HIPAA Compliance
US healthcare compliance — ready for when the platform expands to serve American clinics.
What Is HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a US law governing how Protected Health Information (PHI) must be handled. PHI is any information about a patient's health, treatment, or payment that can be linked back to them — names, appointment dates, treatment plans, exercise prescriptions, session notes.
Violations carry fines up to $1.9 million per incident and can include criminal penalties.
When Does HIPAA Apply to RestartiX
HIPAA is a US-only law. It does not apply to the Romania/EU launch.
It becomes relevant only when a US-based clinic uses the platform. At that point:
- The clinic is a "Covered Entity" under US law
- RestartiX becomes their "Business Associate" by handling their patients' PHI
- A Business Associate Agreement (BAA) must be signed before the clinic goes live
HIPAA does not apply when Romanian/EU clinics treat patients, even if some patients happen to be American.
What HIPAA Requires
From RestartiX (Business Associate)
| Requirement | What It Means |
|---|---|
| Business Associate Agreements | Signed contracts with every vendor that touches PHI: Clerk (auth), AWS (infrastructure), Daily.co (video) |
| Security Officer | A named person responsible for PHI security |
| Annual Security Risk Assessment | Formal risk analysis of all systems that touch PHI — identifies vulnerabilities and documents mitigation |
| Workforce training | Regular staff training on PHI handling, documented with completion records |
| Breach notification | Report breaches to affected clinics within 60 days |
From each US clinic (Covered Entity)
| Requirement | What It Means |
|---|---|
| Signed BAA with RestartiX | Required before using the platform for US patients |
| Privacy Officer | A named person responsible for the clinic's HIPAA privacy program |
| Staff PHI training | All clinic staff must be trained on HIPAA rules |
| Own compliance program | Independent HIPAA policies, risk assessments, and breach reporting |
How the Platform Already Supports HIPAA
The platform's architecture was designed with HIPAA readiness from the start, even though the initial launch is EU-only:
| HIPAA Requirement | How It's Already Met |
|---|---|
| Audit controls (164.312(b)) | Every data mutation is logged with who, what, when, where. Failed access attempts are logged. |
| Access controls (164.312(a)) | Role-based access control (RBAC). Each user sees only what their role permits within their clinic. |
| Encryption (164.312(a)(2)(iv)) | Data encrypted in transit (TLS) and at rest (AES-256). Sensitive fields have additional application-level encryption. |
| Integrity controls (164.312(c)) | Signed forms are immutable. Audit log is append-only. Database constraints enforce data integrity. |
| Transmission security (164.312(e)) | All external communication over TLS. No unencrypted channels. |
| Person/entity authentication (164.312(d)) | Clerk authentication with MFA support. Session management with secure tokens. |
| Emergency access (164.312(a)(2)(ii)) | Break-glass procedure for emergency PHI access — logged comprehensively and reviewed within 24 hours. |
| Automatic log-off (164.312(a)(2)(iii)) | Session timeout and automatic token expiry. |
Retention
HIPAA requires retaining audit documentation for a minimum of 6 years. The platform's audit trail is retained for 6 years across hot (database) and warm (cloud archive) storage tiers.
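To make the audit, break-glass and retention controls above concrete, here is an added illustrative model in Python (example code, not RestartiX's own implementation): an append-only log recording who/what/when/where, a listing of failed access attempts, the 24-hour break-glass review check, and hot/warm/expired tiering against the 6-year minimum. The 90-day hot-tier window, the actor names and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

HOUR, DAY = timedelta(hours=1), timedelta(days=1)
RETENTION = 6 * 365 * DAY          # HIPAA minimum for audit documentation: 6 years
BREAK_GLASS_REVIEW_SLA = 24 * HOUR # break-glass access must be reviewed within 24 hours
HOT_TIER_WINDOW = 90 * DAY         # assumed hot (database) window; the page gives no figure
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)  # constructed reference time for the sample

@dataclass(frozen=True)
class AuditEvent:
    seq: int                       # position in the log, assigned on append
    actor: str                     # who
    action: str                    # what
    at: datetime                   # when (UTC)
    source_ip: str                 # where
    succeeded: bool = True         # failed access attempts are logged as well
    break_glass: bool = False      # emergency PHI access
    reviews: Optional[int] = None  # seq of the break-glass event this review closes

class AuditLog:
    """Append-only: each entry gets the next seq and is never modified or removed."""
    def __init__(self) -> None:
        self._events: Tuple[AuditEvent, ...] = ()
    def events(self) -> Tuple[AuditEvent, ...]:
        return self._events
    def append(self, actor: str, action: str, at: datetime, ip: str, **flags) -> AuditEvent:
        event = AuditEvent(len(self._events) + 1, actor, action, at, ip, **flags)
        self._events += (event,)  # builds a new tuple; stored entries are frozen
        return event
    def failed_access(self) -> List[AuditEvent]:
        return [e for e in self._events if not e.succeeded]
    def overdue_break_glass(self, now: datetime) -> List[AuditEvent]:
        reviewed = {e.reviews for e in self._events if e.reviews is not None}
        return [e for e in self._events if e.break_glass and e.seq not in reviewed
                and now - e.at > BREAK_GLASS_REVIEW_SLA]
    def storage_tier(self, event: AuditEvent, now: datetime) -> str:
        age = now - event.at  # "expired" = past the 6-year minimum, deletable under policy
        return "expired" if age > RETENTION else "hot" if age <= HOT_TIER_WINDOW else "warm"

def demo_log() -> AuditLog:
    log = AuditLog()  # constructed sample events, not real data
    log.append("dr.ionescu", "read patient/42", T0, "10.0.0.5")
    log.append("nurse.pop", "read patient/42", T0 + timedelta(minutes=5), "10.0.0.9", succeeded=False)
    bg = log.append("dr.ionescu", "read patient/77", T0 + 1 * HOUR, "10.0.0.5", break_glass=True)
    log.append("sec.officer", "break_glass_review", T0 + 3 * HOUR, "10.0.0.2", reviews=bg.seq)
    log.append("dr.ionescu", "read patient/88", T0 + 4 * HOUR, "10.0.0.5", break_glass=True)
    return log
```

Reviews are themselves appended events that reference the break-glass entry they close, so the log never needs an in-place update to record that a review happened.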
What's Still Needed for US Launch
When the first US clinic signs up, these additional steps are required:
- Sign BAAs with all sub-processors (Clerk, AWS, Daily.co)
- Designate a Security Officer
- Complete the first annual Security Risk Assessment
- Establish a workforce HIPAA training program
- Offer BAA signing as part of US clinic onboarding
The technical infrastructure is already in place. The remaining items are procedural and legal.
For developers
Technical details — HIPAA audit requirements mapping, audit middleware, retention implementation, and break-glass logging — are available in the Audit Compliance reference.