Compliance and Security

HIPAA Basic Setup

The HIPAA Basic add-on ($200/month) enables a set of features designed to support HIPAA-compliant operation for organizations handling protected health information (PHI) in mediation or arbitration cases. It includes Business Associate Agreement tracking, AES-256 field-level encryption for PHI, extended audit log retention, a compliance score dashboard, and risk assessment tools.

What you'll learn

  • What features HIPAA Basic enables
  • How PHI encryption works at the field level
  • What audit retention period applies with HIPAA Basic
  • How to access the compliance dashboard and score

What HIPAA Basic includes

  • BAA management: Track vendor Business Associate Agreements, including effective dates, expiration dates, coverage status, and renewal reminders, from the compliance dashboard. Sign the platform BAA directly from Settings → HIPAA Compliance.
  • AES-256 PHI encryption: PHI fields are encrypted at the field level using AES-256-GCM. New writes use AES-256-GCM; legacy data encrypted with Fernet (AES-128-CBC) is still decrypted transparently and is re-encrypted with AES-256-GCM on its next write. Encryption keys are managed by AWS KMS with per-tenant key contexts. Key rotation is supported via the FIELD_ENCRYPTION_KEY_OLD environment variable: data written under the previous key continues to decrypt seamlessly while the new key is in use.
  • 6-year audit log retention: All platform actions are logged, and audit records are retained for 6 years under HIPAA Basic (versus 3 years on any plan without a HIPAA add-on).
  • Compliance dashboard: A dedicated view showing your compliance posture: BAA status, training completion, risk assessment status, and your overall compliance score (0–100). The score is cached and recalculated automatically when it becomes stale (after 24 hours) or on demand.
  • Risk assessments: Risk assessment workflows are available in the compliance dashboard. Assessments are categorized by risk level (low, medium, high, critical) and count toward your compliance score. An assessment is considered current if it was completed within the past 12 months.
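The key-rotation behaviour described above (new writes sealed under the current key, transparent decryption of data written under FIELD_ENCRYPTION_KEY_OLD, re-encryption on write), as an added Go example that is not the platform's own code. It assumes two 32-byte AES-256 keys already loaded from the environment and a stored layout of nonce||ciphertext||tag; binding the column name as associated data is an addition beyond what the page describes, and the Fernet legacy path and the KMS integration are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keyring mirrors FIELD_ENCRYPTION_KEY / FIELD_ENCRYPTION_KEY_OLD: Current seals
// every new write; Old (nil once rotation is finished) is only ever used to open.
type Keyring struct{ Current, Old cipher.AEAD }

// GCM builds an AES-256-GCM AEAD from a 32-byte key read from the environment.
func GCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a deployment error: fail at startup, not at first write
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Encrypt seals one PHI field as nonce||ciphertext||tag, binding the column name
// as associated data so a blob copied into another column fails to open.
func (k Keyring) Encrypt(field string, pt []byte) []byte {
	nonce := make([]byte, k.Current.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: never fall back to a fixed nonce
	}
	return k.Current.Seal(nonce, nonce, pt, []byte(field))
}

// Load opens a blob with the current key, then the old one. When only the old key
// works it also returns the blob resealed under Current (re-encrypt on write);
// resealed is nil when the stored blob is already current.
func (k Keyring) Load(field string, blob []byte) (pt, resealed []byte, err error) {
	for i, g := range []cipher.AEAD{k.Current, k.Old} {
		if g == nil || len(blob) < g.NonceSize() {
			continue
		}
		if pt, err = g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(field)); err == nil {
			if i == 1 {
				resealed = k.Encrypt(field, pt)
			}
			return pt, resealed, nil
		}
	}
	return nil, nil, errors.New("not decryptable under current or old key")
}
```

A caller writes `resealed` back to the row whenever it is non-nil, which is how a table migrates to the new key without a bulk re-encryption job.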

Enabling HIPAA Basic

HIPAA Basic is available as an add-on on all plan tiers (Starter, Professional, and Enterprise). To enable it, go to Settings → Features & Add-Ons and add HIPAA Basic to your subscription. Once active, a HIPAA Compliance entry appears under Premium Features in the Settings menu.

Difference from HIPAA Enhanced

HIPAA Enhanced ($300/month) extends HIPAA Basic with PHI auto-detection across 18+ identifier types, precise redaction tooling, 7-year audit retention, automated breach detection, staff training tracking, and end-to-end encrypted secure messaging. Organizations with higher PHI exposure or stricter compliance requirements should consider HIPAA Enhanced. See HIPAA Enhanced Setup for details.
