PHI, ECC, Inc. will:

  • Notify the affected covered entity or business associate within 72 hours of discovering the breach, consistent with the HIPAA Breach Notification Rule (45 C.F.R. § 164.410).
  • Provide the information required by HIPAA in the breach notification, including the nature of the PHI involved, the unauthorized persons who accessed it, and the steps taken to mitigate harm.
  • Cooperate fully with the covered entity's own breach notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS).

6. De-identification

TCS Platform is primarily designed for simulation-based clinical education using standardized patients with entirely fictional identities. Our guidance to all institutions is:

  • Standardized patient profiles should use fictional names, dates of birth, and clinical histories — never real patient data.
  • Real patient data should not be entered into TCS Platform under any circumstances unless a BAA is in place and the institution's compliance officer has approved the use case.
  • Where de-identified data is used for research or quality improvement, institutions are responsible for ensuring the data meets the de-identification standard under 45 C.F.R. § 164.514 before entry into the platform.

7. Training Requirements

ECC, Inc. recommends that all personnel at an institution who access TCS Platform in a context involving PHI complete HIPAA training appropriate to their role before being granted access. This training should cover the Privacy Rule, the Security Rule, and the institution's own HIPAA policies. TCS Platform does not itself provide HIPAA training, but we recommend that institutions use an accredited HIPAA training program and document completion records in accordance with the HIPAA administrative safeguard requirements (45 C.F.R. § 164.530(b)).

8. Contact for BAA Requests

To request a Business Associate Agreement, report a potential HIPAA concern, or ask questions about our HIPAA compliance posture, please contact:

ECC, Inc. DBA Training Centre Solutions
HIPAA Compliance: legal@osceapp.com