HIPAA Compliance Policy

AutoMedic is designed to support compliance with the HIPAA Privacy, Security, and Breach Notification Rules through a defense-in-depth approach spanning the desktop application, secure backends, and operational practices.

Commitment & Scope

When used by covered entities and their business associates, AutoMedic operates with HIPAA-aligned controls. Our architecture minimizes exposure to protected health information (PHI) and ensures that required safeguards are in place across storage, transmission, and logging. We do not claim to provide legal advice; organizations should validate configurations against their internal compliance programs and applicable law.

PHI Handling & Data Minimization

  • Local storage: Patient and task data, including chat histories, are stored on the user’s machine in a local database encrypted with AES-256 encryption.
  • No PHI in telemetry/audit: Operational and audit logs exclude PHI and do not capture website content or AI chat text. Audit entries include metadata only (for example: route, method, identity claims, payload size, and a cryptographic hash of payload bytes for integrity).
  • Browser automation on-device: The client app drives the user’s local Chrome instance. Interactions occur on the user’s machine; AutoMedic does not collect the pages you visit or the content you extract.

Technical Safeguards (HIPAA Security Rule)

  • Encryption at rest: Local data is encrypted with AES-256. Cloud databases, used for logging and audit trails, are protected by Azure's managed encryption.
  • Encryption in transit: All communications with backends and APIs are protected via SSL/TLS.
  • Secure backends: A proxy backend mediates API requests, enforcing authentication and HIPAA-friendly audit logging. Secrets (including JWT keys) are stored with strong hardware-backed encryption.
  • Access control & least privilege: Backend services enforce authenticated access via JWT verification; Cloud Database access is restricted with role-based controls and least-privilege principles.
  • Process isolation: Each agent tab maintains a dedicated browser context and isolated session. The application's internal processes communicate over secure IPC channels.
  • Signed builds: Application packaging includes code signing (Windows) and notarization (macOS) to protect distribution integrity.

Administrative Safeguards

  • Authentication & authorization: Backends validate JWTs against configured issuers/keys, enforcing authenticated access to protected APIs. Authorization is enforced at the route level.
  • Audit logging: The application backend records audit events in a HIPAA-aligned manner by writing them to a secured cloud database. No protected health information (PHI) is stored; the system persists only cryptographic integrity hashes derived from the original payload bytes. The audit pipeline uses a strictly one-directional, write-only connection, so no component (internal or external) can read, modify, or extract the stored entries through it. This keeps the audit logs inaccessible even if the application environment is fully compromised. Logs can be reviewed for security events through access-controlled methods.
  • Operational security: We maintain monitoring and alerting for abnormal activity and follow change management practices to patch and update dependencies in a timely manner.
  • Configuration transparency: Organizations can disable crash reporting and tune rate limits to meet policy requirements. Two-factor authentication for healthcare portals is noted as a roadmap item along with OS-level protections (BitLocker/FileVault).
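The metadata-only audit entry described above (under PHI Handling & Data Minimization and again under Audit logging) can be made concrete. The following is an added example written for this page, not AutoMedic's own code: it builds an entry from route, method, identity claims, payload size and a hash of the payload bytes, verifies a payload against a stored entry, and runs a heuristic check that no payload text reached the log. The claim names (iss, sub, roles), the use of SHA-256, and the sample request are assumptions; the page names none of them.

```python
import hashlib
import hmac
import json
from typing import Any, Mapping

# Metadata fields an audit entry may carry. Request bodies, page text and
# chat content are excluded by construction: there is no field for them.
ALLOWED_FIELDS = ("route", "method", "identity", "payload_size", "payload_sha256")

# Identity claims copied from an already-verified JWT. Assumed names; the
# page only says "identity claims". Claims outside this allowlist are dropped.
IDENTITY_CLAIMS = ("iss", "sub", "roles")


def build_audit_entry(route: str, method: str, claims: Mapping[str, Any], payload: bytes) -> dict:
    """Build a PHI-free audit entry: request metadata plus a hash of the payload bytes."""
    identity = {k: claims[k] for k in IDENTITY_CLAIMS if k in claims}
    entry = {
        "route": route,
        "method": method.upper(),
        "identity": identity,
        "payload_size": len(payload),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    # Guard against a future edit adding a field that could carry content.
    assert set(entry) == set(ALLOWED_FIELDS)
    return entry


def verify_payload(entry: Mapping[str, Any], payload: bytes) -> bool:
    """Check that payload bytes presented later match the recorded size and hash."""
    digest = hashlib.sha256(payload).hexdigest()
    return entry["payload_size"] == len(payload) and hmac.compare_digest(entry["payload_sha256"], digest)


def leaks_payload_text(entry: Mapping[str, Any], payload: bytes) -> bool:
    """Heuristic leak check: does any string value from the JSON payload appear in the serialized entry?

    Only strings of four or more characters are considered, to avoid matching
    incidental short tokens. A non-JSON payload is compared as a whole.
    """
    serialized = json.dumps(entry)
    try:
        body = json.loads(payload)
    except ValueError:
        return payload.decode("utf-8", "replace") in serialized
    values = []

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            values.append(node)

    walk(body)
    return any(len(v) >= 4 and v in serialized for v in values)


# Constructed sample request. The claims include an "email" that the allowlist
# drops; the body holds made-up patient data that must never reach the log.
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.invalid",
    "sub": "user-123",
    "roles": ["clinician"],
    "email": "j.doe@example.invalid",
}
SAMPLE_PAYLOAD = json.dumps(
    {"patient": "Jane Example", "dob": "1970-01-01", "note": "follow-up scheduled"}
).encode("utf-8")


def demo() -> dict:
    """Build the entry for the constructed request and return it."""
    entry = build_audit_entry("/api/tasks", "post", SAMPLE_CLAIMS, SAMPLE_PAYLOAD)
    print(json.dumps(entry, indent=2))
    return entry


if __name__ == "__main__":
    demo()
```

The entry stores the hash of the payload, not the payload, so a later integrity check can confirm that a given request body is the one that was logged without the log ever holding that body; the leak check is a cheap regression test for the "metadata only" property rather than a substitute for reviewing what each field can contain.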

Physical Safeguards

  • User device protections: AutoMedic relies on the security of the user’s workstation. We recommend full-disk encryption (BitLocker/FileVault), strong device passcodes, and enterprise controls for endpoint management.
  • Azure datacenters: Secure backends run on Microsoft Azure infrastructure with controlled physical access, environmental protections, and platform security.

Breach Notification & Incident Response

If a security incident involving PHI is suspected, we will follow HIPAA’s Breach Notification Rule: assess scope and risk, contain and remediate, and notify affected covered entities and applicable parties within the required timelines. Audit logs, integrity hashes, and monitoring support rapid investigation.

SOC & Industry Standards

  • Azure platform certifications: Microsoft Azure maintains SOC and ISO certifications (e.g., SOC 1/SOC 2 and ISO 27001/27018). AutoMedic’s secure backends run on Azure and benefit from these platform controls.
  • AutoMedic alignment: AutoMedic aligns to SOC 2 trust service criteria (security, availability, confidentiality) in design and operations. Formal SOC 2 attestation for AutoMedic may be part of the roadmap; current claims are limited to alignment and use of SOC-certified infrastructure.

How We Adhere to HIPAA

  • Privacy Rule (minimum necessary): We minimize data collection; local storage retains only what users create; backends avoid PHI in logs.
  • Security Rule (admin/physical/technical): Administrative policies (auth, audit, monitoring), physical protections (Azure datacenters; device best practices), and technical safeguards (encryption, secure IPC, least privilege) are implemented.
  • Breach Notification Rule: Documented procedures support timely detection, assessment, and notification.

Business Associate Agreement (BAA)

Alanos enters into Business Associate Agreements with covered entities and business associates to support HIPAA compliance. A BAA is included with every subscription of the AutoMedic app and outlines responsibilities, permitted uses and disclosures, safeguards, breach notification procedures, and confidentiality obligations. We collaborate with each organization’s compliance team during onboarding to ensure the agreement meets their requirements.

Contact

For BAAs or compliance questions, please contact us. We will collaborate with your compliance team to validate configurations and documentation.

Contact Information

Alanos, LLC
+1 406 317 9879

Office Hours: 9:00 AM - 5:00 PM MT

127 N HIGGINS AVE STE 307D # 2153
MISSOULA, MT 59802-4486