HIPAA Compliance
Overview
HIPAA (the US Health Insurance Portability and Accountability Act) governs how Protected Health Information (PHI) is handled in the United States. vitalera provides the technical, administrative, and physical safeguards required under the HIPAA Security Rule and operates as a Business Associate for customers processing PHI.
HIPAA is a law, not a certification. No software can be "HIPAA certified." Compliance is a shared responsibility between the Covered Entity (the customer) and the Business Associate (vitalera), governed by a signed Business Associate Agreement (BAA).
Roles
| Role | Who | Responsibility |
|---|---|---|
| Covered Entity | The healthcare provider, health plan, or clearinghouse using vitalera | Owns the patient relationship, obtains patient authorization, determines lawful purposes of PHI use |
| Business Associate | FOLLOWHEALTH S.L. (vitalera platform operator) | Processes PHI on behalf of the Covered Entity under the BAA, implements safeguards, reports incidents |
| Subcontractors | AWS and other infrastructure providers | Covered by downstream BAAs between vitalera and each subcontractor where applicable |
Business Associate Agreement (BAA)
A signed BAA is required before any customer processes PHI through vitalera. Contact legal@vitalera.io to request our standard BAA template or to negotiate terms for enterprise deployments.
The vitalera BAA covers:
- Permitted uses and disclosures of PHI
- Safeguards required of vitalera as a Business Associate
- Breach notification obligations and timelines
- Subcontractor flow-down requirements
- Termination conditions and PHI return/destruction
Security Rule Safeguards
The HIPAA Security Rule (45 CFR 164 Subpart C) requires administrative, physical, and technical safeguards for electronic PHI (ePHI). vitalera implements each of these directly through the controls defined in our ISO 27001:2022-certified Information Security Management System.
Technical Safeguards (45 CFR 164.312)
| Control | Implementation |
|---|---|
| Access Control | Unique user identification, role-based access control (RBAC), automatic session timeouts |
| Audit Controls | Immutable audit logs for all access to PHI, retained and monitored for anomalies |
| Integrity | Cryptographic hashing, database-level integrity constraints, immutable event logs |
| Person or Entity Authentication | Multi-factor authentication (MFA) for professionals, JWT with short-lived tokens, DPoP for the SDK |
| Transmission Security | TLS 1.2+ for all network communication, end-to-end encryption for sensitive payloads |
Administrative Safeguards (45 CFR 164.308)
| Control | Implementation |
|---|---|
| Security Management Process | Continuous risk analysis under ISO 27001:2022, annual internal audit, documented risk treatment plan |
| Assigned Security Responsibility | Designated Information Security Officer and Data Protection Officer |
| Workforce Security | Background checks, role-based access provisioning, formal onboarding and offboarding procedures |
| Information Access Management | Least-privilege principle, access reviews, separation of duties between development and production |
| Security Awareness and Training | Mandatory annual security and privacy training for all personnel handling PHI |
| Security Incident Procedures | Documented incident response plan, 24/7 monitoring, structured escalation and communication paths |
| Contingency Plan | Daily automated backups, point-in-time recovery, multi-region disaster recovery, documented runbooks |
| Business Associate Contracts | Downstream BAAs in place with all subcontractors that process PHI |
Physical Safeguards (45 CFR 164.310)
vitalera runs on AWS infrastructure in the EU (eu-west-1, Ireland) with US region availability on request. AWS data centers implement physical safeguards certified under SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018:
- Facility access controls with 24/7 security, biometric authentication, and video surveillance
- Workstation use policies enforced on all vitalera personnel devices
- Device and media controls, including secure disposal of hardware and cryptographic erasure of storage
PHI Encryption
| State | Implementation |
|---|---|
| At rest | AES-256 via AWS KMS, applied to managed databases, object storage, and backups |
| In transit | TLS 1.2+ for all API, SDK, webhook, and administrative traffic |
| Key management | Keys managed in AWS KMS with automatic rotation and hardware-based protection |
Breach Notification
vitalera complies with the HIPAA Breach Notification Rule (45 CFR 164.400–414) and, where applicable, the stricter HITECH Act requirements:
- Customers are notified of any discovered breach of unsecured PHI within 60 days of discovery, often significantly sooner
- Notifications include the nature of the breach, types of PHI involved, mitigation actions taken, and recommended steps for the Covered Entity
- vitalera supports the Covered Entity's own breach notification obligations to affected individuals, the Office for Civil Rights (OCR), and (if applicable) the media
Data Residency for US Customers
HIPAA does not mandate US-based data residency. However, vitalera offers deployment in the US region for customers with internal policies requiring domestic data storage. Contact support@vitalera.io to discuss region selection as part of onboarding.
Customer Responsibilities
As the Covered Entity, the customer is responsible for:
- Obtaining patient authorization where required
- Configuring appropriate access policies within vitalera for their workforce
- Fulfilling their own obligations under the HIPAA Privacy Rule, including the Notice of Privacy Practices and responding to patient rights requests
- Training their own workforce on HIPAA and vitalera's security features
- Reporting security incidents on the customer side to vitalera promptly
Related Compliance
- ISO 27001 — Information security controls that underpin HIPAA Security Rule safeguards
- SOC 2 — Trust Service Criteria alignment for enterprise vendor reviews
- GDPR — Complementary obligations for EU data subjects
- Data Security — Technical security architecture overview
Contact
For BAA requests, HIPAA questions, or security reviews, contact legal@vitalera.io or support@vitalera.io.