HIPAA Compliance Overview

What HIPAA Actually Requires (Technical Safeguards)

HIPAA does not require VPN or MFA. It requires reasonable safeguards:

Requirement	What it means	Our status
Encryption in transit	HTTPS everywhere	⚠️ Planned — Cloudflare
Encryption at rest	DB + files encrypted	⚠️ Partial
Access control	Only authorized people can log in	⚠️ In progress — Next-Auth
Audit logs	Who accessed/changed what, when	✅ Pipeline trace in SQLite
Automatic logoff	Session timeouts	⚠️ With Next-Auth
BAA with vendors	Signed agreements with AWS, GHL, Bedrock	❌ Not yet signed

Common HIPAA Violations (What Actually Gets Clinics in Trouble)

• Unencrypted data sent over HTTP (not HTTPS)
• Shared logins — no individual audit trail
• Using Google Drive / Dropbox without a BAA
• Unencrypted laptops with PHI
• No breach notification process

What We Store and Where

Data	Location	PHI?	Risk
Pipeline run metadata	SQLite runs table	Low — names only	Low
Step trace (input/output JSON)	SQLite steps table	Medium — biomarker values	Medium
Generated client PDF	/output/*.pdf	Yes — full report	High
Raw uploaded PDF	/tmp/ (transient)	Yes	Medium
GHL contact data	GoHighLevel servers	Yes	Handled by GHL
Biomarker parsing prompts	Bedrock (transient)	Yes — in-flight only	Low

Implementation Roadmap

Phase 1 — Now (no AWS admin needed)

• [ ] Tailscale for private network access
• [ ] Next-Auth login (individual accounts per staff member)
• [ ] Session timeout (30 min idle)

Phase 2 — Soon (one AWS admin ask)

• [ ] Open port 443 in AWS Security Group
• [ ] Cloudflare in front (free HTTPS, hides server IP)
• [ ] Nginx reverse proxy

Phase 3 — Before scaling

• [ ] BAA with AWS (free — request at aws.amazon.com/compliance)
• [ ] BAA with GoHighLevel (check enterprise plan)
• [ ] EBS disk encryption (AWS admin — enable on EC2 volume)
• [ ] Automated SQLite + PDF backups to S3

Phase 4 — At scale

• [ ] MFA (one config line in Next-Auth)
• [ ] Move secrets to AWS Secrets Manager
• [ ] Penetration test
• [ ] SOC 2 audit