
HIPAA Compliance

Learn how Coachier maintains HIPAA compliance to protect your clients' health information.

Last Updated: January 15, 2024

1. HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individuals' medical records and other protected health information (PHI). Coachier is committed to full HIPAA compliance for all healthcare professionals using our platform.

Certified Compliant: Coachier is fully HIPAA compliant and undergoes regular third-party audits.

2. Business Associate Agreement (BAA)

When you, as a HIPAA-covered entity, use Coachier, we act as your Business Associate. We provide a compliant Business Associate Agreement (BAA) that outlines our responsibilities and yours.

2.1 Our BAA Includes:

  • Definitions of PHI and ePHI (electronic Protected Health Information)
  • Permitted and required uses and disclosures of PHI
  • Obligations of Coachier as a Business Associate
  • Security safeguards and breach notification procedures
  • Subcontractor requirements
  • Term and termination provisions

2.2 Obtaining a BAA

All Professional, Advanced, and Custom plan subscribers automatically receive a signed BAA. To request your BAA:

  • Email: hipaa@coachier.com
  • Or download from your Account Settings → Legal Documents

3. HIPAA Security Rule Compliance

We implement comprehensive safeguards required by the HIPAA Security Rule:

3.1 Administrative Safeguards

  • Security Management Process: Risk assessments, risk management, and security incident procedures
  • Security Personnel: Designated security official and dedicated security team
  • Workforce Training: Regular HIPAA compliance training for all employees
  • Access Authorization: Role-based access controls and authorization procedures
  • Access Establishment: Documented procedures for granting access
  • Security Awareness: Ongoing security updates and reminders
  • Contingency Planning: Data backup, disaster recovery, and emergency access procedures
  • Business Associate Contracts: Compliant agreements with all subcontractors

3.2 Physical Safeguards

  • Facility Access Controls: Secure data centers with biometric access
  • Workstation Security: Secure workstation policies and procedures
  • Device Controls: Hardware and electronic media controls
  • Secure Disposal: Certified destruction of media containing ePHI

3.3 Technical Safeguards

  • Access Controls: Unique user IDs, automatic logoff, and encryption
  • Audit Controls: Comprehensive logging of all ePHI access
  • Integrity Controls: Mechanisms to ensure ePHI is not altered or destroyed
  • Transmission Security: TLS 1.3 encryption for all data in transit
  • Authentication: Multi-factor authentication available for all users

4. Data Encryption

4.1 Encryption at Rest

All ePHI stored on Coachier servers is encrypted using 256-bit AES encryption, the same standard used by banks and government agencies.

4.2 Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), ensuring protection from interception.

4.3 Database Encryption

  • Field-level encryption for sensitive PHI elements
  • Encrypted database backups
  • Secure key management with rotation policies

5. Access Controls

5.1 User Authentication

  • Strong password requirements (minimum 12 characters)
  • Two-factor authentication (2FA) available for all accounts
  • Biometric authentication support (fingerprint, Face ID)
  • Automatic session timeout after 15 minutes of inactivity
  • Failed login attempt monitoring and account lockout

5.2 Role-Based Access

  • Granular permission levels (Admin, Practitioner, Staff, Client)
  • Minimum necessary access principle
  • Audit trails for all permission changes
  • Ability to revoke access immediately

5.3 Device Management

  • Remote device wipe capability
  • Device registration and monitoring
  • Ability to limit access by device type or location

6. Audit Logs and Monitoring

6.1 Comprehensive Logging

We maintain detailed audit logs of all system activities:

  • User login and logout events
  • PHI access and modifications
  • Administrative changes
  • Failed access attempts
  • System configuration changes
  • Data exports and downloads

6.2 Log Retention

Audit logs are retained for a minimum of 6 years as required by HIPAA. Logs are encrypted, tamper-proof, and regularly reviewed.

