Trust · HIPAA
HIPAA (Health Insurance Portability and Accountability Act) governs the privacy and security of protected health information (PHI) handled by covered entities — healthcare providers, health plans, healthcare clearinghouses — and their business associates. The HITECH Act extends these requirements with breach-notification rules and audit enforcement.
What it is, what it covers
Healthcare engagements have a sharp boundary: ePHI flows only through BAA-covered components. Prosigns engineers healthcare workloads with that boundary explicit in the architecture from kickoff. Vendor selection, network segmentation, key management, and audit logging are designed before any patient data touches the system, not retrofitted after a Privacy Officer's review.
Our security and compliance practice CITADEL co-pilots every healthcare engagement. The Privacy Rule, Security Rule, and Breach Notification Rule each map to specific architectural commitments — administrative, physical, and technical safeguards — that we operate as a side-effect of normal delivery. Documentation of risk analysis, workforce training, and incident-response procedures is produced and retained per HHS expectations.
We do not substitute for your Privacy Officer. We engineer the systems they govern, and we make their compliance obligations easier by producing the evidence in the form OCR pulls expect.
Scope
HIPAA applies to covered entities and their business associates whenever ePHI is created, received, maintained, or transmitted. Engagements with healthcare deliverables are scoped against the standard from the first architecture review; our role is typically business associate, with a BAA executed before any ePHI flows into a Prosigns-engineered component.
Engineering controls
These are the Prosigns engineering practices that produce HIPAA-aligned evidence as a side-effect of normal delivery. Each control carries a specific regulatory reference where applicable.
ePHI flows exclusively through HIPAA-eligible cloud services and BAA-covered third parties. Service selection happens at architecture review with the BAA chain documented end-to-end. Components without a BAA are explicitly out-of-scope for ePHI; the architecture enforces the boundary at the network and IAM layers.
Security Rule §164.308(b)(1) (Business associate contracts)
TLS 1.2+ for all transmission of ePHI. At-rest encryption on all storage that holds ePHI, with customer-managed keys (KMS) where the customer's risk analysis requires. Key-rotation and key-access policies documented; key-access events logged to immutable audit trails.
Security Rule §164.312(a)(2)(iv), (e)(2)(ii) (Encryption)
Role-based access reviewed quarterly; just-in-time access via short-lived credentials for production sessions. MFA enforced on all admin access. Workforce-clearance checks documented per HIPAA Security Rule expectations; workstation security configured per the engagement's risk analysis.
Security Rule §164.308(a)(3), §164.312(a)(1) (Workforce security, Access control)
Application, infrastructure, and access logs retained for at least 6 years per HIPAA documentation-retention requirements. Log integrity tamper-protected. ePHI access logged at user-action granularity; queries against ePHI tied to actor identity.
Security Rule §164.312(b), §164.316(b)(2) (Audit controls, Documentation retention)
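To make the logging control above concrete, here is an added example (not Prosigns' or CITADEL's own code) of a tamper-evident ePHI access log: every entry records the authenticated actor together with the query they ran, each entry is hash-chained to the previous one, and the head of the chain is sealed with an HMAC whose key would live with the log service rather than on application hosts. The event fields, timestamps, actor names and the seal key are all constructed for the demonstration.

```python
"""Hash-chained, sealed audit log for ePHI access events (added example)."""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the hash does not depend on dict key order.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_access_event(log: list, ts: str, actor: str, action: str,
                        patient_id: str, query: str) -> dict:
    """Record one user-level action against ePHI, chained to the previous entry."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,            # authenticated identity, never a shared service account
        "action": action,          # e.g. READ, EXPORT
        "patient_id": patient_id,
        "query": query,            # the query or API call, tied to the actor above
        "prev_hash": prev_hash,    # links this entry to its predecessor
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("prev_hash") != expected_prev:
            return False, i  # a predecessor was altered or removed
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("entry_hash"):
            return False, i  # this entry's own content was edited
        expected_prev = entry["entry_hash"]
    return True, None


def seal_head(log: list, seal_key: bytes) -> str:
    """HMAC over the head hash; the key is held by the log service (e.g. in KMS), not by app hosts."""
    head = log[-1]["entry_hash"] if log else GENESIS_HASH
    return hmac.new(seal_key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_seal(log: list, seal_key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_head(log, seal_key), seal)


def demo() -> dict:
    seal_key = b"constructed-demo-key-keep-real-keys-in-kms"  # constructed, not a real key
    log = []
    # Constructed sample events: one clinician read, one export, one follow-up read.
    append_access_event(log, "2024-03-01T09:00:00Z", "dr.rivera", "READ",
                        "pt-1001", "GET /patients/pt-1001/labs")
    append_access_event(log, "2024-03-01T09:05:00Z", "analyst.chen", "EXPORT",
                        "pt-1001", "SELECT * FROM lab_results WHERE patient_id='pt-1001'")
    append_access_event(log, "2024-03-01T09:07:00Z", "dr.rivera", "READ",
                        "pt-1002", "GET /patients/pt-1002/notes")
    seal = seal_head(log, seal_key)

    # 1. Edit an entry to hide who ran the export: its hash no longer matches.
    edited = deepcopy(log)
    edited[1]["actor"] = "svc-batch"
    edit_result = verify_chain(edited)

    # 2. Recompute the edited entry's hash too: the next entry's prev_hash now mismatches.
    body = {k: v for k, v in edited[1].items() if k != "entry_hash"}
    edited[1]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    rehash_result = verify_chain(edited)

    # 3. Drop the last entry: the chain still verifies, which is why the seal exists.
    truncated = log[:-1]

    return {
        "intact": verify_chain(log),
        "seal_ok": verify_seal(log, seal_key, seal),
        "edit_detected": edit_result,
        "rehash_detected": rehash_result,
        "truncated_chain": verify_chain(truncated),
        "truncated_seal_ok": verify_seal(truncated, seal_key, seal),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone detects edits and insertions inside the log, but a truncation (deleting the most recent entries) leaves a valid chain, so the head must be periodically sealed or shipped to a write-once store that the application tier cannot modify; in practice the seal key belongs in the same KMS whose key-access events this log records.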
Per-engagement risk analysis covering vulnerabilities, threats, likelihood, and impact across the ePHI flow. Findings retained per HIPAA documentation-retention requirements; remediation tracked with explicit owner, mitigation, and review date.
Security Rule §164.308(a)(1)(ii)(A) (Risk analysis)
Documented incident-response procedures with named roles, communication paths, and HITECH-compliant 60-day breach-notification flows. Tabletop exercises run quarterly; post-incident reviews land in the runbook so the next response is faster than the last.
Security Rule §164.308(a)(6), HITECH §13402 (Notification)
Clinical AI is evaluated for performance disparities across demographic strata before deployment. Ground-truth datasets are stratified; performance metrics are reported per stratum; deployment is contingent on the stratified results meeting the engagement's equity floor. Bias monitoring continues post-deployment with drift alerting.
OCR Section 1557 anti-discrimination guidance for AI-supported clinical decisions
Honest posture
Prosigns engineers healthcare workloads aligned to HIPAA / HITECH with CITADEL co-piloting every engagement. We are not a covered entity; on engagements where ePHI flows through Prosigns-engineered components, we operate as a business associate under a fully executed BAA, with downstream subprocessor BAAs as required.
Audit pack contents
Engagement-scoped to the HIPAA deliverable. Available on request under NDA, same business day for procurement and InfoSec review.
Where it applies
Hospitals, payers, life sciences, and digital-health workloads with ePHI.
Health-savings accounts and insurance-adjacent payments with ePHI overlap.
State Medicaid programs, public-health workloads, and VA integrations.
Services we deliver
Clinical agents with BAA-covered model endpoints, retrieval grounding, and human-in-the-loop on impact decisions.
EHR integrations, patient portals, and clinical workflow apps with ePHI flow scoping.
BAA-covered cloud topology (AWS, Azure, GCP) with HIPAA-eligible service selection.
Frequently asked
Yes. We sign a BAA before any ePHI flows into a Prosigns-engineered component. Our standard BAA is available on request; we also accept customer-paper BAAs subject to legal review. The downstream subprocessor BAA chain is documented end-to-end so the audit trail walks cleanly from your BAA with us through to the cloud provider's BAA with us.
AWS, Azure, and GCP each publish HIPAA-eligible service lists. We select from those lists at architecture review and document the selection. Components without HIPAA eligibility are explicitly out-of-scope for ePHI; the architecture enforces the boundary at the network and IAM layers. Eligibility lists change; we re-verify per engagement.
BAA-covered model endpoints (AWS Bedrock with HIPAA eligibility, Azure OpenAI under the Azure HIPAA BAA, Vertex AI on GCP per their BAA scope) are the default for clinical AI workloads. Retrieval grounding cites source documents; human-in-the-loop is required on impact decisions. Equity-aware evaluation runs before deployment and post-deployment drift monitoring continues.
HITRUST Common Security Framework is an industry-led control framework that maps to HIPAA, HITECH, and several other standards. We engineer to HITRUST CSF expectations on engagements that scope it; HITRUST assessments themselves are run by certified assessors and we coordinate evidence pulls with your assessor of record.
Yes, for engagements where the deliverable is regulated as a medical device. SaMD adds the IEC 62304 software lifecycle, FDA Quality System Regulation, and 21 CFR Part 11 records-and-signatures requirements on top of HIPAA. We engineer the lifecycle and validation evidence to support FDA submission paths; substantial equivalence (510(k)) and de novo classifications are SME work that is typically a co-engagement with your regulatory affairs team.
Yes. State health-privacy regimes typically extend HIPAA's protections — Texas HB 300 broadens the definition of covered entities, California CMIA adds patient-access timelines. We document the applicable regime per engagement and engineer the controls to the strictest applicable standard.
Talk to us
CITADEL co-pilots every regulated engagement. A senior engineer and a department lead join the first call. The audit pack is delivered on the same business day.