2.2 · Our Approach
The Security Rule Safeguards
The HIPAA Security Rule lists the specific protections every system that handles Protected Health Information must have in place. The list is the practical answer to the question "what does it actually mean to be HIPAA secure." The rule organizes safeguards into three categories: Technical, Administrative, and Physical. This page walks through each category and notes how our platform satisfies it.
Technical safeguards
Protections built into the software and infrastructure. Most are configuration decisions made once and verified during audits.
| Safeguard | How we satisfy it |
|---|---|
| Encryption in transit | Every browser-to-platform request uses HTTPS. Internal calls between AWS services use AWS’s private network with encrypted transport. No path moves Protected Health Information unencrypted. |
| Encryption at rest | RDS Aurora and S3 encrypt stored data with AES-256 using AWS-managed keys. On by default for our resources, verified through the AWS console. |
| Strong authentication | Every login requires a password plus a second factor (authenticator app or hardware key). No shared accounts. Service-to-service authentication uses short-lived IAM credentials, never permanent API keys. |
| Access controls | Every record carries the clinic ID it belongs to. Row-level security in Postgres prevents clinic A from reading clinic B’s data even if the application code has a bug. The same logic applies to S3 bucket policies and Cognito group membership. |
| Automatic session timeout | Logged-in sessions expire after a configurable period of inactivity, forcing fresh authentication before sensitive data is exposed again. |
| Audit logging | Every read or write of regulated data is recorded in an append-only audit log: who acted, what record they touched, what fields, when, and from where. Tamper-evident and retained for six years per HIPAA. |
| Integrity controls | Database transactions are atomic. File uploads are checksummed. Audit log entries are immutable. We can prove data has not been silently altered. |
| Scrubbing before logging | Application logs run through a scrubbing helper that strips known Protected Health Information fields before the log line reaches CloudWatch. A crash report does not become a HIPAA incident on its own. |
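The tamper-evident, append-only audit log described above, as an added illustration rather than the platform's own code: entries are hash-chained so that a silent edit or deletion of any earlier entry is caught by verification (names, field sets and timestamps are constructed sample data).

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical tamper-evident audit log (not the platform's own code): each
# entry's hash covers the previous entry's hash, so editing or deleting any
# earlier entry changes every hash after it and verification fails.
GENESIS = "0" * 64


def _digest(prev_hash, entry):
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, actor, action, record_id, fields, source_ip, ts):
        """Record who acted, which record and fields, when and from where."""
        entry = {"actor": actor, "action": action, "record": record_id,
                 "fields": sorted(fields), "ip": source_ip, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first entry that breaks the chain, else None."""
        prev = GENESIS
        for i, stored in enumerate(self.entries):
            body = {k: v for k, v in stored.items() if k != "hash"}
            if _digest(prev, body) != stored["hash"]:
                return i
            prev = stored["hash"]
        return None


def demo():
    """Constructed sample: three entries, then a silent edit of entry 1."""
    log = AuditLog()
    log.append("dr.lee", "read", "pt-1042", ["dob", "diagnosis"], "10.0.4.7", "2024-03-01T09:12:00Z")
    log.append("nurse.kim", "write", "pt-1042", ["allergies"], "10.0.4.9", "2024-03-01T09:15:30Z")
    log.append("dr.lee", "read", "pt-2210", ["ssn"], "10.0.4.7", "2024-03-01T09:20:05Z")
    intact = log.verify()            # None: chain is consistent
    log.entries[1]["fields"] = []    # someone erases which fields were written
    return intact, log.verify()      # (None, 1): the edited entry is flagged
```

A chain only proves consistency with its own head, so the latest hash should also be copied periodically to storage the database writer cannot modify; that is what makes a rewrite of the whole chain detectable.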
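The scrubbing-before-logging step, as an added example and not the platform's own helper: it redacts a configurable set of known Protected Health Information field names anywhere in a structured log event, including nested objects and lists, and masks SSN-shaped values in free text so a crash report can be shipped to a log sink (the field list, regex and crash report below are constructed assumptions).

```python
import json
import re

# Hypothetical scrubbing helper (not the platform's own code). Field-name
# matching is a denylist, so new PHI fields must be added here when the
# data model changes; the regex catches SSNs that leak into free-text values.
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "diagnosis", "address", "phone"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
REDACTED = "[REDACTED]"


def scrub(event):
    """Return a copy of the event with PHI fields and SSN-like strings redacted."""
    if isinstance(event, dict):
        return {k: (REDACTED if k.lower() in PHI_FIELDS else scrub(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [scrub(v) for v in event]
    if isinstance(event, str):
        return SSN_RE.sub(REDACTED, event)
    return event  # numbers, booleans, None pass through unchanged


def log_line(level, msg, **context):
    """Serialize a log record after scrubbing, as the helper would before the sink."""
    record = {"level": level, "msg": scrub(msg), **scrub(context)}
    return json.dumps(record, sort_keys=True)


# Constructed crash report: identifiers the clinic needs for debugging stay,
# patient data does not.
CRASH = {
    "error": "KeyError: 'insurance_id'",
    "request": {"clinic_id": "clinic-17", "path": "/patients/pt-1042"},
    "record": {"patient_name": "Jane Doe", "dob": "1980-02-14", "ssn": "123-45-6789",
               "notes": ["follow-up in 2 weeks", "SSN on file: 123-45-6789"]},
}


def demo():
    return log_line("error", "unhandled exception while rendering chart", **CRASH)
```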
Administrative safeguards
Organizational policies and human practices. The technical layer protects the data; the administrative layer protects the operation.
| Safeguard | How we satisfy it |
|---|---|
| Designated security officer | One person is named in writing as responsible for HIPAA security. For now that is the founder. As the team grows, the role may be split or formally delegated. |
| Annual risk assessment | Once a year we document the threats, the controls in place, and the residual risk we accept. The Annual Risk Assessment Log page is where these are kept. |
| Workforce training | Every person with access to regulated systems has completed HIPAA awareness training and signed an acknowledgment. Training is repeated annually. |
| Incident response plan | A written runbook covers what to do when a breach is suspected: who is notified, in what order, what gets contained, what gets logged, and when the breach notification clocks start. Held on the Incident Response Runbook page. |
| Sanctions policy | If a workforce member violates HIPAA rules, the consequence is documented in advance, not improvised. A deterrent and an audit requirement. |
| Vendor management | The BAA Status page is the canonical list of every vendor in the regulated chain, what they do, and the date their agreement was signed. Adding a new vendor requires their agreement to be signed first. |
Physical safeguards
Protections for the physical hardware and workstations. Most are handled by our vendors; a few are on us.
| Safeguard | How we satisfy it |
|---|---|
| Data center security | AWS handles physical access to servers: locked facilities, badge controls, surveillance, environmental protection. Covered by their Business Associate Agreement. |
| Workstation security | Any laptop or device used to access regulated systems must have full-disk encryption, a strong login password, and automatic screen lock after a short idle period. No passwords on sticky notes. No shared workstations. |
| Device disposal | Old laptops or hard drives that may have held regulated data are wiped using a documented procedure before disposal, transfer, or resale. |
How this gets audited
If HHS audits the platform, they will not run our code. They will ask for evidence: the signed Business Associate Agreements, the workforce training records, the most recent risk assessment, sample audit log entries, the incident response runbook, and the sanctions policy. Most of the actual technical protection is verified by simply showing them how the system is configured and pointing to the vendor agreements that lock the infrastructure in place. The administrative paperwork is what they spend the most time on, which is why we keep all of it inside this Compliance section rather than scattered across drives and email threads.