ChiroInABox is committed to protecting the privacy and security of Protected Health Information (PHI). As a Business Associate under HIPAA, we implement comprehensive safeguards to ensure the confidentiality, integrity, and availability of all PHI entrusted to our platform.
HIPAA Compliant & SOC 2 Certified
ChiroInABox maintains SOC 2 Type II certification and undergoes annual third-party security audits to validate our compliance.
1. Our Role as a Business Associate
Under HIPAA, ChiroInABox operates as a Business Associate to covered entities (healthcare providers) who use our platform. We enter into a Business Associate Agreement (BAA) with each customer, outlining our responsibilities for protecting PHI. The BAA is available upon request and is required before any PHI is processed through our platform.
2. Administrative Safeguards
We maintain comprehensive administrative controls including:
- Security Officer: Designated HIPAA Security Officer responsible for developing and implementing security policies
- Workforce Training: All employees complete HIPAA training upon hire and annually thereafter
- Access Management: Role-based access controls with least-privilege principles
- Background Checks: All employees with access to PHI undergo background verification
- Incident Response: Documented procedures for identifying, reporting, and responding to security incidents
- Contingency Planning: Business continuity and disaster recovery plans tested regularly
- Vendor Management: All subcontractors with PHI access sign Business Associate Agreements
3. Physical Safeguards
Our infrastructure includes robust physical security measures:
- Data Center Security: SOC 2 certified cloud infrastructure with 24/7 security monitoring
- Access Controls: Multi-factor authentication required for all facility and system access
- Workstation Security: Encrypted workstations with automatic screen locks and device management
- Device Disposal: Secure data destruction procedures for decommissioned equipment
- Environmental Controls: Redundant power, cooling, and fire suppression systems
4. Technical Safeguards
We implement industry-leading technical controls to protect PHI:
4.1 Encryption
- AES-256 encryption for all data at rest
- TLS 1.3 encryption for all data in transit
- End-to-end encryption for sensitive communications
- Encrypted database backups with secure key management
4.2 Access Controls
- Unique user identification for all users
- Multi-factor authentication (MFA) available and encouraged
- Role-based access control (RBAC) with configurable permissions
- Automatic session timeout after periods of inactivity
- Password policies enforcing complexity and rotation
4.3 Audit Controls
- Comprehensive audit logging of all PHI access and modifications
- Tamper-evident audit trails retained for a minimum of 6 years
- Real-time monitoring and alerting for suspicious activity
- Regular review and analysis of audit logs
5. Breach Notification
In the event of a breach involving unsecured PHI, ChiroInABox will notify affected covered entities without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule. Our notification will include:
- Description of the breach and types of information involved
- Steps individuals should take to protect themselves
- What we are doing to investigate and mitigate the breach
- Contact information for questions
6. Data Backup and Recovery
We maintain robust data protection and recovery capabilities:
- Automated daily backups with point-in-time recovery
- Geographically distributed backup storage
- Regular backup testing and validation
- Recovery time objective (RTO) of 4 hours
- Recovery point objective (RPO) of 1 hour
7. Security Assessments
We continuously validate our security posture through:
- Annual SOC 2 Type II audits by independent third parties
- Regular penetration testing by qualified security firms
- Continuous vulnerability scanning and remediation
- Annual HIPAA security risk assessments
- Code security reviews and static analysis
8. Customer Responsibilities
While we provide a HIPAA-compliant platform, covered entities using ChiroInABox remain responsible for:
- Signing a Business Associate Agreement before processing PHI
- Configuring appropriate access controls for their users
- Training their workforce on HIPAA requirements
- Using strong, unique passwords and enabling MFA
- Reporting suspected security incidents promptly
- Ensuring patient authorizations are obtained when required
- Maintaining their own HIPAA compliance program
9. Subcontractors
We carefully vet all subcontractors who may have access to PHI. Each subcontractor is required to sign a Business Associate Agreement and demonstrate HIPAA compliance. Our key infrastructure partners include SOC 2 certified cloud providers and payment processors.
10. Data Retention and Disposal
PHI is retained in accordance with applicable laws and your organization's retention policies. Upon termination of services, we provide a reasonable period to export your data. After this period, data is securely destroyed using industry-standard methods that render recovery impossible, with certification of destruction available upon request.
11. Updates to This Policy
We may update this HIPAA Compliance page as we enhance our security practices or as regulations change. Material changes will be communicated to customers via email and through the platform.
12. Contact Information
For questions about our HIPAA compliance practices, to request a BAA, or to report a security concern:
ChiroInABox, Inc.
HIPAA Security Officer
Email: security@chiroinabox.dev
Phone: 1-800-CHIRO-BOX
Address: 123 Healthcare Drive, Suite 500, Wilmington, DE 19801
Certifications & Compliance
- SOC 2 Type II: Annually Certified
- HIPAA Compliant: Business Associate
- AES-256 Encryption: Data at Rest & Transit
This page provides an overview of our HIPAA compliance practices. For detailed technical specifications or to request our full HIPAA compliance documentation, please contact our security team.