HIPAA
At a glance
- Statute
- HIPAA Privacy, Security & Breach Notification Rules
- Our role
- Business Associate (BAA available)
- Safeguards
- Administrative, Physical, Technical
- PHI encryption
- AES-256 at rest, TLS 1.2+ in transit
- Audit
- Access logging & monitoring
Business Associate Agreement
Where Desha.ai handles PHI on behalf of a covered entity, we execute a BAA defining permitted uses, safeguards, sub-contractor obligations and breach reporting. PHI is processed only to deliver the contracted service.
Security Rule safeguards
| Safeguard | Examples in the platform |
|---|---|
| Administrative | Risk analysis, workforce training, access management, incident response |
| Physical | Cloud data centres with physical-security attestations; managed device posture |
| Technical | Unique IDs, role-based access, encryption, audit controls, automatic logoff |
Privacy Rule & minimum necessary
- Access to PHI is limited to the minimum necessary for the task, enforced by role-based access control.
- PHI can be redacted in exports and is never used to train third-party foundation models.
- Patients retain rights of access and amendment through the covered entity.
Breach notification
A documented incident-response process supports the covered entity’s breach-notification obligations, including timely reporting of any incident affecting PHI.
Documentation available on request
- Business Associate Agreement (BAA) template
- Security Rule safeguards summary
- Encryption & key-management overview
- Incident-response summary
Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.
