3.4 · Operations

Action Items

This page lists the gap between the current "business operations product" and the eventual "Protected Health Information ready product." Each item is a real blocker, not a nice-to-have. Doing them in roughly this order keeps each step independently useful, so the platform never sits in a half-complete state.

In order

1. Set up the AWS account and sign the BAA

The first step in the chain. The AWS Setup Checklist page walks this end to end. Without it, none of the downstream items can begin. Status: AWS account created and the AWS Business Associate Addendum signed on June 3, 2026. Account hardening (admin user, CLI access) in progress.

2. Replace the in-memory client store with RDS Postgres

Stand up the regulated database with encryption at rest, automated backups, and row-level security. Migrate the existing application data away from in-memory storage. Status: not started, blocked on Step 1.

3. Wire S3 for file uploads

Configure encrypted S3 buckets with bucket policies that enforce per-clinic isolation. Build the application upload path so files go directly to S3 via signed URLs. Status: not started, blocked on Step 1.

4. Move AI extraction to AWS Bedrock

Replace the current OpenAI gpt-4o-mini call routed through Vercel AI Gateway with an Anthropic Claude call routed through Bedrock. This is the change that unlocks Protected Health Information flowing through the AI layer. Status: not started, blocked on Step 1.

5. Add authentication and role-based access control

Stand up Cognito with multi-factor authentication and define the roles: Owner, Consultant, Clinic Admin, Clinic Staff. Bind every regulated route to a role check. Status: not started, blocked on Step 1.

6. Add audit logging for every read and write of regulated data

Append-only audit log table recording: who acted, what record, what fields, when, from where. Tamper-evident and retained for six years per HIPAA. Status: not started, blocked on Step 2.

7. Complete a HIPAA Security Risk Analysis

Required by the Security Rule. Document the threats, the controls in place, the residual risk we accept, and the actions taken to mitigate. Stored on the Annual Risk Assessment Log page. Status: not started, can begin once Steps 1 through 6 are complete enough to document accurately.

8. Publish internal Privacy and Security policies

These policies apply internally to our consulting practice in its role as a Business Associate, and are distinct from the policies we publish for clinic clients. Status: not started.

9. Set up the breach response plan tuned to FIPA

The Florida Information Protection Act imposes a 30-day notification clock for affected Florida residents. Codify the plan on the Incident Response Runbook page. Status: not started.

10. Multi-tenant data isolation review

Each clinic’s data must be cleanly partitioned at the database, file storage, and authentication layers. Run a deliberate review of every regulated table and bucket to confirm. Status: not started, blocked on Steps 2 through 6.
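As an added illustration of what Steps 2, 6 and 10 mean at the database layer (example schema, not the project's own): Postgres row-level security keyed on a per-request clinic setting, plus an append-only audit table whose rows are hash-chained so a deleted or edited entry is detectable. Table, column and setting names (clients, audit_log, app.clinic_id) are assumptions.

```sql
-- Added example, not the project's schema; names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides digest()

CREATE TABLE clients (
    id        bigserial PRIMARY KEY,
    clinic_id uuid NOT NULL,
    full_name text NOT NULL
);

-- The application sets app.clinic_id once per request from the
-- authenticated session (assumed to come from the Cognito token).
-- current_setting(..., true) returns NULL when unset, so a request that
-- forgot to set it sees no rows instead of every clinic's rows.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;   -- owner is not exempt
CREATE POLICY clinic_isolation ON clients
    USING      (clinic_id = current_setting('app.clinic_id', true)::uuid)
    WITH CHECK (clinic_id = current_setting('app.clinic_id', true)::uuid);

-- Audit log: who acted, what record, what fields, when, from where.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    actor_id    text NOT NULL,
    table_name  text NOT NULL,
    record_id   text NOT NULL,
    fields      text[] NOT NULL,
    action      text NOT NULL,           -- 'read', 'insert', 'update'
    source_ip   inet,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   text,                    -- row_hash of the previous entry
    row_hash    text NOT NULL
);
-- Append-only: the application role may INSERT and SELECT, never change.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;

-- Hash chain: each row commits to the one before it, so removing or
-- altering an entry breaks verification. Serialize inserts in production
-- (e.g. an advisory lock) so two writers cannot pick the same prev_hash.
CREATE FUNCTION audit_log_chain() RETURNS trigger AS $$
BEGIN
    SELECT row_hash INTO NEW.prev_hash FROM audit_log ORDER BY id DESC LIMIT 1;
    NEW.row_hash := encode(digest(coalesce(NEW.prev_hash, '') || NEW.actor_id
        || NEW.table_name || NEW.record_id || NEW.action
        || array_to_string(NEW.fields, ',') || NEW.occurred_at::text,
        'sha256'), 'hex');
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER audit_log_hash BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_chain();
```

Per request the application runs SET LOCAL app.clinic_id = '<clinic uuid>' inside the transaction; the review in Step 10 then amounts to confirming every regulated table carries a policy like clinic_isolation and every regulated bucket has the matching S3 policy.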

Already complete

  • Added a "do not paste Protected Health Information" guardrail to AI inputs. Visible on the Smart Paste panel inside New Client. This kept the platform safe to use during the transition while the AI path was still routed through a non-BAA-covered provider.

How to use this list

Treat this as the canonical roadmap for getting the platform to Protected Health Information readiness. Each completed step is a real unlock that allows the platform to take on workloads it could not before. Until all ten are complete, the Allowed in This Software page sets the boundary on what can flow through the platform.