Compliance
HIPAA Technical Safeguard Alignment
Version 1.2 · Effective: 2026-06-13 · Last updated: 2026-06-13
AuthDeep provides controls relevant to the HIPAA Security Rule, but operators must complete their own risk analysis and execute the required BAAs before any managed processing of PHI.
1. Status and responsibility
This page describes technical alignment and is not legal advice or a certification. Healthcare operators remain responsible for HIPAA risk analysis, policies, workforce controls, infrastructure, notices, and agreements with service providers.
2. Access and authentication controls
Role-based access, unique user identities, multi-factor authentication, passkeys, configurable session lifetimes, administrator emergency access with audit history, single-use recovery codes, and defensive credential handling support 45 CFR §164.312(a) and (d).
3. Audit and integrity controls
Authentication and administrator actions are recorded with actor, time, request, and tenant context. Exports support SIEM and evidence workflows. Secure sessions, request-protection controls, signed integration mechanisms, and safe database access reduce unauthorized alteration risk.
4. Transmission security
TLS is required on every public, loopback, and internal-network connection. Session cookies are Secure and HttpOnly. Operators must keep PHI out of URLs, query strings, and inappropriate logs and must protect backups and exported evidence.
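Two of the transmission controls above (Secure and HttpOnly on session cookies, and no PHI in query strings or logs) are easy to verify mechanically. The following is an added example, not AuthDeep's own code: it checks a set of Set-Cookie header values for the required attributes and strips query strings from request targets before an access-log line is stored. The cookie names, the common-log-format layout and the sample lines are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Attributes the page requires on session cookies.
REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


def cookie_flag_gaps(set_cookie_headers):
    """Map each cookie name found in a list of Set-Cookie header values to the
    required attributes it is missing (an empty list means the cookie is fine)."""
    gaps = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            gaps[name] = [flag for flag in REQUIRED_COOKIE_FLAGS if not morsel[flag]]
    return gaps


def log_safe_url(url):
    """Return the URL with its query string and fragment removed. A marker is
    appended so that log readers can tell a redaction happened."""
    parts = urlsplit(url)
    if not parts.query and not parts.fragment:
        return url
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) + "?[redacted]"


# Matches the request-target token of a common-log-format line, e.g.
# "GET /patients?mrn=1 HTTP/1.1". Assumption: the operator's logs use that layout.
_REQUEST_TARGET = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scrub_access_log_line(line):
    """Rewrite the request target in an access-log line so no query string
    reaches storage; lines that do not match the layout are returned unchanged."""
    def _sub(m):
        return '"%s %s %s"' % (m.group("method"), log_safe_url(m.group("target")), m.group("proto"))
    return _REQUEST_TARGET.sub(_sub, line)


# Constructed sample inputs (not real traffic or real cookies).
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
]
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Jun/2026:10:00:00 +0000] "GET /patients?mrn=12345 HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Jun/2026:10:00:01 +0000] "POST /login HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for name, missing in cookie_flag_gaps(SAMPLE_SET_COOKIES).items():
        print(name, "missing:", missing or "nothing")
    for line in SAMPLE_LOG_LINES:
        print(scrub_access_log_line(line))
```

The cookie check is meant to run against responses from the real deployment (reverse proxy included, since a proxy can rewrite cookie attributes), and the log scrubber belongs in front of whatever ships access logs to storage or a SIEM; dropping the whole query string rather than specific parameter names avoids having to keep a list of every PHI-bearing key current.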
5. Self-hosted data sovereignty
In a customer-operated self-hosted deployment, PHI remains in infrastructure controlled by the customer and is not sent to AuthDeep. The operator remains responsible for its hosting providers and their BAAs.
6. BAA and managed processing
Enterprise customers must request and execute a Business Associate Agreement before any managed AuthDeep engagement processes PHI. No support ticket should contain PHI unless an applicable agreement and approved secure process are in place.
7. Incident and breach procedure
For managed processing, AuthDeep will restrict access, preserve evidence, investigate, and notify the affected customer without unreasonable delay as required by the applicable BAA. Self-hosted operators remain responsible for their own breach assessment and notices.