HIPAA Enhanced Setup
The HIPAA Enhanced add-on ($300/month) builds on HIPAA Basic with additional capabilities for organizations with higher PHI exposure or stricter compliance requirements. It adds PHI auto-detection, precision redaction, 7-year audit log retention, automated breach detection, staff training tracking, and encrypted secure messaging with automatic message expiry.
What you'll learn
- How HIPAA Enhanced extends HIPAA Basic
- What PHI auto-detection covers and how redaction works
- What the 7-year audit retention covers
- How breach detection alerts are triggered
- How staff training tracking works
- How encrypted secure messaging works, and what its server-side encryption does and does not cover
What HIPAA Enhanced adds to HIPAA Basic
- PHI auto-detection: Uploaded documents and case content are automatically scanned for over 18 identifier types, including SSNs, medical record numbers (MRN), Medicare and Medicaid IDs, insurance policy numbers, NPIs, DEA numbers, passport and driver's license numbers, credit card numbers (with Luhn validation, so random 16-digit strings such as order IDs are not flagged), bank account and routing numbers, phone numbers, email addresses, street addresses, dates of birth (with context-aware detection), IP addresses, and VINs. Person names are detected via NLP when the spaCy model is available. Because detection is pattern-based, detected items are flagged for review rather than acted on automatically: admins confirm each finding or mark it as a false positive.
- Precision redaction: When PHI must be shared in redacted form, the redaction tools replace each identified PHI field with a typed placeholder (for example, XXX-XX-1234 for SSNs, which keeps only the last four digits, and [MRN REDACTED] for medical record numbers), so a reader can tell what kind of data was removed without seeing it. Redacted documents can be downloaded directly from the compliance dashboard.
- 7-year audit log retention: Audit records are retained for 7 years under HIPAA Enhanced, one year longer than HIPAA Basic and one year beyond the six-year minimum the HIPAA Security Rule sets for required documentation (45 CFR §164.316(b)(2)(i)).
- Breach detection alerts: The platform monitors for patterns that may indicate unauthorized access to PHI, including excessive failed login attempts, unusual PHI access velocity, after-hours access patterns, and mass data exports. Detected events create security incidents visible in the compliance dashboard. Incidents are categorized by severity (critical, high, medium, low) and tracked through open, investigating, contained, resolved, and closed states.
- Staff training tracking: Admins can assign HIPAA training to individual users and track completion, quiz scores, and renewal due dates. Training compliance rates are surfaced in the compliance dashboard and contribute to your compliance score.
- Encrypted secure messaging: Secure messaging allows PHI to be exchanged between case participants over an encrypted channel. Messages are encrypted server-side with AES-256 before they are stored; plaintext is never persisted. Note that this is encryption at rest under keys the platform holds, not end-to-end encryption: the platform, and not only the participants, can decrypt message content, which is also what lets it audit-log each send and read as required by HIPAA §164.312(b). Messages auto-expire after 90 days by default. Secure messaging requires an active BAA; without one the platform returns HTTP 403. It is restricted to arbitration cases.
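To make the detection and redaction bullets concrete, here is an added example written for this page; it is not the platform's own scanner. It shows the technique behind two of the bullets above: pattern-based detection with a Luhn check on card numbers and label-based context for DOB and MRN values, then redaction with typed placeholders (XXX-XX-1234 for SSNs, [KIND REDACTED] otherwise). The regexes, helper names and the sample text are assumptions constructed for illustration; they cover six identifier classes, not all 18, and omit NLP name detection.

```python
"""Added example (not the platform's own scanner): pattern-based PHI detection
with Luhn validation for card numbers and context-aware DOB/MRN matching,
followed by precision redaction with typed placeholders.

Everything below is an assumption for illustration: the regexes, the helper
names and the constructed sample text. Person-name detection (NLP) is omitted.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: rejects 16-digit strings that are not card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (kind, pattern, extra validator). A capture group marks the value when the
# pattern relies on a surrounding label for context ("MRN:", "DOB:").
PATTERNS = [
    ("SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    ("CREDIT_CARD", re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
     lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    ("MRN", re.compile(r"\bMRN[:#]?\s*([A-Z0-9]{6,10})\b", re.I), None),
    ("DOB", re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{1,2}[/-]\d{1,2}[/-]\d{4})\b", re.I), None),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)"), None),
]


def detect_phi(text: str) -> list[Finding]:
    """Return non-overlapping findings ordered by position."""
    findings = []
    for kind, rx, check in PATTERNS:
        for m in rx.finditer(text):
            idx = m.lastindex or 0         # group 1 when the pattern has a context label
            value = m.group(idx)
            if check is not None and not check(value):
                continue                   # e.g. a 16-digit order id that fails Luhn
            findings.append(Finding(kind, m.start(idx), m.end(idx), value))
    findings.sort(key=lambda f: (f.start, f.start - f.end))   # earliest, then longest
    kept, last_end = [], -1
    for f in findings:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def placeholder(f: Finding) -> str:
    """Typed placeholder; SSNs keep the last four digits, as in XXX-XX-1234."""
    if f.kind == "SSN":
        return "XXX-XX-" + f.value[-4:]
    return f"[{f.kind} REDACTED]"


def redact(text: str) -> str:
    out, pos = [], 0
    for f in detect_phi(text):
        out.append(text[pos:f.start])
        out.append(placeholder(f))
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample: the card number is the well-known Luhn-valid Visa test PAN;
# the "ref" number is a 16-digit order id that fails Luhn and must not be flagged.
SAMPLE = (
    "Patient John Doe, DOB: 03/14/1962, MRN: A1234567, SSN 123-45-6789. "
    "Card on file 4111 1111 1111 1111; ref 1234 5678 9012 3456 is an order id. "
    "Contact jdoe@example.com or (555) 123-4567."
)

if __name__ == "__main__":
    for f in detect_phi(SAMPLE):
        print(f"{f.kind:<12} {f.value}")
    print(redact(SAMPLE))
```

Two details matter in practice. The Luhn check is what keeps the 16-digit order id out of the findings, which is why the page calls it out; and MRN and DOB are matched only next to their labels, because bare 8-character codes and dates produce far too many false positives. The name "John Doe" is left untouched, which is exactly the gap the NLP pass is meant to close.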
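The breach detection bullet lists four patterns and a severity and state model but does not show how they turn audit events into incidents. The following is an added example, not the platform's own detector: it runs the four heuristics over constructed audit-log lines and emits incidents with a severity and a tracked state. The log format, thresholds, windows, business-hours range, severity mapping and the allowed state transitions are all assumptions made here.

```python
"""Added example (not the platform's own detector): the four breach-detection
heuristics the page lists, run over constructed audit-log lines, each hit
becoming an incident with a severity and a tracked lifecycle state.

Assumptions for illustration: the log line format, the thresholds and
windows, the business-hours range, the severity mapping and the allowed
state transitions are all choices made here, not the platform's tuning.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
VELOCITY_LIMIT, VELOCITY_WINDOW = 10, timedelta(minutes=5)   # distinct records per window
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59; timestamps are taken as the user's local time
MASS_EXPORT_LIMIT = 500           # records in one export event

# The page names the states; the permitted transitions are assumed here.
ALLOWED = {
    "open": {"investigating", "closed"},
    "investigating": {"contained", "resolved", "closed"},
    "contained": {"resolved", "closed"},
    "resolved": {"closed"},
    "closed": set(),
}


def can_transition(state: str, new_state: str) -> bool:
    return new_state in ALLOWED[state]


@dataclass
class Incident:
    kind: str
    severity: str       # critical / high / medium / low
    user: str
    evidence: str
    state: str = "open"

    def transition(self, new_state: str) -> "Incident":
        if not can_transition(self.state, new_state):
            raise ValueError(f"{self.state} -> {new_state} is not a valid transition")
        self.state = new_state
        return self


def parse_line(line: str) -> dict:
    """'2024-05-06T09:00:05Z user=bob action=login_failed' -> event dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def first_burst(events, window, limit, distinct_key=None):
    """First window [t, t+window] holding >= limit events (or >= limit distinct
    values of distinct_key), returned as (t, count); None if none qualifies."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, head in enumerate(events):
        hits = [e for e in events[i:] if e["ts"] - head["ts"] <= window]
        n = len({e[distinct_key] for e in hits}) if distinct_key else len(hits)
        if n >= limit:
            return head["ts"], n
    return None


def detect_incidents(log_text: str) -> list[Incident]:
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)

    incidents = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["action"] == "login_failed"]
        if hit := first_burst(fails, FAILED_LOGIN_WINDOW, FAILED_LOGIN_LIMIT):
            incidents.append(Incident("excessive_failed_logins", "high", user,
                                      f"{hit[1]} failures starting {hit[0]:%H:%M}"))
        reads = [e for e in evs if e["action"] == "phi_read"]
        if hit := first_burst(reads, VELOCITY_WINDOW, VELOCITY_LIMIT, "record"):
            incidents.append(Incident("phi_access_velocity", "high", user,
                                      f"{hit[1]} distinct records within {VELOCITY_WINDOW}"))
        after_hours = [e for e in reads if e["ts"].hour not in BUSINESS_HOURS]
        if after_hours:
            incidents.append(Incident("after_hours_access", "medium", user,
                                      f"{len(after_hours)} PHI reads outside business hours"))
        for e in evs:
            if e["action"] == "export" and int(e.get("count", 0)) >= MASS_EXPORT_LIMIT:
                incidents.append(Incident("mass_export", "critical", user,
                                          f"export of {e['count']} records"))
    return incidents


# Constructed log: bob fails five logins in 90 seconds, carol opens 12 distinct
# records in 44 seconds, dave reads PHI at 23:15, erin exports 2,500 records,
# alice re-reads one record twice during the day (benign).
SAMPLE_LOG = "\n".join([
    "2024-05-06T09:00:05Z user=bob action=login_failed",
    "2024-05-06T09:00:20Z user=bob action=login_failed",
    "2024-05-06T09:00:41Z user=bob action=login_failed",
    "2024-05-06T09:01:02Z user=bob action=login_failed",
    "2024-05-06T09:01:30Z user=bob action=login_failed",
    "2024-05-06T09:02:00Z user=bob action=login_ok",
    *[f"2024-05-06T10:00:{i * 4:02d}Z user=carol action=phi_read record=p{i:03d}"
      for i in range(12)],
    "2024-05-06T23:15:00Z user=dave action=phi_read record=p020",
    "2024-05-06T14:00:00Z user=erin action=export count=2500",
    "2024-05-06T11:00:00Z user=alice action=phi_read record=p030",
    "2024-05-06T11:00:30Z user=alice action=phi_read record=p030",
])

if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOG):
        print(f"[{inc.severity:<8}] {inc.kind:<24} {inc.user:<6} {inc.evidence}")
```

The velocity rule counts distinct records rather than raw reads, so a clinician refreshing one chart (alice) is not confused with someone paging through a patient list (carol). The transition table is the part worth adapting: it is what stops an incident from being closed while still in the contained state without passing through resolution.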
All HIPAA Basic features are included
HIPAA Enhanced includes everything in HIPAA Basic: BAA management, AES-256 PHI encryption via AWS KMS, compliance dashboard, risk assessments, and the base 6-year audit retention (extended to 7 years by Enhanced). You do not need to purchase HIPAA Basic separately if you subscribe to HIPAA Enhanced.
Enabling HIPAA Enhanced
HIPAA Enhanced is available as an add-on on all plan tiers. To enable it, go to Settings → Features & Add-Ons and add HIPAA Enhanced to your subscription. If you already have HIPAA Basic active, you can upgrade directly in the same screen — no support contact is required.