
HIPAA Compliance Guide

Healthcare Privacy and Security Compliance (45 CFR Part 164)

Healthcare AI Add-On Required: HIPAA compliance features require the Healthcare AI Add-On ($799/month) or Enterprise Plus tier. This includes BAA tracking, patient rights management, PHI logging, and DICOM processing.

What HIPAA Features Are Available?

BAA Tracking

§ 164.504(e) - Business Associate Agreement management with expiration alerts

Patient Rights

§ 164.524 - Access requests with 30-day deadline tracking

PHI Disclosure Logs

§ 164.528 - Accounting of disclosures with 6-year retention

DICOM De-identification

Remove PHI from medical imaging (X-rays, MRIs, CT scans)

Business Associate Agreements (§ 164.504(e))

A Business Associate Agreement (BAA) is a contract required by HIPAA when you share PHI with a third party (cloud provider, payment processor, etc.).

When Do You Need a BAA?

  • Cloud storage providers (AWS, Azure, Google Cloud)
  • EHR system vendors (Epic, Cerner)
  • Payment processors handling PHI
  • Analytics vendors with access to patient data

Expiration Alert System

Automatic Alerts: The platform sends expiration warnings at:

  • 90 days before expiration: LOW
  • 60 days before expiration: MEDIUM
  • 30 days before expiration: HIGH
  • Expired: CRITICAL

Quick Start: Add a BAA

  1. Navigate to the Healthcare Dashboard: go to Dashboard → Healthcare → BAA Management
  2. Click "Add BAA Record": enter the business associate name, type, and agreement details
  3. Set the expiration date: the system will automatically send renewal alerts

Patient Rights Requests (§ 164.524)

Under HIPAA, patients have the right to access their Protected Health Information (PHI). You must respond within 30 days (extendable to 60 days with written notice).

30-Day Deadline: The clock starts the day the request is received. Our platform automatically calculates the deadline and tracks compliance.

Request Types Supported

ACCESS_TO_RECORDS

§ 164.524 - Right to access PHI

AMENDMENT

§ 164.526 - Right to amend PHI

ACCOUNTING_OF_DISCLOSURES

§ 164.528 - Right to disclosure history

RESTRICTION_REQUEST

§ 164.522 - Request to restrict use

Timeline Tracking

Day 1
Request Received

Platform logs request, calculates 30-day deadline automatically

Day 25
Extension Option

If needed, request 30-day extension (must notify patient in writing)

Day 30/60
Response Due

Must provide access or denial with written explanation

PHI Processing Logs (§ 164.528)

HIPAA requires you to maintain an Accounting of Disclosures - a record of every time PHI is disclosed outside of treatment, payment, or healthcare operations.

6-Year Retention: Under § 164.530(j), these records must be retained for 6 years. The platform enforces this - you cannot delete PHI logs within the retention period.

What Gets Logged?

  • Disclosures: Who received PHI, when, and why
  • Access: Internal access to PHI by staff
  • Legal Basis: Authorization, treatment, required by law, etc.
  • Minimum Necessary: § 164.502(b) compliance tracking
  • Breach Risk: Potential breach assessment and risk level

Retention Status

  • WITHIN_RETENTION: cannot delete
  • APPROACHING_END: less than 1 year of retention left
  • PAST_RETENTION: can delete
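The three clocks described above (BAA expiration alerts, the 30-day patient request deadline with its one written extension, and the 6-year retention guard on PHI logs) in one added example. This is illustrative code, not the platform's own implementation; the thresholds, levels and status names are the page's, while counting the deadline as 30 calendar days after receipt and treating a BAA as expired once today is past its expiration date are this example's assumptions.

```python
from datetime import date, timedelta

# Added example, not the platform's code. Thresholds, levels and statuses are the ones the page
# states; counting the deadline as 30 calendar days after receipt is this example's assumption.
BAA_ALERTS = [(30, "HIGH"), (60, "MEDIUM"), (90, "LOW")]   # (at most this many days left, level)
RESPONSE_DAYS = 30      # § 164.524: 30 days, extendable once by 30 with written notice
RETENTION_YEARS = 6     # § 164.530(j)

def _d(iso):
    return date.fromisoformat(iso)

def baa_alert_level(expires_on, today):
    """Alert level for a BAA from ISO dates; None while more than 90 days remain."""
    days_left = (_d(expires_on) - _d(today)).days
    if days_left < 0:
        return "CRITICAL"                         # past the expiration date
    return next((level for limit, level in BAA_ALERTS if days_left <= limit), None)

def request_deadline(received_on, extension_notice_on=None):
    """Due date (ISO) for a § 164.524 request; a written notice sent no later than the
    original deadline extends it by 30 days, a later notice is rejected."""
    deadline = _d(received_on) + timedelta(days=RESPONSE_DAYS)
    if extension_notice_on is not None:
        if _d(extension_notice_on) > deadline:
            raise ValueError("extension notice must be sent by the 30-day deadline")
        deadline += timedelta(days=RESPONSE_DAYS)
    return deadline.isoformat()

def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                            # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def retention_status(logged_on, today):
    """(status, scheduled deletion date) for a PHI log entry under the 6-year rule."""
    release = _add_years(_d(logged_on), RETENTION_YEARS)
    if _d(today) >= release:
        return "PAST_RETENTION", release.isoformat()
    if _add_years(_d(today), 1) > release:        # less than one year of retention left
        return "APPROACHING_END", release.isoformat()
    return "WITHIN_RETENTION", release.isoformat()

def delete_phi_log(logged_on, today):
    """Retention guard: refuse deletion inside the window and report the scheduled date."""
    status, release = retention_status(logged_on, today)
    if status != "PAST_RETENTION":
        raise PermissionError(f"{status}: log cannot be deleted before {release}")
    return release
```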

DICOM Medical Imaging De-identification

Medical imaging files (DICOM format) contain embedded PHI in metadata tags. The platform detects and helps remove these identifiers for Safe Harbor compliance.

PHI Tags Monitored (11 High-Risk Tags)

  • (0010,0010) - PatientName - HIGH
  • (0010,0020) - PatientID - HIGH
  • (0010,0030) - PatientBirthDate - HIGH
  • (0008,0090) - ReferringPhysicianName - HIGH
  • (0032,1032) - RequestingPhysician - HIGH
  • (0010,21C0) - PregnancyStatus - HIGH
  • (0010,0040) - PatientSex - MEDIUM
  • (0010,1010) - PatientAge - MEDIUM
  • (0008,0080) - InstitutionName - MEDIUM
  • (0008,1070) - OperatorName - MEDIUM
  • (0010,1030) - PatientWeight - LOW

Zero-Upload Architecture: DICOM files are processed client-side. Only metadata tags are sent to the API for analysis - the actual image never leaves your device.
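An added example of the tag-level scan and blanking described above, written without a DICOM library so it runs offline; it is not Scrub Metadata's code. It assumes an explicit VR little-endian dataset body (Part 10 preamble and group 0002 file meta already stripped) containing only 2-byte-length VRs, and the sample dataset and its values are constructed for the example.

```python
import struct

# Added example, not the platform's code: the 11 monitored tags from the table above.
PHI_TAGS = {
    (0x0010, 0x0010): ("PatientName", "HIGH"), (0x0010, 0x0020): ("PatientID", "HIGH"),
    (0x0010, 0x0030): ("PatientBirthDate", "HIGH"), (0x0008, 0x0090): ("ReferringPhysicianName", "HIGH"),
    (0x0032, 0x1032): ("RequestingPhysician", "HIGH"), (0x0010, 0x21C0): ("PregnancyStatus", "HIGH"),
    (0x0010, 0x0040): ("PatientSex", "MEDIUM"), (0x0010, 0x1010): ("PatientAge", "MEDIUM"),
    (0x0008, 0x0080): ("InstitutionName", "MEDIUM"), (0x0008, 0x1070): ("OperatorName", "MEDIUM"),
    (0x0010, 0x1030): ("PatientWeight", "LOW"),
}
LONG_LENGTH_VRS = ("OB", "OW", "OF", "SQ", "UT", "UN")  # 4-byte length form; out of scope here

def element(group, elem, vr, value):
    """Encode one explicit-VR little-endian element (2-byte length, space-padded to even length)."""
    value = value + (b" " if len(value) % 2 else b"")
    return struct.pack("<HH", group, elem) + vr.encode("ascii") + struct.pack("<H", len(value)) + value

def iter_elements(data):
    """Walk a dataset body (assumed: preamble and group 0002 file meta already stripped)."""
    pos = 0
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            raise ValueError(f"4-byte-length VR {vr} not handled in this example")
        (length,) = struct.unpack_from("<H", data, pos + 6)
        yield (group, elem), vr, data[pos + 8:pos + 8 + length]
        pos += 8 + length

def scan_phi(data):
    """Return (name, risk, value) for every monitored tag that carries a non-blank value."""
    return [(*PHI_TAGS[tag], value.decode("ascii").strip())
            for tag, _vr, value in iter_elements(data)
            if tag in PHI_TAGS and value.strip(b" \0")]

def deidentify(data):
    """Re-encode the dataset with every monitored tag blanked; other elements pass through."""
    return b"".join(element(*tag, vr, b"" if tag in PHI_TAGS else value)
                    for tag, vr, value in iter_elements(data))

# Constructed sample dataset (ascending tag order as DICOM requires); all values are made up.
SAMPLE = b"".join([
    element(0x0008, 0x0060, "CS", b"CT"),               # Modality: not PHI, must survive
    element(0x0008, 0x0080, "LO", b"Example Hospital"), # InstitutionName: MEDIUM
    element(0x0010, 0x0010, "PN", b"DOE^JANE"),         # PatientName: HIGH
    element(0x0010, 0x0020, "LO", b"MRN-000123"),       # PatientID: HIGH
    element(0x0010, 0x0030, "DA", b"19800101"),         # PatientBirthDate: HIGH
    element(0x0010, 0x0040, "CS", b"F"),                # PatientSex: MEDIUM (odd length, padded)
])
```

Blanking keeps the element in place with zero length, so the de-identified output still parses as a dataset; a complete Safe Harbor pass would additionally handle dates and the long-length VRs this example rejects.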

Safe Harbor De-identification (§ 164.514(b)(2))

The platform's HIPAA Reporter covers all 18 Safe Harbor identifier categories that must be removed for de-identification:

1. Geographic subdivisions smaller than State
2. Names
3. All date elements (except year)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device identifiers
14. Web URLs
15. IP addresses
16. Biometric identifiers
17. Full-face photographs
18. Any other unique identifier

Frequently Asked Questions

What happens if I miss the 30-day patient request deadline?

Missing the deadline is a HIPAA violation. Penalties can include:

  • Fines from $100 to $50,000 per violation
  • Maximum $1.5 million per year for repeated violations
  • Criminal penalties for willful neglect

The platform tracks deadlines and sends alerts to help you stay compliant.

Can I delete PHI disclosure logs before 6 years?

No. The platform enforces the 6-year retention requirement (§ 164.530(j)).

If you attempt to delete a log within the retention period, the system will block the deletion with an error message showing the scheduled deletion date.

Do I need a BAA with Scrub Metadata?

No. Scrub Metadata uses zero-knowledge architecture - your files are processed client-side and never uploaded to our servers.

However, if you use features that store data (BAA tracking, PHI logs), we offer a BAA for Enterprise Plus customers.

How do I export HIPAA compliance reports?

From the Healthcare Dashboard, you can export:

  • BAA Summary: All active/expired BAAs with expiration dates
  • Patient Rights Log: All requests with compliance status
  • PHI Disclosure Report: Full accounting of disclosures
  • HIPAA Compliance Package: Combined audit-ready report

Ready to Manage HIPAA Compliance?

Access your Healthcare Compliance Dashboard to manage BAAs, patient rights requests, and PHI disclosures.