HIPAA posture

This page documents Dental Refer's engineering and operational controls for HIPAA. It is informational; the binding document for any covered-entity subscriber is the executed Business Associate Agreement.

Administrative safeguards

Information access management with role-based authorization and a documented incident response runbook with on-call rotation are live today. The formal Security Officer / Privacy Officer designation, workforce sanction policy, and security-awareness training program (covering all workforce members) are documented and being finalized as part of pilot readiness.

Technical safeguards

Unique user identifier per workforce member. Automatic session logoff (30-minute idle, 12-hour absolute). Encryption + decryption of PHI at rest (AES-256-GCM envelope encryption, Phase C runtime-proven) and in transit (TLS 1.2+ minimum). Audit controls: immutable, hash-chained audit_log on every PHI read, write, and attachment download.

Physical safeguards

Production infrastructure hosted on Vercel (SOC 2 Type 2) + Neon Postgres (HIPAA-ready, BAA available) + Cloudflare R2 (SOC 2 Type 2 + HIPAA-eligible) + AWS SES (HIPAA-eligible, BAA available). No PHI on developer laptops; remote work uses encrypted endpoints with corporate-grade access policies.

Minimum necessary

API responses scope PHI fields to the operation. Roles see only what their role needs. Audit metadata uses hashed identifiers (hashRecipient, hashEmail, hashId) — never raw PHI. PHI is never included in logs, error messages, or external API payloads (including AI services until BAA execution).

Business associate agreements (BAAs)

A BAA is executed with Paubox, our HIPAA-compliant email/PHI transport. BAAs with our other subprocessors — Neon (database), Cloudflare (storage + CDN), AWS (SES / S3), Twilio (SMS), and SRFax (eFax) — are being executed as part of pilot readiness. Anthropic (Claude API) BAA is pending — all AI features ship inert until it is executed. We provide a BAA to subscribers on request; contact [email protected].

Patient rights

Patients have rights to access, amend, accounting of disclosures, and restrictions on use. Implementation supports patient view of their referral status (patient portal) and structured audit log queries by the patient's referring office. Requests to access or delete patient records are routed through the referring office under the Privacy Rule's designated record set rules.

Breach response

Defined incident response runbook with 24/72-hour triage SLAs. Notification within 60 days of discovery for breaches affecting > 500 individuals (HHS + media); within 60 days for smaller breaches (HHS annual report). Subscribers notified per BAA terms. Mandatory documentation retained for 6 years.

Requesting a BAA or breach disclosure

Email [email protected] with your organization details. We countersign BAAs within 5 business days under standard terms; custom terms reviewed case-by-case.

See also Security for engineering controls and About.