6.3 Access Log Reports

Account administrators can generate audit reports showing:

  • Who accessed specific client records
  • When and from where access occurred
  • What actions were performed
  • Any modifications made to PHI

7. Breach Notification

7.1 Breach Detection

We employ advanced security monitoring tools to detect potential breaches:

  • 24/7 security monitoring and intrusion detection
  • Automated threat detection systems
  • Regular vulnerability scanning
  • Incident response team on standby

7.2 Notification Procedures

In the event of a breach of unsecured PHI, we will:

  • Within 24 hours: Begin investigation and contain the breach
  • Within 60 days: Notify affected covered entities as required by HIPAA
  • Documentation: Maintain records of all breach incidents
  • Remediation: Take corrective action to prevent future breaches

7.3 Your Responsibilities

As a covered entity, you are responsible for:

  • Notifying affected individuals within 60 days
  • Notifying HHS (if affecting 500+ individuals)
  • Providing required breach information to media (if applicable)

8. Data Backup and Disaster Recovery

8.1 Backup Procedures

  • Frequency: Automated daily backups
  • Redundancy: Multiple geographically distributed backup locations
  • Encryption: All backups are encrypted
  • Testing: Regular backup restoration testing
  • Retention: 90-day backup retention period

8.2 Disaster Recovery

  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 1 hour
  • Failover: Automatic failover to backup systems
  • Testing: Quarterly disaster recovery drills

8.3 Business Continuity

Our business continuity plan ensures service availability during:

  • Hardware failures
  • Natural disasters
  • Cyberattacks
  • Power outages
  • Other service disruptions

9. Training and Certification

9.1 Employee Training

  • Mandatory HIPAA training for all new employees
  • Annual refresher training for all staff
  • Specialized training for roles with PHI access
  • Training documentation and completion tracking

9.2 Third-Party Certifications

  • SOC 2 Type II: Annual audit for security, availability, and confidentiality
  • HITRUST CSF: Healthcare-specific security framework
  • ISO 27001: Information security management certification
  • PCI DSS: Payment card industry compliance (for billing)

10. Infrastructure and Hosting

10.1 Cloud Infrastructure

Coachier uses HIPAA-compliant cloud infrastructure provided by:

  • Amazon Web Services (AWS): With signed BAA
  • US Data Centers: All PHI stored within the United States
  • Redundancy: Multi-region architecture for high availability

10.2 Network Security

  • Firewalls and intrusion prevention systems
  • DDoS protection
  • Network segmentation and isolation
  • Regular penetration testing

11. Subcontractors and Vendors

We carefully vet all subcontractors who may have access to PHI:

  • All subcontractors sign Business Associate Agreements
  • Regular security assessments of subcontractors
  • Contractual obligations for HIPAA compliance
  • Limited access based on need-to-know principle

11.1 Current Subcontractors

  • Amazon Web Services (Cloud Hosting)
  • Stripe (Payment Processing - PCI DSS compliant)
  • SendGrid (Transactional Email)
  • All with signed BAAs on file

12. Your HIPAA Responsibilities

As a HIPAA covered entity, you are responsible for:

12.1 Privacy Rule Compliance

  • Obtaining client authorization before using Coachier
  • Providing Notice of Privacy Practices to clients
  • Ensuring minimum necessary use and disclosure
  • Maintaining privacy policies and procedures

12.2 Security Practices

  • Using strong, unique passwords
  • Enabling two-factor authentication
  • Logging out when away from device
  • Not sharing account credentials
  • Securing physical devices
  • Reporting suspected security incidents

12.3 Training Your Staff

  • Training staff on HIPAA requirements
  • Establishing access policies
  • Monitoring staff compliance
  • Documenting training activities

13. HIPAA Risk Assessment

We conduct regular HIPAA Security Rule risk assessments:

  • Frequency: Annual comprehensive assessments
  • Scope: All systems, processes, and controls
  • Methodology: NIST Cybersecurity Framework
  • Remediation: Documented action plans for identified risks
  • Third-Party: Independent security audits quarterly

14. Contact Our HIPAA Team

For HIPAA-related questions or to request a BAA:

  • Email: hipaa@coachier.com
  • Phone: +1 (888) 555-CARE
  • Security Incidents: security@coachier.com (24/7 monitored)

Security First: We take HIPAA compliance seriously. Our dedicated compliance team is available to answer your questions and ensure your practice meets all requirements.

© 2024 Coachier Platform. All rights reserved.
