
HIPAA compliance

A snapshot of administrative, physical and technical safeguards mapped to 45 CFR §164. Toggle policy switches to enforce them across the network.

8/9 controls in place · Administrative: 3 · Physical: 2 · Technical: 5 · Open reviews: 1
§164.312(a)(1)
Role-based access control
In place

Practitioners see their clinic; patients see their own chart; admins see the network. Enforced at the database with Row Level Security.

§164.312(b)
Audit controls
In place

Every privileged action is recorded with actor, target, and timestamp. 7-year retention. CSV export for review.

§164.312(c)
Integrity
In place

Clinical notes are signed; outcomes records carry a hash. Tampering invalidates the signature.

§164.312(e)
Transmission security
In place

TLS 1.3 in transit. HSTS preload. Certificate pinning for mobile.

§164.312(a)(2)(iv)
Encryption at rest
In place

AES-256 disk encryption on Postgres and object storage. KMS-managed keys.

§164.308(a)(5)
MFA enforcement
In place

Require multi-factor authentication for every practitioner, staff, and admin account.

§164.312(a)(2)(iii)
Auto-logoff (15 min idle)
In place

Sessions terminate after 15 minutes of inactivity on clinical surfaces.

§164.524
Patient access & export
In place

Patients can download their full record (sessions, outcomes, notes) in machine-readable format on request.

§164.308(b)
Business Associate Agreements
Review

BAAs on file with all sub-processors (database, storage, email, telemetry).

This view is illustrative of the production posture. The demonstrator stores only synthetic data — no PHI is in play.
Demonstrator — not a production clinical system