HIPAA (backend)

Smarter AI

100%. Compliant. Backend.

  • Server Management

    • We run our own self-hosted servers

    • We run everything in a fully compliant 100% Private Network

    • We are responsible for ALL security configurations (firewalls, updates, and application security).

    • We have done all of those and more

  • Security Software

    • We have installed and configured our own security software (antivirus, intrusion detection).

  • Firewalls and antivirus alone are not enough for HIPAA

    • We know this. We have taken steps to close all gaps.

    • It's a comprehensive framework requiring policies, procedures, and specific technical safeguards.

    • We have these in place.

Specific. Services. Implemented.

Compliance is a shared responsibility requiring technical setup and robust policies for ePHI.

Key Steps Taken:

  • Dedicated Servers/Colocation

    • We have implemented dedicated servers for greater control and isolation, rather than shared hosting, as PHI needs secure, isolated environments.

  • Private Networking

    • We use a private networking feature to keep our server traffic secure and separate from the public internet.

  • Encryption

    • We encrypt all Protected Health Information (PHI) both "at rest" (on the server) and "in transit" (using SSL/TLS for web traffic).

  • Access Controls

    • We have set up strong user authentication (2FA), unique logins, and role-based access to limit who can see ePHI.

  • Audit Logs & Monitoring

    • We have enabled detailed logging of all access and activity on the server, and we monitor for suspicious events in real time.

  • Secure File Transfer

    • We use SFTP (Secure File Transfer Protocol) for all data transfers.

    • We also use SSH (Secure Shell), a network protocol that establishes encrypted connections between all our computers for secure remote access. It operates on TCP port 22 and provides authentication, encryption, and integrity to protect data transmitted over unsecured networks.

  • Risk Assessments

    • We conduct regular, documented risk assessments of our server environment.

  • Data Backup & Recovery

    • We implement secure, regular backups with tested disaster recovery plans for your ePHI.

  • Breach Notification Plan

    • We have clear procedures for detecting, responding to, and reporting data breaches.
