Legal

HIPAA Notice

How ClinicFlow's technical safeguards map to HIPAA Security Rule requirements.

Last updated: 1 May 2026

ClinicFlow operates as a Business Associate under HIPAA when our healthcare-provider Customers process PHI through the Services. We sign a BAA with every Customer before PHI flows. Operators can request the standard BAA at any time — see our BAA template.

Technical safeguards (45 CFR §164.312)

(a) Access Control

  • Unique user identification — each User has a UUID; every API call is authenticated with a JWT bound to that identity.
  • Emergency access — platform-admin impersonation token; every use is audit-logged.
  • Automatic logoff — configurable session inactivity timeout, enforced when a token is refreshed (an idle session's refresh is refused rather than renewed).
  • Encryption / decryption — narrative PHI is encrypted at the column level with Fernet (AES-128-CBC with HMAC-SHA-256 authentication). AWS KMS envelope encryption is available on Enterprise plans.

(b) Audit Controls

  • Every mutation writes a structured audit record (actor, IP, object, payload, timestamp).
  • Read-side PHI access is also logged; repeated reads of the same object by the same actor within a 60-second window are coalesced into a single record so that list views and polling do not flood the log.
  • The audit log survives right-to-erasure flows: records are kept, and references to the erased subject are rewritten to erased:<uuid>.
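The three behaviours above (one record per mutation, a 60-second coalesce window on reads, and reference rewriting on erasure) in one small in-memory audit log. This is an added illustration, not ClinicFlow's code; the fixed-window rule (measured from the first read, not the latest), the decision to start a new record when the caller's IP changes, and the scrubbing of the payload on erasure are this example's own assumptions, and the identifiers and timestamps are constructed.

```python
import dataclasses
from dataclasses import dataclass
from typing import Optional

COALESCE_WINDOW_S = 60  # the 60-second read coalesce window from the notice


@dataclass(frozen=True)
class AuditRecord:
    actor_id: str
    ip: str
    object_ref: str        # e.g. "note:<uuid>"; rewritten to "erased:<uuid>" on erasure
    action: str            # "read" or a mutation verb such as "update"
    payload: Optional[dict]
    first_seen: float      # unix seconds
    last_seen: float
    count: int = 1         # number of reads folded into this record


class AuditLog:
    """Append-only audit log: mutations always get a fresh record, repeated reads
    of one object by one actor inside the window update the open read record."""

    def __init__(self, window_s: float = COALESCE_WINDOW_S):
        self.window_s = window_s
        self.records: list[AuditRecord] = []
        # (actor_id, object_ref) -> index of the read record still open for coalescing
        self._open_reads: dict[tuple[str, str], int] = {}

    def record_mutation(self, actor_id: str, ip: str, object_ref: str,
                        action: str, payload: Optional[dict], now: float) -> int:
        """Mutations are never coalesced: each one is its own record."""
        self.records.append(AuditRecord(actor_id, ip, object_ref, action, payload, now, now))
        return len(self.records) - 1

    def record_read(self, actor_id: str, ip: str, object_ref: str, now: float) -> int:
        key = (actor_id, object_ref)
        idx = self._open_reads.get(key)
        if idx is not None:
            rec = self.records[idx]
            # Assumption: a fixed window measured from the first read. A sliding window
            # would let a continuous poll hide behind one record indefinitely, and an
            # IP change mid-window is worth its own row for forensics.
            if rec.ip == ip and 0 <= now - rec.first_seen < self.window_s:
                self.records[idx] = dataclasses.replace(rec, last_seen=now, count=rec.count + 1)
                return idx
        self.records.append(AuditRecord(actor_id, ip, object_ref, "read", None, now, now))
        idx = len(self.records) - 1
        self._open_reads[key] = idx
        return idx

    def erase_subject(self, subject_uuid: str) -> int:
        """Right-to-erasure: keep every record, rewrite references to erased:<uuid>.
        Returns the number of records rewritten."""
        suffix = ":" + subject_uuid
        erased_ref = "erased:" + subject_uuid
        rewritten = 0
        for i, rec in enumerate(self.records):
            if rec.object_ref.endswith(suffix):
                # Assumption: the payload is scrubbed too, since it may carry PHI.
                self.records[i] = dataclasses.replace(rec, object_ref=erased_ref, payload=None)
                rewritten += 1
        # Old coalescing keys point at the pre-erasure reference; drop them.
        self._open_reads = {k: v for k, v in self._open_reads.items()
                            if not k[1].endswith(suffix)}
        return rewritten


if __name__ == "__main__":
    # Constructed sample: one actor hammering a note list, then an erasure request.
    log = AuditLog()
    for t in (1000.0, 1010.0, 1030.0):
        log.record_read("user-1", "10.0.0.1", "note:abc", t)
    log.record_mutation("user-1", "10.0.0.1", "note:abc", "update", {"field": "plan"}, 1040.0)
    print(len(log.records), "records before erasure")
    print(log.erase_subject("abc"), "records rewritten")
```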

(c) Integrity

  • Every PHI mutation records updated_by_id.
  • Locked encounters and locked notes are immutable; the AI apply path refuses to write to them.
  • AI-applied changes leave a tombstone on the originating AI invocation, so each change is traceable to the invocation that produced it.

(d) Person or Entity Authentication

  • JWT access tokens with refresh-token rotation.
  • Optional TOTP MFA with single-use recovery codes (stored as SHA-256 hashes).
  • SSO via OIDC against any compliant IdP (Okta, Auth0, Microsoft Entra ID, Google Workspace).
  • Account lockout: 8 consecutive failed attempts trigger a 15-minute cooldown.
  • Password policy: at least 12 characters, at least 3 character classes, no obvious sequences, and the password must not contain the username part of the user's email address.
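The lockout and password rules above, as an added Python example rather than ClinicFlow's own code. What counts as an "obvious sequence" (a run of four consecutive or repeated characters, or a four-key walk along a keyboard row), treating the part of the email before the @ as the username, and resetting the failure counter once a cooldown expires are this example's assumptions; the accounts and passwords are constructed.

```python
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_FAILURES = 8       # 8 failed attempts ...
COOLDOWN_S = 15 * 60   # ... then a 15-minute cooldown
SEQ_RUN = 4            # assumption: a run of 4 is an "obvious sequence"
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def count_char_classes(pw: str) -> int:
    """Lower, upper, digit, other: how many of the four classes appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def has_obvious_sequence(pw: str, run: int = SEQ_RUN) -> bool:
    s = pw.lower()
    # Straight runs of consecutive code points ("abcd", "4321") or repeats ("aaaa").
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas in ({1}, {-1}, {0}):
            return True
    # Keyboard-row walks in either direction ("qwer", "rewq").
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in s or piece[::-1] in s:
                return True
    return False


def validate_password(pw: str, email: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if count_char_classes(pw) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} character classes")
    if has_obvious_sequence(pw):
        errors.append("contains an obvious sequence")
    username = email.split("@", 1)[0].lower()   # assumption: local part is the username
    if username and username in pw.lower():
        errors.append("contains the e-mail username")
    return errors


class LoginThrottle:
    """Per-account failure counter with a hard lockout after MAX_FAILURES."""

    def __init__(self, max_failures: int = MAX_FAILURES, cooldown_s: float = COOLDOWN_S):
        self.max_failures = max_failures
        self.cooldown_s = cooldown_s
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def seconds_locked(self, account: str, now: float) -> float:
        """0.0 if a login may be attempted, else seconds until the cooldown ends."""
        until = self._locked_until.get(account, 0.0)
        if now >= until:
            if account in self._locked_until:
                # Cooldown over: clear the lock and restart the counter (assumption).
                del self._locked_until[account]
                self._failures.pop(account, None)
            return 0.0
        return until - now

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed attempt; True when this attempt triggered the lockout."""
        if self.seconds_locked(account, now) > 0:
            return False  # during cooldown the attempt is rejected before any password check
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = now + self.cooldown_s
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
```

Callers check `seconds_locked()` before verifying the password at all, so a locked account gives the same answer for a correct password as for a wrong one and the lockout cannot be used as an oracle.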

(e) Transmission Security

  • TLS 1.2 or later for all traffic in transit; HSTS with preload and includeSubDomains.
  • Hardening response headers: CSP, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy.
  • WebSocket authentication uses a signed token passed as a query parameter, because browsers cannot set custom headers on the WebSocket handshake.

Administrative safeguards

  • Workforce HIPAA training mandatory at hire and annually thereafter.
  • Documented incident-response plan; [email protected] for vulnerability reports.
  • Annual third-party penetration testing.
  • BAA with every PHI-touching subprocessor (see Subprocessors).

§164.502(e) Business Associate Contracts

ClinicFlow's BAA template is available at /legal/baa. We also require Customers to attest that they hold a BAA with each PHI-touching provider they enable (OpenAI or Anthropic for AI, Daily for video, Twilio for SMS, and so on). The orchestrator refuses to invoke a provider that has no recorded attestation; this is enforced in code, not only by policy.

§164.530(j) Documentation Retention

Audit logs are retained for at least 6 years, the HIPAA documentation-retention minimum. The retention sweeper deletes audit, AI-invocation, notification and job-log rows once they pass their configured TTL; for audit rows that TTL is therefore at least 6 years.

Breach Notification

We notify affected Customers without undue delay (target: within 24 hours of discovery) of any unauthorized access to PHI, with enough detail for Customers to meet their own breach-notification obligations under HHS rules.

For auditors

The internal control matrix that maps each requirement to the codebase lives in docs/COMPLIANCE.md. It is available on request under NDA, together with our latest SOC 2 and ISO 27001 reports.

Contact

Privacy Officer: [email protected]. Security Officer: [email protected].