HIPAA Compliance Guide
Security requirements and compliance guidelines for handling protected health information (PHI).
HIPAA Compliant Infrastructure
Our healthcare APIs are built on HIPAA-compliant infrastructure with Business Associate Agreements (BAA) available for all healthcare clients.
SOC 2 Type II · HITRUST CSF · BAA Available
Security Controls
| Control | Description | Status |
|---|---|---|
| Encryption at Rest | AES-256 encryption for all stored PHI | Required |
| Encryption in Transit | TLS 1.3 for all API communications | Required |
| Access Logging | Complete audit trail of PHI access | Required |
| Multi-Factor Auth | MFA for all user accounts | Required |
| Role-Based Access | Granular permission controls | Required |
| Session Timeout | Automatic logout after inactivity | Required |
PHI Handling Requirements
| Requirement | Description |
|---|---|
| Data Minimization | Only request and store PHI that is necessary for the intended purpose |
| Audit Logging | All PHI access is logged with user, timestamp, and action details |
| Data Residency | PHI is stored in US-based data centers with geographic controls |
| Breach Response | 24-hour breach notification with incident response procedures |