Compliance

HIPAA is the foundation, not an afterthought.

HaloPT was built to meet the security and privacy requirements of the Health Insurance Portability and Accountability Act from day one. Every architectural decision, every access control, and every audit log exists because protecting protected health information is not optional. It is the floor.

BAA available · SOC 2 Type II in progress · Six-year audit retention

Compliance overview

HIPAA compliance is not a feature added to the platform. It is a requirement embedded in every layer, from infrastructure provisioning to application code, from employee onboarding to incident response. The controls described on this page represent our current security posture as of April 2026.

HaloPT operates as a business associate under HIPAA and executes a Business Associate Agreement with every customer that is a covered entity on whose behalf HaloPT creates, receives, maintains, or transmits protected health information. The compliance program is designed to support customers in meeting their obligations under the Privacy Rule, Security Rule, and Breach Notification Rule.

Scope

This page describes technical and organizational measures. For the full description of data handling practices, see the Privacy Policy. For the terms governing our role as a business associate, see the Terms of Service.

Security measures

The controls below are the technical safeguards in place to protect PHI at every stage of its lifecycle.

Encryption in transit

TLS 1.3

All data transmitted between clients and our infrastructure is encrypted using TLS 1.3. This includes API requests, real-time messaging, file uploads, and voice recording streams. HSTS is enforced with a max-age of 31,536,000 seconds (one year), and the platform maintains an A+ rating on SSL Labs.

Encryption at rest

AES-256

Stored data is encrypted using AES-256. This covers relational databases, object storage, and application caches. Database encryption keys are managed through AWS KMS with automatic rotation every 90 days. KMS rotation introduces new key material for new encryption operations and retains the older material for decrypting data already written, so rotation by itself does not re-encrypt existing data. Each tenant's data is encrypted under its own data encryption key.

Access controls

RBAC + MFA

Role-based access enforces least-privilege across every user type. Therapists, patients, administrators, and referring physicians each receive scoped permissions. Multi-factor authentication is required for all therapist and administrator accounts.

Audit logging

Immutable

Every action is logged with user identity, organization context, IP address, timestamp, and action detail. Audit logs are written to append-only storage with cryptographic integrity verification, retained for at least six years, and surfaced to administrators in the portal.

Tenant isolation

Row-level

Each organization operates within a logically isolated tenant. Data is scoped at the organization level through enforced row-level security in PostgreSQL. Cross-tenant access is prevented at the application and database layers.
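One way to implement the PostgreSQL row-level scoping described above, as an added example rather than HaloPT's own schema. It assumes PostgreSQL 13 or later (for gen_random_uuid()), and the table, column, role and setting names (patient_records, organization_id, app_user, app.tenant_id) are illustrative choices, not names from the platform.

```sql
-- Added example, not HaloPT's own schema: PostgreSQL row-level security
-- scoping every read and write to one tenant. Table, column, role and
-- setting names (patient_records, organization_id, app_user, app.tenant_id)
-- are assumptions for illustration. Requires PostgreSQL 13+.

CREATE TABLE patient_records (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    patient_id      uuid NOT NULL,
    note            text
);

-- The application connects as a role that is neither a superuser nor
-- BYPASSRLS; either attribute skips every policy below.
DO $$ BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_user') THEN
        CREATE ROLE app_user LOGIN;
    END IF;
END $$;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_records TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patient_records_id_seq TO app_user;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so an
-- owner-privileged maintenance job cannot read across tenants by accident.
ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK).
-- current_setting(..., true) yields NULL when the setting was never set, and
-- NULLIF turns the empty string left behind after a transaction ends into
-- NULL too. A NULL tenant matches no row, so an unscoped session sees
-- nothing (fail closed) rather than everything.
CREATE POLICY tenant_isolation ON patient_records
    FOR ALL
    TO app_user
    USING (organization_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Exercise the policy as the application role.
SET ROLE app_user;

-- Per request, bind the tenant with SET LOCAL inside the transaction. A plain
-- SET would persist on the connection and leak the tenant to whichever
-- request next checks that connection out of the pool.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO patient_records (organization_id, patient_id, note)
VALUES ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 'Initial evaluation');
-- The following insert is rejected with "new row violates row-level security policy":
-- INSERT INTO patient_records (organization_id, patient_id, note)
-- VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'wrong tenant');
SELECT count(*) FROM patient_records;   -- 1: only this tenant's rows are visible
COMMIT;

-- Outside a scoped transaction the same query returns 0 for app_user.
SELECT count(*) FROM patient_records;
RESET ROLE;

-- Check worth running in CI: if the application role can bypass RLS, every
-- policy above is decoration. Expect f, f.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles WHERE rolname = 'app_user';
```

The policy is only as strong as the role evaluating it: superusers and roles with BYPASSRLS ignore it, and the table owner ignores it unless FORCE ROW LEVEL SECURITY is set, so the last query belongs in whatever check gates a deploy.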

Breach notification

≤ 72 hours

In the event of a confirmed breach of unsecured PHI, affected customers are notified within 72 hours of discovery. This is well inside the outer limit of 60 calendar days that the HIPAA Breach Notification Rule allows a business associate for notifying the covered entity. The notification covers the nature of the breach, categories of affected individuals, likely consequences, and remediation taken.

How HIPAA requirements are met

The HIPAA Security Rule requires three categories of safeguards. Below is how HaloPT addresses each.

Administrative safeguards

Security officer designation

A designated Privacy Officer and Security Officer are responsible for implementing and overseeing the HIPAA program. Both report directly to executive leadership.

Workforce training

All employees complete HIPAA and security awareness training on hire and annually. Production access is granted only after completion and background verification.

Risk assessment

Risk assessments are conducted at least annually and whenever significant infrastructure or application changes occur. Findings are tracked to remediation and reviewed by leadership.

Contingency planning

Disaster recovery and business continuity plans are tested quarterly. Automated backups span multiple availability zones with documented RTO and RPO targets.

Physical safeguards

Facility access controls

Infrastructure runs in AWS data centers carrying SOC 2 Type II, ISO 27001, and ISO 27017 certifications, with badge access, biometric verification, and 24/7 monitoring.

Workstation security

Employee workstations are managed through MDM with full-disk encryption, automatic locking, and remote wipe. Development work happens on provisioned machines with no local PHI.

Device controls

Personal devices are prohibited from accessing production. Company-issued devices are inventoried, encrypted, and remote-wiped on separation.

Technical safeguards

Access controls

Unique user IDs, emergency access procedures, automatic logoff after 30 minutes of inactivity, and session-token rotation every 24 hours control access to ePHI.

Audit controls

Hardware, software, and procedural mechanisms record activity in systems containing PHI. Every access event is correlated with user identity, IP, and timestamp.

Integrity controls

Records carry immutable audit trails. Critical documents are stored with cryptographic checksums to detect alteration.

Transmission security

TLS 1.3 is enforced at every network boundary. Internal service-to-service communication uses mutual TLS.

Business Associate Agreement

Every customer that qualifies as a covered entity under HIPAA receives a Business Associate Agreement. The BAA is included automatically with every Growth and Enterprise subscription and is available on request for Starter customers.

What the BAA covers

  • Permitted uses and disclosures of PHI by HaloPT as a business associate
  • Obligation to implement appropriate safeguards per the HIPAA Security Rule
  • Requirement to report breaches of unsecured PHI to the covered entity
  • Obligation to ensure subcontractors who handle PHI sign BAAs
  • Obligation to make PHI available to support patient rights of access, amendment, and accounting of disclosures
  • Return or destruction of PHI upon termination of the agreement
  • Obligation to make HaloPT’s internal practices, books, and records available to the Secretary of HHS for determining compliance

Review the complete BAA framework at /baa.

Audit logging

Every action within the platform is logged. Logging is not selective. Authentication events, data access, record modifications, file downloads, message sends, and administrative configuration changes are all written to the audit trail.

Each audit record contains

  • User: authenticated user ID and role
  • Organization: tenant context
  • IP address: source IP of the request
  • Timestamp: ISO 8601, UTC
  • Action: create, read, update, or delete
  • Resource: entity type and identifier
  • Outcome: success, failure, or denied
  • User agent: client application detail

Audit logs are retained for at least six years and are surfaced to organization administrators through the admin portal. They can be exported as JSON or CSV and forwarded to a customer SIEM through the API.
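The audit record layout above, together with the append-only, integrity-verified storage described under Security measures and Integrity controls, as an added example that is not HaloPT's own schema: a PostgreSQL table carrying the fields listed on this page, made append-only at both the privilege and trigger layers and hash-chained so a verifier can detect alteration, deletion, or reordering. The hash chain is one way to implement cryptographic integrity verification, not necessarily the one HaloPT uses; the names (audit_log, app_user, audit_digest, audit_verify) are assumptions, the sample rows are constructed, and it assumes PostgreSQL 11 or later for sha256() and EXECUTE FUNCTION.

```sql
-- Added example, not HaloPT's own schema: an append-only audit table whose
-- rows are hash-chained so that any edit, deletion or reordering is
-- detectable. Names are assumptions; the chain is one possible design for
-- "cryptographic integrity verification", not necessarily HaloPT's.

CREATE TABLE audit_log (
    seq             bigint PRIMARY KEY,            -- assigned by the chain trigger
    occurred_at     timestamptz NOT NULL DEFAULT now(),
    user_id         uuid NOT NULL,
    user_role       text NOT NULL,
    organization_id uuid NOT NULL,
    source_ip       inet NOT NULL,
    action          text NOT NULL CHECK (action IN ('create', 'read', 'update', 'delete')),
    resource_type   text NOT NULL,
    resource_id     text NOT NULL,
    outcome         text NOT NULL CHECK (outcome IN ('success', 'failure', 'denied')),
    user_agent      text,
    prev_hash       bytea,                         -- NULL only for the first row
    row_hash        bytea NOT NULL
);

-- Append-only at the privilege layer: the application role may add and read,
-- never change or remove.
DO $$ BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_user') THEN
        CREATE ROLE app_user LOGIN;
    END IF;
END $$;
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_user;

-- Append-only at the data layer too: even a privileged connection cannot
-- rewrite history without first dropping this trigger, which is DDL worth
-- alerting on.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only';
END $$;
CREATE TRIGGER audit_log_no_change
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Canonical digest of one row plus the previous row's hash. The timestamp is
-- rendered in UTC explicitly so the digest does not depend on the session
-- TimeZone in effect when the chain is verified later.
CREATE FUNCTION audit_digest(r audit_log, prev bytea) RETURNS bytea
LANGUAGE sql STABLE AS $$
    SELECT sha256(convert_to(concat_ws('|',
        to_char(r.occurred_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'),
        r.user_id, r.user_role, r.organization_id, host(r.source_ip),
        r.action, r.resource_type, r.resource_id, r.outcome,
        coalesce(r.user_agent, ''),
        coalesce(encode(prev, 'hex'), 'genesis')), 'UTF8'))
$$;

-- On insert: serialise appenders with an advisory lock, read the current
-- tail, and derive seq, prev_hash and row_hash from it. Assigning seq here
-- rather than from a sequence guarantees seq order equals chain order.
CREATE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    tail audit_log;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
    SELECT * INTO tail FROM audit_log ORDER BY seq DESC LIMIT 1;
    NEW.seq       := coalesce(tail.seq, 0) + 1;
    NEW.prev_hash := tail.row_hash;
    NEW.row_hash  := audit_digest(NEW, tail.row_hash);
    RETURN NEW;
END $$;
CREATE TRIGGER audit_log_hash
    BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

-- Verifier: walks the chain in seq order and reports the first inconsistency;
-- returns no rows when the log is intact.
CREATE FUNCTION audit_verify()
RETURNS TABLE (bad_seq bigint, reason text) LANGUAGE plpgsql AS $$
DECLARE
    r         audit_log;
    want_seq  bigint := 1;
    want_prev bytea  := NULL;
BEGIN
    FOR r IN SELECT * FROM audit_log ORDER BY seq LOOP
        IF r.seq <> want_seq OR r.prev_hash IS DISTINCT FROM want_prev THEN
            bad_seq := r.seq; reason := 'chain break (row deleted or reordered)';
            RETURN NEXT; RETURN;
        END IF;
        IF r.row_hash <> audit_digest(r, r.prev_hash) THEN
            bad_seq := r.seq; reason := 'row_hash mismatch (contents altered)';
            RETURN NEXT; RETURN;
        END IF;
        want_seq := r.seq + 1; want_prev := r.row_hash;
    END LOOP;
END $$;

-- Constructed sample entries using the fields listed on this page.
INSERT INTO audit_log (user_id, user_role, organization_id, source_ip,
                       action, resource_type, resource_id, outcome, user_agent)
VALUES ('aaaaaaaa-0000-0000-0000-000000000001', 'therapist',
        '11111111-1111-1111-1111-111111111111', '203.0.113.10',
        'read', 'patient_record', '42', 'success', 'HaloPT-Web/1.0'),
       ('aaaaaaaa-0000-0000-0000-000000000002', 'patient',
        '11111111-1111-1111-1111-111111111111', '198.51.100.7',
        'update', 'patient_record', '42', 'denied', 'HaloPT-iOS/1.0');

SELECT * FROM audit_verify();   -- no rows: chain intact
```

The chain only proves that nothing was changed between two points in time; to make that proof independent of the database itself, the latest row_hash should be copied periodically to storage the database cannot write to (an object-lock bucket, a SIEM, or a signed checkpoint) and compared against what audit_verify() reaches. The verifier's two checks also distinguish the failure modes: a seq gap or prev_hash mismatch means a row was removed or inserted out of order, while a row_hash mismatch means an existing row's contents were edited in place.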

Patient rights under HIPAA

The HIPAA Privacy Rule grants patients specific rights regarding their PHI. The platform provides tools that enable covered entity customers to fulfill those obligations within the timelines required.

Right of access

Patients may inspect and obtain a copy of their PHI. The platform supports the 30-day response window required by HIPAA, with one 30-day extension on written notice.

Right to amendment

Patients may request amendments when records are inaccurate or incomplete. The platform tracks requests, manages the 60-day timeline, and preserves the original record.

Accounting of disclosures

Patients may receive an accounting of certain disclosures of their PHI. Detailed disclosure logs cover up to six years of history.

Restriction requests

Patients may request restrictions on uses or disclosures for treatment, payment, or operations. The platform supports configurable record- or field-level restrictions.

Confidential communications

Patients may request alternative means or locations for communication. Notification preferences and channel routing are configurable per patient.

Notice of privacy practices

The platform supports distribution and acknowledgment tracking of the covered entity’s Notice of Privacy Practices through onboarding workflows.

Breach notification

If a breach of unsecured PHI occurs, the platform follows a documented incident response process that ensures timely notification to affected customers.

Response process

01

Detection and containment

Automated monitoring detects anomalous access patterns. On confirmation, affected systems are isolated and access is restricted to the incident response team.

02

Investigation

The Security Officer leads a forensic investigation to determine scope, the categories of PHI affected, the number of individuals impacted, and intent.

03

Customer notification

Affected customers are notified within 72 hours of discovery, the same clock as the commitment under Security measures. The notice covers date of breach, date of discovery, types of PHI involved, and recommended mitigation.

04

Remediation and review

After containment, root-cause analysis drives corrective actions and control updates. A post-incident report is provided to affected customers.

Documentation

Request the compliance package.

The package includes the most recent security assessment summary, penetration test summary, and infrastructure architecture overview. Send it to your compliance team for review.

Contact compliance

For questions about the HIPAA program, to request a Business Associate Agreement, or to discuss controls with your compliance team, contact us directly.

Compliance email
compliance@halopt.com
Response time

Two business days.