Hold rider data legally — and prove who touched it.
Your trip manifests carry rider names, home addresses, mobility needs, and program affiliations. Under HIPAA that's protected health information (PHI) — and the moment it enters a vendor's system, that vendor becomes your Business Associate. Most fleet software has no answer for this. Motrix Cloud does: a full fleet platform and the compliance posture to hold rider data legally.
Rider PHI in a spreadsheet or a no-BAA app is a compliance problem waiting to happen
Paratransit operators are squeezed on privacy from every side: manifests live in spreadsheets, generic scheduling apps, or fleet tools with no Business Associate Agreement behind them. When someone asks "who accessed this rider's record?", there's no answer — and no vendor accountable for the data. Generic fleet platforms (Samsara, Verizon Connect, Motive, Fleetio) will not sign a BAA, which is exactly what HIPAA requires from any vendor that touches PHI.
The technical safeguards of the HIPAA Security Rule, on BAA-covered AWS
| Safeguard | What Motrix does |
|---|---|
| Business Associate Agreement | We sign a BAA with your agency. Most fleet vendors won't — we will. |
| Dedicated hosting | Single-tenant AWS (EC2 + RDS), isolated from other customers, covered by an executed AWS BAA. |
| Encryption everywhere | Encrypted at rest (AWS KMS / AES-256) and in transit (TLS 1.3, A+ grade). The database refuses unencrypted connections. |
| Mandatory two-factor auth | Every user, every role — because drivers see rider names and addresses on their manifests. |
| 6-year access audit log | Append-only record of who viewed, changed, or exported each rider record. The log references records by ID/code, so it never becomes its own leak. |
| Hardened by default | 15-minute automatic logoff, least-privilege database access, encrypted off-site backups the server itself cannot decrypt, and network isolation with no exposed admin ports. |
"Who touched this rider's record?" — answered on one screen
When your compliance officer, an auditor, or a rider's family asks who accessed a record, you open the Access Log and show them: every view, change, and export, for six years, tied to a user and a timestamp. That single capability is what no general-purpose fleet tool offers — and it's the first thing we show in a demo.
Hold PHI under a BAA — or hold no PHI at all
Not every agency wants rider identities in its fleet software. Motrix supports both models; we lead the conversation by asking which you prefer.
| Model | What it means | Best for |
|---|---|---|
| HIPAA Tier | Hold real rider names and addresses under full safeguards and a signed BAA. | Agencies that need live dispatch with real rider data (most paratransit). |
| Client Code mode | Motrix stores no rider identity — only an opaque code (e.g. C-0001). Your agency keeps the name↔code crosswalk on its own systems. | Agencies that want zero PHI in any third-party tool. |
There is no such thing as "HIPAA certified"
Any vendor claiming to be "HIPAA certified" is misinformed or bluffing — HHS certifies no one. Motrix implements the required technical safeguards, signs a BAA, and completes a Security Risk Assessment on the deployment. Full compliance is a shared responsibility we finish with you. We'll walk your compliance officer through exactly what we implement — that candor is itself the reason savvy buyers take our call.
What compliance officers ask
Is Motrix HIPAA compliant?
Motrix implements the technical safeguards of the HIPAA Security Rule and runs on BAA-covered AWS. HIPAA compliance is a shared responsibility — we sign a BAA, provide the safeguards, and complete a Security Risk Assessment on the deployment. There is no HIPAA "certification"; we can walk your compliance officer through exactly what we implement.
Will you sign a BAA?
Yes — that's the point of the HIPAA tier. Most fleet vendors won't; we will. Send us yours to review, or start from ours.
Where does our data live? Who can see it?
A dedicated instance on AWS (us-east-1), isolated from other customers. Every access to a rider record is logged for six years, and you can see that trail yourself. Access requires two-factor authentication for every user.
Can we keep rider data out of your system entirely?
Yes — Client Code mode stores no rider identities at all, only anonymous codes you map on your own systems.
What happens if there's a breach?
We maintain an incident-response process: detect, contain, assess, and notify you within the contractual window so you can meet your own HHS and individual notification obligations.
HIPAA Tier — $750–1,000/mo
Includes the dedicated AWS instance, the signed BAA, audit logging, mandatory 2FA, and everything in the platform. A one-time onboarding fee ($1,500–3,000) covers instance provisioning, data migration, BAA execution, and user training. For context: a managed HIPAA host alone runs $500+/mo for infrastructure with no application — Motrix delivers the platform and the compliance posture for comparable money. Commercial fleets without PHI can start at $99/mo on the standard tiers.
Bring your compliance officer to a 20-minute demo
We'll show the live dispatch flow and the rider Access Log, then send our BAA for review ahead of any commitment. IT reviewing the platform? Start with the IT & security brief.