Compliance Overview
HIPAA compliance is not a feature we add. It is a requirement embedded in every layer of our architecture, from infrastructure provisioning to application code, from employee onboarding to incident response. The controls described on this page represent our current security posture as of April 2026.
HaloPT operates as a business associate under HIPAA. We execute Business Associate Agreements with all customers who are covered entities and process protected health information on their behalf. Our compliance program is designed to support our customers in meeting their obligations under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Scope
This page describes technical and organizational measures. For a complete description of our data handling practices, see our Privacy Policy. For the terms governing our role as a business associate, see our Terms of Service.
Security Measures
The controls below are the technical safeguards we have implemented to protect PHI at every stage of its lifecycle.
Encryption in Transit
TLS 1.3
All data transmitted between clients and our infrastructure is encrypted using TLS 1.3. This includes API requests, WebSocket connections for real-time messaging, file uploads, and voice recording streams. We enforce HSTS with a max-age of 31536000 seconds and maintain an A+ rating on SSL Labs.
Encryption at Rest
AES-256
All stored data is encrypted using AES-256 encryption. This includes relational databases (Amazon RDS), object storage (Amazon S3), and application-level caches. Database encryption keys are managed through AWS KMS with automatic key rotation every 90 days. Each tenant has a unique data encryption key.
Access Controls
RBAC + MFA
Role-based access control enforces the principle of least privilege across all user types. Therapists, patients, administrators, and referring physicians each have scoped permissions. Multi-factor authentication is required for all therapist and administrator accounts using TOTP-based authenticators or hardware security keys.
Audit Logging
Immutable Logs
Every action is logged with user identity, organization context, IP address, timestamp, and action details. Audit logs are written to append-only storage with cryptographic integrity verification. Logs are retained for a minimum of 6 years in accordance with HIPAA requirements and are available to customers through the admin portal.
Tenant Isolation
Org-Scoped Data
Each organization operates within a logically isolated tenant. Data is scoped at the organization level through enforced row-level security policies in PostgreSQL. Cross-tenant data access is prevented at the application and database layers. Shared infrastructure resources are monitored for cross-tenant side-channel risks.
Breach Notification
Within 72 Hours
In the event of a confirmed breach of unsecured PHI, affected customers are notified within 72 hours of discovery. The notification includes the nature of the breach, categories of affected individuals and data, likely consequences, and remediation measures taken. This supports customer obligations under the HIPAA Breach Notification Rule.
How We Meet HIPAA Requirements
The HIPAA Security Rule requires covered entities and business associates to implement three categories of safeguards. Below we describe how HaloPT addresses each category.
Administrative Safeguards
Security Officer Designation
A designated Privacy Officer and Security Officer are responsible for developing, implementing, and overseeing our HIPAA compliance program. Both officers report directly to executive leadership.
Workforce Training
All employees complete HIPAA and security awareness training upon hire and annually thereafter. Access to production systems and customer data is granted only after training completion and background verification.
Risk Assessment
Formal risk assessments are conducted at least annually and whenever significant infrastructure or application changes occur. Findings are documented, tracked to remediation, and reviewed by leadership.
Contingency Planning
Documented disaster recovery and business continuity plans are tested quarterly. We maintain automated backups with 30-day retention across multiple AWS availability zones with defined RTO and RPO targets.
Physical Safeguards
Facility Access Controls
Our infrastructure is hosted in AWS data centers that maintain SOC 2 Type II, ISO 27001, and ISO 27017 certifications. Physical access is restricted to authorized AWS personnel through badge access, biometric verification, and 24/7 security monitoring.
Workstation Security
All employee workstations are managed through mobile device management with full-disk encryption, automatic screen locking, and remote wipe capability. Development work is conducted on provisioned machines with no local storage of PHI.
Device Controls
Personal devices are prohibited from accessing production environments. Company-issued devices are inventoried, encrypted, and subject to remote lock and wipe procedures upon employee separation.
Technical Safeguards
Access Controls
Unique user IDs, emergency access procedures, automatic logoff after 30 minutes of inactivity, and encryption mechanisms control access to electronic protected health information. Session tokens are rotated every 24 hours.
Audit Controls
Hardware, software, and procedural mechanisms record and examine activity in information systems containing PHI. All access events are correlated with user identity, IP address, and timestamp.
Integrity Controls
Mechanical, electronic, and procedural safeguards protect PHI from improper alteration or destruction. Database records include immutable audit trails. Critical documents are stored with cryptographic checksums.
Transmission Security
Technical security measures guard against unauthorized access to PHI transmitted over electronic communications networks. TLS 1.3 is enforced at all network boundaries. Internal service-to-service communication uses mutual TLS.
Business Associate Agreement
Every customer who qualifies as a covered entity under HIPAA receives a Business Associate Agreement. The BAA is not an optional add-on. It is included automatically with every Professional and Enterprise subscription and is available upon request for Essential plan customers.
What the BAA Covers
- Permitted uses and disclosures of PHI by HaloPT as a business associate
- Obligation to implement appropriate safeguards per the HIPAA Security Rule
- Requirement to report breaches of unsecured PHI to the covered entity
- Obligation to ensure subcontractors who handle PHI sign BAAs
- Patient rights to access, amendment, and accounting of disclosures
- Return or destruction of PHI upon termination of the agreement
- Authorization for the Secretary of HHS to audit HaloPT for compliance
Review our complete BAA framework at /baa.
Audit Logging
Every action within the HaloPT platform is logged. We do not log selectively. We log everything. This includes authentication events, data access, record modifications, file downloads, message sends, and administrative configuration changes.
Each audit record contains:
User: Authenticated user ID and role
Organization: Tenant/org-scoped context
IP Address: Source IP of the request
Timestamp: ISO 8601 UTC timestamp
Action: Create, read, update, delete
Resource: Entity type and identifier
Outcome: Success, failure, denied
User Agent: Client application details
Audit logs are retained for a minimum of 6 years and are available to organization administrators through the admin portal. Logs are exported in JSON or CSV format for compliance reporting and can be forwarded to SIEM systems via our API.
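As an added illustration (not HaloPT's code), the following Python sketch shows one way to implement the append-only, integrity-verified audit records described above: each record carries the fields listed, is chained to its predecessor by a SHA-256 hash, and a verifier reports the first record that was altered, removed, or reordered. The field names, the hash-chain construction, and the sample events are assumptions constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields from the page's audit record; prev_hash/hash chain each record to
# its predecessor so an edited, deleted, or reordered record breaks verification.
FIELDS = ("user", "organization", "ip_address", "timestamp",
          "action", "resource", "outcome", "user_agent")
GENESIS = "0" * 64  # prev_hash of the first record in an empty log

def canonical(record: dict) -> str:
    # Deterministic serialization (sorted keys, fixed separators) before hashing.
    body = {k: record[k] for k in FIELDS}
    body["prev_hash"] = record["prev_hash"]
    return json.dumps(body, sort_keys=True, separators=(",", ":"))

def append_record(log: list, **fields) -> dict:
    missing = set(FIELDS) - set(fields) - {"timestamp"}
    if missing:  # "we log everything": refuse records that omit required context
        raise ValueError(f"missing audit fields: {sorted(missing)}")
    record = dict(fields)
    record.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    record["prev_hash"] = log[-1]["hash"] if log else GENESIS
    record["hash"] = hashlib.sha256(canonical(record).encode()).hexdigest()
    log.append(record)
    return record

def verify_chain(log: list) -> int:
    """Return the index of the first bad record, or -1 if the chain is intact."""
    expected_prev = GENESIS
    for i, record in enumerate(log):
        if record["prev_hash"] != expected_prev:
            return i  # a record was removed, reordered, or inserted here
        if hashlib.sha256(canonical(record).encode()).hexdigest() != record["hash"]:
            return i  # a field in this record was altered after it was written
        expected_prev = record["hash"]
    return -1

def build_sample_log() -> list:
    # Constructed sample events for a fictional tenant; not real data.
    log, base = [], dict(user="therapist:u-1042", organization="org-7",
                         ip_address="203.0.113.5", user_agent="example-client/1.0")
    append_record(log, timestamp="2026-04-01T14:03:11+00:00", action="read",
                  resource="note:n-551", outcome="success", **base)
    append_record(log, timestamp="2026-04-01T14:03:40+00:00", action="update",
                  resource="note:n-551", outcome="denied", **base)
    append_record(log, timestamp="2026-04-01T14:05:02+00:00", action="create",
                  resource="message:m-90", outcome="success", **base)
    return log
```

In a real deployment the chain head would be anchored outside the writer's control (for example, periodically signed and stored with a separate custodian) so that a rewrite of the whole chain is also detectable.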
Patient Rights Under HIPAA
The HIPAA Privacy Rule grants patients specific rights regarding their protected health information. HaloPT provides tools that enable our covered entity customers to fulfill these obligations within the timelines required by law.
Right of Access
Patients have the right to inspect and obtain a copy of their protected health information. Our platform provides tools for covered entities to respond to access requests within the 30-day timeframe required by HIPAA, with one 30-day extension available with written notice.
Right to Amendment
Patients may request amendments to their health records if they believe information is inaccurate or incomplete. The platform tracks amendment requests, manages the 60-day response timeline, and maintains the original record alongside any requested changes.
Accounting of Disclosures
Patients have the right to receive an accounting of certain disclosures of their PHI made by the covered entity. Our platform maintains detailed disclosure logs that customers can use to generate accounting reports covering up to 6 years of history.
Restriction Requests
Patients may request restrictions on how their PHI is used or disclosed for treatment, payment, or healthcare operations. While covered entities are not always required to agree, the platform supports configuration of granular access restrictions that can be applied at the record or field level.
Confidential Communications
Patients may request that communications about their PHI be made through alternative means or at alternative locations. The platform supports configurable notification preferences and communication channel routing to accommodate these requests.
Notice of Privacy Practices
Covered entities must provide patients with a notice of their privacy practices. Our platform enables organizations to distribute and track acknowledgment of their Notice of Privacy Practices through patient onboarding workflows.
Breach Notification
If a breach of unsecured protected health information occurs, we have a documented incident response process that ensures timely notification to affected customers.
Our Breach Response Process
Detection and Containment
Automated monitoring systems detect anomalous access patterns. Upon confirmation of an incident, affected systems are isolated and access is restricted to the incident response team.
Investigation
The Security Officer leads a forensic investigation to determine the scope of the breach, the categories of PHI affected, the number of individuals impacted, and whether the breach was intentional or inadvertent.
Customer Notification
Affected customers are notified within 72 hours of confirmation. The notification includes the date of the breach, date of discovery, types of PHI involved, and steps the customer should take to mitigate harm.
Remediation and Review
After containment, we conduct a root cause analysis, implement corrective actions, and update our security controls to prevent recurrence. A post-incident report is provided to affected customers.
Request Our Compliance Documentation
We provide detailed compliance documentation including our most recent security assessment, penetration test summary, and infrastructure architecture overview. Contact our team to request a copy.
Contact Our Compliance Team
For questions about our HIPAA compliance program, to request a Business Associate Agreement, or to discuss our security controls with your compliance team, contact us directly.
Compliance Email
compliance@halopt.com
Response Time
We respond to compliance inquiries within 2 business days.