HIPAA Compliance Overview
What HIPAA actually requires, what applies to Protocol Health Club, and the implementation roadmap.
What HIPAA Actually Requires
HIPAA does not require VPN or MFA. It requires "reasonable safeguards" — what counts as reasonable depends on your risk level and scale.
| Requirement | What it means | Status |
|---|---|---|
| Encryption in transit | HTTPS everywhere | ⚠️ Planned — Cloudflare |
| Encryption at rest | DB + files encrypted | ⚠️ Partial |
| Access control | Individual logins per staff member | ⚠️ In progress — Next-Auth |
| Audit logs | Who accessed/changed what, when | ✅ Pipeline trace in SQLite |
| Automatic logoff | Session timeouts | ⚠️ With Next-Auth |
| BAA with vendors | Signed agreements with AWS, GHL, Bedrock | ❌ Not yet signed |
Common HIPAA Violations
What actually gets clinics in trouble — not missing MFA, but:
- Unencrypted data sent over HTTP (not HTTPS)
- Shared logins — no individual audit trail
- Using Google Drive / Dropbox without a BAA
- Unencrypted laptops or servers with PHI
- No breach notification process
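The "Access control" and "Audit logs" rows above, together with the "shared logins — no individual audit trail" violation, come down to one property: every touch of PHI is attributed to a named person and the record cannot be rewritten afterwards. The following is an added example, not the project's own code or schema, showing what a per-user, append-only PHI access log in SQLite can look like next to the existing pipeline trace. The `staff` and `phi_access_log` tables, their column names and the sample logins are all this example's assumptions.

```python
"""Per-user, append-only PHI access log in SQLite (added example, not project code)."""
import sqlite3
from datetime import datetime, timezone

# Assumed schema: one row per staff member (no shared accounts) and one
# append-only log table. Table and column names are this example's own.
SCHEMA = """
CREATE TABLE IF NOT EXISTS staff (
    user_id   TEXT PRIMARY KEY,      -- one login per person, never a shared account
    full_name TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS phi_access_log (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    ts_utc     TEXT NOT NULL,        -- ISO 8601 timestamp in UTC
    user_id    TEXT NOT NULL REFERENCES staff(user_id),
    action     TEXT NOT NULL CHECK (action IN ('view', 'create', 'update', 'delete', 'export')),
    resource   TEXT NOT NULL,        -- what was touched, e.g. 'output/client-0001.pdf'
    client_ref TEXT NOT NULL,        -- client identifier only; biomarker values never go here
    detail     TEXT                  -- short description of the change, optional
);
-- The log is history; nothing in the application may rewrite or erase it.
CREATE TRIGGER IF NOT EXISTS phi_access_log_no_update
    BEFORE UPDATE ON phi_access_log
BEGIN
    SELECT RAISE(ABORT, 'phi_access_log is append-only');
END;
CREATE TRIGGER IF NOT EXISTS phi_access_log_no_delete
    BEFORE DELETE ON phi_access_log
BEGIN
    SELECT RAISE(ABORT, 'phi_access_log is append-only');
END;
"""


def open_audit_db(path=":memory:"):
    """Open (or create) the audit database with foreign keys enforced."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # unknown user_id values are rejected
    conn.executescript(SCHEMA)
    return conn


def record_access(conn, user_id, action, resource, client_ref, detail=None):
    """Append one who/what/when entry; returns the UTC timestamp written."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    conn.execute(
        "INSERT INTO phi_access_log (ts_utc, user_id, action, resource, client_ref, detail) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, user_id, action, resource, client_ref, detail),
    )
    conn.commit()
    return ts


def history_for_client(conn, client_ref):
    """Everything anyone did with one client's PHI, oldest first (for a breach review)."""
    return conn.execute(
        "SELECT ts_utc, user_id, action, resource FROM phi_access_log "
        "WHERE client_ref = ? ORDER BY id",
        (client_ref,),
    ).fetchall()


def demo():
    """Constructed walk-through: two staff logins, one shared login, one tamper attempt."""
    conn = open_audit_db()
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [("jdoe", "Jane Doe"), ("msmith", "Mark Smith")])  # constructed sample staff
    record_access(conn, "jdoe", "create", "output/client-0001.pdf", "client-0001", "report generated")
    record_access(conn, "msmith", "view", "output/client-0001.pdf", "client-0001")

    # A login that is not an individual staff account cannot write to the log at all,
    # so no entry can ever be attributed to a generic 'frontdesk' or 'admin' user.
    try:
        record_access(conn, "frontdesk", "view", "output/client-0001.pdf", "client-0001")
        shared_login_rejected = False
    except sqlite3.IntegrityError:
        shared_login_rejected = True

    # Erasing history is blocked by the trigger (the UPDATE trigger works the same way).
    try:
        conn.execute("DELETE FROM phi_access_log WHERE id = 1")
        delete_rejected = False
    except sqlite3.IntegrityError:
        delete_rejected = True

    return {
        "history": history_for_client(conn, "client-0001"),
        "shared_login_rejected": shared_login_rejected,
        "delete_rejected": delete_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The two triggers are what turn a plain table into an audit trail: the application role can only append, so a mistaken or malicious change shows up as a new entry rather than as a silently edited old one. The foreign key to `staff` is the enforcement behind "individual logins per staff member": if a shared account has no row there, it cannot leave a trace, which surfaces the problem immediately instead of at breach-review time.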
What We Store and Where
| Data | Location | PHI? | Risk |
|---|---|---|---|
| Pipeline run metadata | SQLite runs table | Names only | Low |
| Step trace (AI input/output) | SQLite steps table | Biomarker values | Medium |
| Generated client PDF | /output/*.pdf | Yes — full report | High |
| Raw uploaded PDF | /tmp/ (transient) | Yes | Medium |
| GHL contact data | GoHighLevel servers | Yes | Handled by GHL |
| Prompts sent to Claude | Bedrock (transient, in-flight only) | Yes | Low |
Implementation Roadmap
Phase 1 — Now (no AWS admin needed)
- ☐ Tailscale — private network access, no open ports
- ☐ Next-Auth login — individual accounts per staff member
- ☐ Session timeout — auto-logout after 30 min idle
Phase 2 — Soon (one AWS admin ask)
- ☐ Open port 443 in AWS Security Group
- ☐ Cloudflare in front — free HTTPS, hides server IP
- ☐ Nginx reverse proxy
Phase 3 — Before scaling
- ☐ BAA with AWS — free, request at aws.amazon.com/compliance
- ☐ BAA with GoHighLevel — check enterprise plan
- ☐ EBS disk encryption — AWS admin task
- ☐ Automated backups to S3
Phase 4 — At scale
- ☐ MFA — one config line in Next-Auth when ready
- ☐ Secrets moved to AWS Secrets Manager
- ☐ Penetration test
- ☐ SOC 2 audit