Home/HIPAA & Rider-Data Compliance
HIPAA Tier · Business Associate Agreement

Hold rider data legally — and prove who touched it.

Your trip manifests carry rider names, home addresses, mobility needs, and program affiliations. Under HIPAA that's protected health information (PHI) — and the moment it enters a vendor's system, that vendor becomes your Business Associate. Most fleet software has no answer for this. Motrix Cloud does: a full fleet platform and the compliance posture to hold rider data legally.

We signa BAA — most vendors won't
Dedicatedsingle-tenant AWS + executed AWS BAA
6-yearappend-only rider access log
The problem

Rider PHI in a spreadsheet or a no-BAA app is a compliance problem waiting to happen

Paratransit operators are squeezed on privacy from every side: manifests live in spreadsheets, generic scheduling apps, or fleet tools with no Business Associate Agreement behind them. When someone asks "who accessed this rider's record?", there's no answer — and no vendor accountable for the data. Generic fleet platforms (Samsara, Verizon Connect, Motive, Fleetio) will not sign a BAA, which is exactly what HIPAA requires from any vendor that touches PHI.

What the HIPAA tier provides

The technical safeguards of the HIPAA Security Rule, on BAA-covered AWS

SafeguardWhat Motrix does
Business Associate AgreementWe sign a BAA with your agency. Most fleet vendors won't — we will.
Dedicated hostingSingle-tenant AWS (EC2 + RDS), isolated from other customers, covered by an executed AWS BAA.
Encryption everywhereEncrypted at rest (AWS KMS / AES-256) and in transit (TLS 1.3, A+ grade). The database refuses unencrypted connections.
Mandatory two-factor authEvery user, every role — because drivers see rider names and addresses on their manifests.
6-year access audit logAppend-only record of who viewed, changed, or exported each rider record. The log references records by ID/code, so it never becomes its own leak.
Hardened by default15-minute automatic logoff, least-privilege database access, encrypted off-site backups the server itself cannot decrypt, and network isolation with no exposed admin ports.
The moment that closes the deal

"Who touched this rider's record?" — answered on one screen

When your compliance officer, an auditor, or a rider's family asks who accessed a record, you open the Access Log and show them: every view, change, and export, for six years, tied to a user and a timestamp. That single capability is what no general-purpose fleet tool offers — and it's the first thing we show in a demo.

Two ways to handle rider privacy

Hold PHI under a BAA — or hold no PHI at all

Not every agency wants rider identities in its fleet software. Motrix supports both models; we lead the conversation by asking which you prefer.

ModelWhat it meansBest for
HIPAA TierHold real rider names and addresses under full safeguards and a signed BAA.Agencies that need live dispatch with real rider data (most paratransit).
Client Code modeMotrix stores no rider identity — only an opaque code (e.g. C-0001). Your agency keeps the name↔code crosswalk on its own systems.Agencies that want zero PHI in any third-party tool.
Said honestly

There is no such thing as "HIPAA certified"

Any vendor claiming to be "HIPAA certified" is misinformed or bluffing — HHS certifies no one. Motrix implements the required technical safeguards, signs a BAA, and completes a Security Risk Assessment on the deployment. Full compliance is a shared responsibility we finish with you. We'll walk your compliance officer through exactly what we implement — that candor is itself the reason savvy buyers take our call.

Compliance FAQ

What compliance officers ask

Is Motrix HIPAA compliant?

Motrix implements the technical safeguards of the HIPAA Security Rule and runs on BAA-covered AWS. HIPAA compliance is a shared responsibility — we sign a BAA, provide the safeguards, and complete a Security Risk Assessment on the deployment. There is no HIPAA "certification"; we can walk your compliance officer through exactly what we implement.

Will you sign a BAA?

Yes — that's the point of the HIPAA tier. Most fleet vendors won't; we will. Send us yours to review, or start from ours.

Where does our data live? Who can see it?

A dedicated instance on AWS (us-east-1), isolated from other customers. Every access to a rider record is logged for six years, and you can see that trail yourself. Access requires two-factor authentication for every user.

Can we keep rider data out of your system entirely?

Yes — Client Code mode stores no rider identities at all, only anonymous codes you map on your own systems.

What happens if there's a breach?

We maintain an incident-response process: detect, contain, assess, and notify you within the contractual window so you can meet your own HHS and individual notification obligations.

Pricing

HIPAA Tier — $750–1,000/mo

Includes the dedicated AWS instance, the signed BAA, audit logging, mandatory 2FA, and everything in the platform. A one-time onboarding fee ($1,500–3,000) covers instance provisioning, data migration, BAA execution, and user training. For context: a managed HIPAA host alone runs $500+/mo for infrastructure with no application — Motrix delivers the platform and the compliance posture for comparable money. Commercial fleets without PHI can start at $99/mo on the standard tiers.

Next step

Bring your compliance officer to a 20-minute demo

We'll show the live dispatch flow and the rider Access Log, then send our BAA for review ahead of any commitment. IT reviewing the platform? Start with the IT & security brief.

Motrix is an early-stage, founder-run platform. We'd rather tell you exactly what we implement — and where compliance is a shared responsibility — than claim a certification that doesn't exist.