Overview
CelebriCare's gift card feature is designed with strict privacy protections and HIPAA compliance safeguards. This document outlines how gift cards operate within our platform while maintaining complete separation from protected health information (PHI).
How It Works
1
Gift Card Purchase: A visitor selects the "Gift Card" option, chooses their desired amount, and completes the checkout form with recipient information.
2
Secure Payment Processing: The purchaser enters payment information through Stripe's secure checkout form. Critically, payment data bypasses CelebriCare entirely and goes directly to Stripe, which maintains both PCI and HIPAA compliance certifications.
3
Purchase Confirmation: CelebriCare sends an email notification to the purchaser confirming the gift card purchase, without storing or processing their payment information.
4
Secure Delivery: The gift card recipient receives a unique redemption ID via email. This ID can only be redeemed after the recipient creates and authorizes their own CelebriCare account, ensuring only the person with email access can redeem the gift card.
5
Service Redemption: Once authenticated, the gift card recipient can apply their gift card credit toward any services or products available on the platform through standard checkout processes.
Data Separation Architecture
Commerce Layer Isolation
Gift card transactions operate entirely within our commerce and payment processing systems, maintaining complete separation from clinical EHR data where PHI is stored. Gift card purchasers, recipients, and transaction details never interact with clinical records.
Anonymous Redemption Process
When a gift card is redeemed for mental health services, it functions as a standard payment method within our clinical system. Healthcare providers only see the payment transaction - they have no access to information about who purchased the gift card or the relationship between purchaser and recipient.
No Clinical Data Sharing
Gift card purchasers receive only transactional confirmations (purchase receipt, delivery confirmation). They never receive information about how, when, or where the gift card was used, or any details about the recipient's care.
HIPAA Compliance Safeguards
- Protected Health Information (PHI) Boundaries: Gift card transactions contain no PHI as defined under HIPAA. The commerce system processes only payment information, recipient contact details for delivery, and transaction metadata - none of which relates to health status, treatment, or healthcare provision.
- Provider Privacy Protection: Healthcare providers remain completely isolated from the gift card purchasing process. Their clinical documentation, billing, and patient communications operate within established HIPAA-compliant workflows without exposure to gift card purchaser information.
- Audit Trail Separation: Gift card transaction logs are maintained separately from clinical audit trails. HIPAA audit requirements for PHI access remain unaffected by commerce layer activities.
Technical Implementation
Payment Processing
Gift cards utilize the same encrypted, PCI-compliant payment infrastructure as direct patient payments, ensuring financial data protection without creating PHI exposure.
Communication Channels
Gift card notifications are processed through customer service communication channels, distinct from clinical messaging systems used for healthcare communications.
Access Controls
Gift card system access is restricted to commerce and customer service roles. Clinical staff and healthcare providers have no access to gift card purchase or recipient information.
Recipient Privacy Rights
Gift card recipients maintain complete autonomy over their healthcare information. The gift card system creates no ongoing relationship or information sharing between the gift card purchaser and the recipient's healthcare journey.
- No Shared Access: Gift card purchasers cannot access any information about the recipient's use of services, appointment history, or clinical outcomes.
- Standard Patient Rights: Gift card recipients retain all standard HIPAA rights regarding their PHI, including access, amendment, and disclosure accounting rights, unaffected by the gift card payment method.
Compliance Verification
This gift card implementation has been designed to comply with HIPAA privacy and security requirements by maintaining clear boundaries between commerce transactions and protected health information. The system architecture ensures that mental health gift cards operate as standard retail transactions while preserving the complete privacy of healthcare recipients.