← Back to Trust Center

HIPAA Compliance

Protecting Sensitive Healthcare Information with Enterprise-Grade Security

1. What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information.

Healthcare organizations must ensure the confidentiality, integrity, availability, accountability, and secure access of Protected Health Information (PHI) at all times.

Hypocrates provides the administrative, technical, and physical safeguards needed to help our covered entity customers support compliance.

2. Protected Health Information (PHI) Secured

Hypocrates secures critical clinical records within our environment including:

• Patient names, dates of birth, and contact information

• Medical histories, diagnoses, and treatment plans

• Clinical consultation audio files, transcriptions, and SOAP notes

• Imaging records, prescription histories, and laboratory results

• Appointment logs, billing details, and insurance communication

3. Administrative Safeguards

Hypocrates implements rigorous administrative controls to manage security parameters:

Role-Based Access Control (RBAC): Restricts access parameters based on workforce roles (e.g., Owners, Admins, Doctors, Nurses, Receptionists, Assistants).

Identity & Session Management: Individual account authorization, password complexity rules, and session controls.

Detailed Audit Logging: Automatic logging of record access, editing events, metadata updates, and account configurations.

Workforce Security Training: Mandatory HIPAA compliance and security training for all Hypocrates personnel.

4. Technical Safeguards

We utilize advanced technical protocols to prevent unauthorized access to PHI:

Data Encryption: All PHI is encrypted in transit using TLS 1.3 and at rest using AES-256 standard keys.

Secure Authentication: Support for strong password enforcement and multi-factor authentication (MFA).

Automatic Session Timeout: Interactive user sessions are automatically timed out after periods of inactivity to protect physical workstations.

Continuous Monitoring: Ongoing log analysis, threat intelligence reporting, and security anomaly detection.

5. Physical Safeguards

Our physical hosting environment supports rigorous facility access controls:

Secure Data Centers: Hosted in enterprise-grade, certified cloud data center facilities with physical access barriers, security patrols, and biometric checks.

Workstation Security: Policies restricting physical storage of PHI on employee workstations or portable media.

Device Disposal: Secure data wiping and destruction protocols for media and server drives.

6. Audit Logging Details

The platform records detailed logs across various event types for accountability:

Authentication Events: Login attempts, logouts, password changes, and MFA verifications.

Data Operations: Viewing records, downloading documents, editing SOAP notes, and record deletion.

Administrative Actions: Permission edits, role changes, and account provisioning.

7. Incident Response & Breach Notification

Hypocrates maintains detailed incident response procedures for detecting, containing, and recovering from potential security incidents.

In the event of a confirmed breach affecting PHI, we will notify affected covered entities within 60 calendar days of discovery, or as required by the HIPAA Breach Notification Rule, whichever is sooner.

8. Vendor & Subprocessor Management

All third-party vendors and subprocessors who handle PHI on behalf of Hypocrates are subject to strict security vetting.

We execute Business Associate Agreements (BAAs) containing equivalent security and data protection requirements with all such vendors.

9. Business Associate Agreement (BAA)

Under HIPAA, Hypocrates acts as a Business Associate to our healthcare provider customers (Covered Entities).

We require a signed Business Associate Agreement (BAA) to be in place before processing or importing any PHI. You can request or execute our standard BAA by contacting our legal team at legal@hypocrates.com.