HIPAA Compliance
✓ HIPAA-Compliant Architecture
EHR Note Buddy is designed from the ground up with HIPAA compliance as a core principle. Our architecture ensures that Protected Health Information (PHI) is protected at every stage of the documentation process.
1. Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting patient health information. EHR Note Buddy implements comprehensive safeguards to ensure compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements.
2. PHI Protection Strategy
2.1 Local-First Storage
Zero PHI on Servers: All patient data, including names, evaluation summaries, and clinical notes, is stored exclusively in your browser's local IndexedDB. We never transmit or store PHI on our servers.
2.2 Automatic PHI Scrubbing
Before any text is sent to our AI service for content generation, all PHI is automatically removed using our proprietary scrubbing technology:
- ✓ Patient names (context-aware frequency-based detection)
- ✓ Dates of birth and visit dates (all formats)
- ✓ Phone numbers (all US formats)
- ✓ Email addresses
- ✓ Social Security numbers
- ✓ Medical record numbers
- ✓ Medicare/Medicaid numbers
- ✓ Addresses (comprehensive US address formats)
- ✓ Ages (all formats)
- ✓ Any other unique identifying numbers
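The following is an added illustration of the "scrub before sending to the AI service" step described above; it is not EHR Note Buddy's code, and the patterns, placeholder tokens and sample note are assumptions. Name detection (described on the page as context-aware and frequency-based) is out of scope here; the example also adds a fail-closed gate that blocks the upload if any long digit run survives scrubbing.

```javascript
// Added example, not EHR Note Buddy's proprietary scrubber. Patterns, placeholder
// tokens and the sample note are assumptions. Patient-name detection is omitted.
const PHI_PATTERNS = [
  { label: "EMAIL", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { label: "SSN",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: "MRN",   re: /\bMRN[:#]?\s*\d{4,10}\b/gi },
  // Dates before phones so "03/15/1962" is never split into a phone fragment
  { label: "DATE",  re: /\b(?:\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b/g },
  { label: "PHONE", re: /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g },
  { label: "AGE",   re: /\b\d{1,3}[\s-]*(?:years?[\s-]old|y\/?o)\b/gi },
];

// Replace each identifier with a typed placeholder so the AI still sees the
// sentence structure. The counts let the caller log what was removed without
// logging the PHI itself (the page notes error logs are PHI-scrubbed too).
function scrubPHI(text) {
  const counts = {};
  let out = text;
  for (const { label, re } of PHI_PATTERNS) {
    out = out.replace(re, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Fail-closed gate: any run of 6+ digits that survived scrubbing (an MRN in an
// unexpected format, a policy number) blocks the upload entirely.
function isSafeToSend(scrubbedText) {
  const withoutTokens = scrubbedText.replace(/\[[A-Z]+\]/g, "");
  return !/\d{6,}/.test(withoutTokens);
}

// Constructed sample note; every value is fictitious.
const SAMPLE_NOTE =
  "Pt John Doe, DOB 03/15/1962, 62-year-old male. MRN: 00482913. " +
  "Phone (555) 867-5309, email jdoe@example.com. SSN 123-45-6789. Seen 2024-10-01.";

const result = scrubPHI(SAMPLE_NOTE);
console.log(result.text);
console.log(result.counts, "safe to send:", isSafeToSend(result.text));
```

Note that the patient name in the sample survives this regex pass, which is exactly why a separate name-detection stage is needed before any text leaves the browser.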
3. Technical Safeguards (HIPAA Security Rule)
3.1 Access Control
- Unique User Identification: Each user has a unique Firebase account
- Automatic Logoff: Firebase sessions expire after a period of inactivity
- Encryption: All data transmission uses TLS 1.2+ encryption
3.2 Audit Controls
- Usage logs track authentication events
- Error logs are PHI-scrubbed before storage
- System activity monitoring for security events
3.3 Integrity Controls
- Data validation at input and output stages
- Checksums verify data integrity
- Version control for code changes
3.4 Transmission Security
- TLS 1.2+ encryption for all data in transit
- Certificate pinning for API connections
- Encrypted authentication tokens
4. Administrative Safeguards
4.1 Security Management
- Risk assessments conducted regularly
- Security incident procedures documented
- Contingency planning for system failures
4.2 Workforce Security
- Background checks for team members with system access
- HIPAA training for all personnel
- Termination procedures revoke access immediately
4.3 Information Access Management
- Role-based access controls
- Principle of least privilege
- Regular access reviews
5. Physical Safeguards
- Cloud Infrastructure: Hosted on Google Cloud Platform with SOC 2 Type II certification
- Facility Access: Data centers with 24/7 security monitoring
- Device Security: Chrome extension runs in sandboxed environment
6. Business Associate Agreements (BAAs)
6.1 Third-Party Services
We have Business Associate Agreements with all service providers that may access PHI:
- ✓ Google Cloud Platform with Assured Workloads - Infrastructure hosting (BAA in place)
- ✓ Firebase (Google) - Authentication only, no PHI stored (BAA in place)
- ✓ Google Vertex AI with Assured Workloads - HIPAA-compliant AI processing, receives only de-identified text (BAA in place)
6.2 Your BAA with EHR Note Buddy
Healthcare providers using our Service for PHI may request a Business Associate Agreement. Contact [email protected] to execute a BAA.
7. Breach Notification
7.1 Breach Definition
A breach is an impermissible use or disclosure that compromises the security or privacy of PHI.
7.2 Notification Procedures
In the event of a breach affecting PHI:
- Affected users will be notified within 60 days
- Notification includes nature of breach and steps to protect information
- Required regulatory bodies will be notified per HIPAA requirements
7.3 Mitigation
We maintain incident response procedures to identify, contain, and mitigate breaches quickly.
8. Patient Rights (HIPAA Privacy Rule)
As a healthcare provider using our Service, you remain responsible for honoring patient rights:
- Right to access their health information
- Right to request amendments
- Right to an accounting of disclosures
- Right to request restrictions
- Right to confidential communications
9. Minimum Necessary Standard
Our Service is designed to access only the minimum necessary PHI:
- AI service receives only de-identified text (no PHI)
- Cloud services receive only authentication data (no PHI)
- Analytics exclude all PHI
10. Data Retention and Disposal
10.1 User Data
- Patient Data: Stored locally until you delete it
- Account Data: Retained while account is active
- Audit Logs: Retained for 6 years
10.2 Secure Disposal
- Data deletion requests honored within 30 days
- Secure deletion methods prevent recovery
- Certification of destruction available upon request
11. Regular Compliance Reviews
- Annual HIPAA security risk assessments
- Quarterly policy reviews and updates
- Continuous monitoring of security controls
- Third-party security audits
12. User Responsibilities
While we provide HIPAA-compliant infrastructure, you are responsible for:
- Reviewing and verifying all AI-generated content
- Maintaining device security (password protection, encryption)
- Not sharing account credentials
- Reporting suspected security incidents
- Training your staff on proper use
- Maintaining your own HIPAA compliance program
13. Compliance Certifications
- ✓ Infrastructure hosted on HIPAA-compliant Google Cloud Platform
- ✓ Business Associate Agreements with all relevant vendors
- ✓ Regular security audits and penetration testing
- ✓ Documented policies and procedures
14. Questions or Concerns?
If you have questions about our HIPAA compliance or need to report a security concern:
Privacy Officer: [email protected]
Security Team: [email protected]
Compliance: [email protected]
General Support: [email protected]