HIPAA Compliance

HIPAA is not a checklist. It is a commitment.

The Health Insurance Portability and Accountability Act sets the federal standard for protecting sensitive patient health information in the United States. CRUXIO™ and the HIP™ Platform are designed from the ground up to meet — and exceed — every obligation HIPAA places on healthcare technology providers. Not as compliance theatre. As operational architecture.

At a glance:
BAA: ready
AES-256: encryption at rest and in transit
72h: breach notification
6yr: PHI retention
MFA: enforced for all access
SOC 2 Type II: certified
Frameworks covered: HIPAA Privacy Rule · HIPAA Security Rule · Breach Notification Rule · HITECH Act · Omnibus Rule 2013 · 45 CFR Parts 160 & 164
The regulatory framework
Understanding HIPAA — the law that governs healthcare data in the US

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act (2009) and the Omnibus Rule (2013), establishes the national framework for protecting individually identifiable health information — known as Protected Health Information (PHI) — in the United States.

HIPAA applies to Covered Entities (healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates (organizations that create, receive, maintain, or transmit PHI on their behalf). CRUXIO™ operates as a Business Associate for all US healthcare clients.

The law is enforced by the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS). Non-compliance can result in civil and criminal penalties; civil fines range from $100 per violation up to an annual cap of $1.9 million per violation category.

The core principle
HIPAA establishes that individuals have a fundamental right to privacy with respect to their health information. All permissible uses and disclosures of PHI must serve a legitimate healthcare purpose, and only the minimum necessary information should be used or disclosed for any given purpose.
HIPAA 1996 · Public Law 104-191
Health Insurance Portability and Accountability Act
Established national standards for electronic healthcare transactions and code sets, unique health identifiers, and the security and privacy of health data. Codified at 45 CFR Parts 160, 162, and 164.
HITECH 2009 · Title XIII ARRA
Health Information Technology for Economic and Clinical Health Act
Strengthened HIPAA enforcement, extended obligations directly to Business Associates, introduced the Breach Notification Rule, and established tiered civil monetary penalties scaled to culpability.
Omnibus Rule 2013 · 78 FR 5566
HIPAA Omnibus Final Rule
Implemented remaining HITECH provisions, expanded patient rights, tightened Business Associate obligations, modified Breach Notification standards, and enhanced penalties for willful neglect violations.
Protected Health Information
What qualifies as PHI — and what does not

PHI is the foundation of HIPAA. Understanding what constitutes PHI determines the scope of HIPAA obligations for any healthcare technology provider.

Protected Health Information — the 18 identifiers
Health information is PHI when it can be linked to an individual through any of the 18 identifiers defined under the HIPAA Safe Harbor method (45 CFR §164.514(b)):
1. Names
2. Geographic data smaller than a state
3. Dates (other than year) related to an individual
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate / license numbers
12. Vehicle identifiers & serial numbers
13. Device identifiers & serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers (fingerprints, voiceprints)
17. Full-face photographs & images
18. Any other unique identifying number or code
De-identified data — not PHI
Data from which all 18 identifiers have been removed using a HIPAA-compliant method is no longer PHI and is not subject to HIPAA's Privacy and Security Rules.
Safe Harbor method: All 18 identifiers removed and no actual knowledge of re-identification risk (45 CFR §164.514(b)(2))
Expert Determination method: A qualified statistician certifies that the risk of re-identification is very small (45 CFR §164.514(b)(1))
Aggregated data: Statistical health data with no individual identifiers — e.g., "ICU occupancy rate was 87% in Q1" — is not PHI
Employment records: Health information held in employee records by an employer in its capacity as employer is not covered PHI
CRUXIO™ de-identification approach
Where intelligence functions can operate effectively on de-identified data, we apply Safe Harbor or Expert Determination methods before model training, cross-institutional benchmarking, or aggregate analytics. Our de-identification methodology documentation is available to Clients on request.
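As an added example (not CRUXIO's code), the Safe Harbor list above can be turned into a mechanical scrub for the identifier classes that regular expressions can find: dates reduced to the year, ZIP codes reduced to their first three digits (000 for the restricted prefixes from HHS guidance), and SSNs, phone numbers, email addresses, IP addresses, URLs and medical record numbers replaced with tokens. Names, biometric data and images are not pattern-detectable, so the example drops those fields outright under a per-field policy. The record layout, the field names in FIELD_POLICY and the sample values are assumptions constructed for the example.

```python
"""Safe Harbor style PHI scrub for a structured record with a free-text note.

Added example (not CRUXIO code). It covers the identifier classes from the
Safe Harbor list that a regular expression can find mechanically; names,
biometric data and images cannot be found this way and are handled by
dropping whole fields under FIELD_POLICY. The sample record is constructed.
"""
import re
from dataclasses import dataclass

# Three-digit ZIP prefixes that Safe Harbor requires to be changed to 000
# (geographic units of 20,000 or fewer people, per HHS Safe Harbor guidance).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Ordered: dates first (reduced to year), ZIP last so it cannot consume digit
# runs that belong to an MRN, phone number or SSN still in the text.
PATTERNS = [
    ("date", re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b|\b(\d{4})-(\d{2})-(\d{2})\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"\bhttps?://\S+")),
    ("mrn", re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE)),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Field-level policy (assumed layout): drop structured identifiers outright,
# scrub free text, keep year-level dates. Unknown fields are dropped.
FIELD_POLICY = {"patient_name": "drop", "note": "scrub", "year_of_birth": "keep"}

SAMPLE_RECORD = {  # constructed, fictitious values
    "patient_name": "Jane Doe",
    "year_of_birth": 1951,
    "note": "Pt MRN 00123456, DOB 03/14/1951, seen 2024-02-09. "
            "Contact (555) 123-4567, jane.doe@example.com, ZIP 03755. "
            "SSN 123-45-6789. Portal https://portal.example.org/p/991 from 10.0.0.1.",
}


@dataclass
class Finding:
    field: str
    category: str
    value: str


def _replacement(category, match):
    """Safe Harbor compliant substitute for one match."""
    if category == "date":
        return match.group(3) or match.group(4)  # keep the year only
    if category == "zip":
        prefix = match.group(0)[:3]
        return "000" if prefix in RESTRICTED_ZIP3 else prefix
    return f"[{category.upper()}]"


def scrub_text(text, field="note"):
    """Scrub free text; returns (clean_text, findings)."""
    findings = []
    for category, pattern in PATTERNS:
        def sub(m, category=category):
            findings.append(Finding(field, category, m.group(0)))
            return _replacement(category, m)
        text = pattern.sub(sub, text)
    return text, findings


def deidentify(record):
    """Apply FIELD_POLICY to a record; returns (clean_record, findings)."""
    clean, findings = {}, []
    for key, value in record.items():
        action = FIELD_POLICY.get(key, "drop")
        if action == "drop":
            findings.append(Finding(key, "field_dropped", "<removed>"))
        elif action == "scrub":
            clean[key], found = scrub_text(str(value), key)
            findings.extend(found)
        else:
            clean[key] = value
    return clean, findings


def residual_identifiers(text):
    """Identifier categories that still match after scrubbing; [] means clean."""
    return [category for category, pattern in PATTERNS if pattern.search(text)]
```

The residual_identifiers check is the part a reviewer should care about: Safe Harbor also requires no actual knowledge that the remaining data could identify the individual, so a pattern scrub is the floor, not the proof, and names in free text still need an NLP pass or manual review before the output can be treated as de-identified.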
The three rules
HIPAA's three pillars — and how HIP™ meets every one

HIPAA's requirements are organized into three interdependent rules. Each imposes specific obligations on Covered Entities and their Business Associates. CRUXIO™ is designed to satisfy all three.

Rule 01: The Privacy Rule (45 CFR Part 164, Subpart E)
Establishes national standards for protecting individuals' medical records and other PHI. Sets conditions for use and disclosure, grants patients rights over their health information, and requires healthcare organizations to implement safeguards and policies protecting that information.
Only use or disclose PHI for Treatment, Payment, or Operations (TPO) — or with valid patient authorization
Apply minimum necessary standard to all PHI access and disclosure
Provide patients access to their health information upon request
Implement Notice of Privacy Practices (NPP) and administrative safeguards
Designate a Privacy Officer responsible for policy development and compliance
Establish workforce training and sanctions policies for HIPAA violations
Rule 02: The Security Rule (45 CFR Part 164, Subpart C)
Establishes standards for securing electronic PHI (ePHI). Requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI throughout its lifecycle.
Administrative safeguards: risk analysis, workforce training, access management, contingency planning
Physical safeguards: facility access controls, workstation use, device and media controls
Technical safeguards: access controls, audit controls, integrity controls, transmission security
Conduct and document risk analysis and risk management programs at appropriate intervals
Implement encryption for ePHI at rest and in transit (addressable standard — strongly recommended)
Maintain audit logs for all activity on systems containing ePHI
Rule 03: The Breach Notification Rule (45 CFR Part 164, Subpart D)
Requires Covered Entities and Business Associates to provide notification following a breach of unsecured PHI. Establishes timelines, content requirements, and methods for notifying affected individuals, the Secretary of HHS, and (in large breaches) prominent media outlets.
Business Associates must notify Covered Entities of discovered breaches "without unreasonable delay" and within 60 days
Covered Entities must notify affected individuals within 60 days of discovery
Breaches affecting 500+ individuals in a state require immediate media notification
All breaches must be reported to HHS OCR (large breaches immediately; small breaches annually)
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction
An impermissible use or disclosure is presumed to be a breach requiring notification unless a risk assessment demonstrates a low probability that the PHI has been compromised
Business Associate Agreement
The BAA — the contract at the heart of HIPAA compliance

A Business Associate Agreement (BAA) is the legally required contract that governs how CRUXIO™ protects your patients' health information. Every US healthcare client receives a BAA before any PHI is accessed.

What the BAA covers
Required elements under 45 CFR §164.504(e)
1. Permitted uses and disclosures of PHI: Specifies the exact purposes for which CRUXIO™ may use or disclose PHI — limited strictly to the contracted Platform services and required HIPAA purposes.
2. Safeguard obligations: Requires CRUXIO™ to implement appropriate administrative, physical, and technical safeguards for all PHI consistent with the HIPAA Security Rule.
3. Reporting obligations: Obligates CRUXIO™ to report breaches of unsecured PHI and security incidents to the Covered Entity without unreasonable delay.
4. Sub-contractor obligations: Requires that any sub-contractors (sub-processors) accessing PHI execute equivalent BAAs and maintain equivalent safeguards.
5. Individual rights support: Requires CRUXIO™ to support the Covered Entity in satisfying patients' HIPAA rights, including access requests and amendments to PHI.
6. PHI return or destruction at termination: Obligates CRUXIO™ to return or securely destroy all PHI upon contract termination, with written certification of destruction using NIST SP 800-88 standards.
How the BAA process works
Step 01: Client requests BAA (required before PHI access)
US healthcare clients complete the BAA request form or contact us directly. We send our standard BAA within 2 business days for review.
Step 02: Legal review & negotiation (typical: 5–10 business days)
Clients may review with legal counsel. CRUXIO™ accommodates reasonable modifications while maintaining full HIPAA compliance.
Step 03: Execution & countersignature (BAA in force)
BAA executed via electronic signature. Signed copies retained by both parties. BAA enters force on the execution date.
Step 04: Platform access provisioned (PHI access enabled)
Only after BAA execution is the Client's PHI environment provisioned. Integration credentials and access tokens are issued to authorized personnel only.
Request your BAA
HIPAA-compliant deployment begins here. All US healthcare clients receive a BAA prior to any PHI access — no exceptions.
1. Contact us at info@cruxio.co with subject line "BAA Request" and your organization name
2. We send our standard BAA template within 2 business days for your legal team's review
3. Legal review, negotiation if needed, and mutual execution via secure e-signature
4. HIPAA-compliant PHI environment provisioned — same day as execution
BAA provided at no additional cost · Standard form available immediately
Security safeguards
The three categories of HIPAA safeguards — implemented

The HIPAA Security Rule requires implementation of safeguards across three domains. CRUXIO™'s security architecture addresses every required and addressable standard across all three.

Technical safeguards
Encryption at rest & transit
AES-256 encryption for all stored ePHI. TLS 1.3 for all data transmission. No ePHI is stored or transmitted in unencrypted form under any circumstances.
§164.312(a)(2)(iv) · §164.312(e)(2)(ii)
Unique user identification
Every user is assigned a unique identifier. Shared credentials and generic logins are prohibited. Access is tied to individual accountability at all times.
§164.312(a)(2)(i) — Required
Automatic logoff
Electronic sessions terminate automatically after a period of inactivity, preventing unauthorized access to unattended workstations containing ePHI.
§164.312(a)(2)(iii) — Addressable
Audit controls & logs
Immutable audit logs capture all access events, modifications, and disclosures of ePHI. Logs are tamper-evident with cryptographic integrity verification and retained for 6 years.
§164.312(b) — Required
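Added example, not the HIP™ Platform's implementation: one common way to make an audit log tamper-evident, as the audit-controls card above and the six-year audit trail commitment later on the page describe, is to hash-chain entries so that each record commits to its predecessor, and to checkpoint the head hash outside the log store. The event fields and the sample events are constructed for the example. The verification shows both what the chain detects (modification, deletion, reordering) and what it does not (silent truncation of the tail, which is what the external checkpoint is for).

```python
"""Hash-chained, append-only audit log for ePHI access events.

Added example, not the HIP Platform's implementation. Every entry commits
to the hash of the previous entry, so modifying, deleting or reordering a
stored entry invalidates every later link. A checkpoint of the head hash
kept outside the log store catches truncation, which the chain alone
cannot. The sample events below are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # hash that precedes the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON encoding of the entry minus its hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_event(chain, user_id, action, resource, ts):
    """Append one access event linked to the current head of the chain."""
    entry = {
        "seq": len(chain),
        "ts": ts,                # ISO-8601 UTC timestamp supplied by the caller
        "user": user_id,         # unique user id, never a shared login
        "action": action,        # READ / UPDATE / EXPORT / DISCLOSE ...
        "resource": resource,    # reference to the record, not the PHI itself
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every link from genesis.

    Returns (True, None) if intact, otherwise (False, seq) for the first
    entry whose sequence number, back-link or hash does not check out.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_digest(entry), entry.get("hash", "")):
            return False, i
        prev = entry["hash"]
    return True, None


def checkpoint(chain):
    """Head hash to store outside the log (for example in a separate WORM store)."""
    return chain[-1]["hash"] if chain else GENESIS


def matches_checkpoint(chain, head_hash):
    """True only if the chain still ends at the checkpointed head."""
    return hmac.compare_digest(checkpoint(chain), head_hash)


def build_sample_chain():
    """Three constructed access events against one fictitious patient record."""
    chain = []
    append_event(chain, "dr.smith", "READ", "patient/1042/encounter/7",
                 "2024-02-09T14:01:22+00:00")
    append_event(chain, "nurse.lee", "UPDATE", "patient/1042/vitals",
                 "2024-02-09T14:05:03+00:00")
    append_event(chain, "billing.svc", "DISCLOSE", "patient/1042/claim/88",
                 "2024-02-09T15:20:41+00:00")
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    head = checkpoint(log)
    print("intact:", verify_chain(log))
    forged = [dict(e) for e in log]
    forged[1] = dict(forged[1], user="someone.else")
    print("after edit:", verify_chain(forged))
    print("truncated passes chain check:", verify_chain(log[:-1]))
    print("truncated matches checkpoint:", matches_checkpoint(log[:-1], head))
```

The design point is that the chain makes edits inside the log detectable by anyone holding the log, while the checkpoint is what makes the length of the log attestable; in practice the head hash is written at a fixed interval to storage the log writer cannot modify, and verification compares both.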
Integrity controls
Mechanisms prevent unauthorized alteration or destruction of ePHI. All data modifications are version-tracked and attributable to a specific authenticated user.
§164.312(c)(1) — Required
Authentication
Multi-factor authentication enforced for all platform access. Role-based access control limits data access to the minimum necessary for each user's function.
§164.312(d) — Required
Administrative safeguards
Risk analysis & management
Documented risk analysis conducted at implementation and at appropriate intervals. Risk management program addresses identified vulnerabilities with defined remediation timelines and accountability.
§164.308(a)(1) — Required
Privacy & Security Officers
Designated Privacy Officer and HIPAA Security Officer responsible for development, implementation, and maintenance of all HIPAA compliance policies and procedures.
§164.308(a)(2) — Required
Workforce training
Annual HIPAA training mandatory for all workforce members with PHI access. Training records maintained for 6 years. Workforce sanction policy for policy violations.
§164.308(a)(5) — Required
Security incident procedures
Documented incident response procedures covering identification, containment, eradication, recovery, and post-incident review. Tested annually via tabletop and simulated exercises.
§164.308(a)(6) — Required
Contingency planning
Data backup plan, disaster recovery plan, and emergency mode operation procedures documented and tested. Business continuity maintained for all systems containing ePHI.
§164.308(a)(7) — Required
Business associate oversight
Written contracts (BAAs) with all sub-processors accessing ePHI. Vendor risk assessments conducted before onboarding and on an annual basis thereafter.
§164.308(b)(1) — Required
Physical safeguards
Facility access controls
Policies and procedures limiting physical access to electronic information systems housing ePHI to authorized personnel only. Data centers comply with SOC 2 Type II physical access standards.
§164.310(a)(1) — Required
Workstation use policies
Documented policies governing the functions performed on workstations accessing ePHI, physical surroundings, and restrictions on workstation use to minimize security risks.
§164.310(b) — Required
Device & media controls
Policies for receipt, removal, backup, and disposal of hardware and electronic media containing ePHI. Secure media sanitization per NIST SP 800-88 before reuse or disposal.
§164.310(d)(1) — Required
Workstation security
Physical safeguards for all workstations accessing ePHI — including screen locks, cable locks, and placement policies to prevent unauthorized viewing by third parties.
§164.310(c) — Required
CRUXIO™ security posture
AES-256 encryption standard
TLS 1.3 transit protocol
6-year log retention
24/7 SOC monitoring
100% MFA enforcement
Annual pen testing
SOC 2 Type II certified
BAA executed before PHI access
Per-tenant encryption key management
Immutable tamper-evident audit logs
NIST SP 800-88 media sanitization
Risk analysis at every deployment
Annual third-party pen testing
Workforce HIPAA training documented
Patient rights
HIPAA gives patients powerful rights over their own health data

HIPAA's Privacy Rule grants individuals a robust set of rights with respect to their protected health information. As a Business Associate, CRUXIO™ supports Covered Entities in fulfilling these obligations.

Right of Access
45 CFR §164.524
Patients have the right to inspect and obtain copies of their PHI held in a designated record set. Covered Entities must provide access within 30 days (extendable to 60 days). As of 2021, fees are tightly restricted under the HHS Access Rule update.
Right to Request Amendment
45 CFR §164.526
Patients may request amendments to PHI they believe is inaccurate or incomplete. The Covered Entity must act on the request within 60 days. Denials must be in writing, state the basis for the denial, and inform the patient of the right to submit a statement of disagreement.
Right to an Accounting of Disclosures
45 CFR §164.528
Patients have the right to receive a list of disclosures of their PHI made in the 6 years prior to the request, for purposes other than treatment, payment, or healthcare operations. Business Associates must maintain records to support this obligation.
Right to Request Restrictions
45 CFR §164.522(a)
Patients may request restrictions on uses or disclosures of their PHI for treatment, payment, or operations. Covered Entities must comply with requests to restrict disclosures to health plans when the patient has paid out-of-pocket in full for the service.
Right to Confidential Communications
45 CFR §164.522(b)
Patients may request that their PHI be communicated through alternative means or to alternative locations — for example, requesting that appointment reminders be sent to a specific phone number or mailing address for privacy reasons.
Right to Notice of Privacy Practices
45 CFR §164.520
Patients have the right to receive a clear, written Notice of Privacy Practices (NPP) that explains how their PHI may be used and disclosed, their rights, and the Covered Entity's legal duties. The NPP must be provided at first service delivery.
How CRUXIO™ supports patient rights
As a Business Associate, CRUXIO™ does not interact directly with patients on behalf of their rights. All patient rights requests are handled by the Covered Entity (your hospital or health system). However, the HIP™ Platform is architected to ensure that Covered Entities can readily access, export, or flag PHI in response to patient access or accounting-of-disclosures requests. CRUXIO™ maintains records sufficient to support all required patient rights obligations under 45 CFR Part 164.
Breach notification
Breach response — timelines, obligations, and our commitment

The Breach Notification Rule requires a structured, time-bound response when unsecured PHI is compromised. CRUXIO™'s incident response program is built to meet every deadline — and go further.

Notification timelines
Discovery (ASAP): Breach discovered by CRUXIO™
CRUXIO™'s security team identifies and confirms a potential breach of unsecured PHI. Immediate containment actions begin. Incident response team activated.
Within 60 days: CRUXIO™ notifies Covered Entity
As Business Associate, CRUXIO™ notifies the affected Covered Entity "without unreasonable delay" — our internal target is 72 hours for confirmed breaches. Maximum statutory deadline: 60 days from discovery. (45 CFR §164.410)
Within 60 days: Covered Entity notifies affected individuals
The Covered Entity must notify all affected individuals within 60 days of the Covered Entity's discovery of the breach (not CRUXIO™'s discovery). Notice must be in plain language and include specified elements under §164.404(c).
Immediately (500+): Media notification (if 500+ in same state)
For breaches affecting 500 or more individuals in a single state or jurisdiction, the Covered Entity must provide notice to prominent media outlets in addition to individual notification. (45 CFR §164.406)
Immediately (500+) or annually (fewer than 500): HHS OCR notification
Breaches of 500+ individuals require immediate HHS notification. Breaches affecting fewer than 500 individuals are reported to HHS OCR annually, by 60 days after the end of the calendar year in which breaches occurred. (45 CFR §164.408)
Breach categories & risk assessment
Impermissible use or disclosure
Unauthorized access to, use of, or disclosure of PHI — the most common breach category. Presumed to require notification unless a four-factor risk assessment demonstrates low probability of compromise.
Security incident resulting in PHI exposure
Ransomware, hacking, or other cyberattacks that access systems containing ePHI. OCR treats most ransomware attacks as presumed breaches requiring notification.
Four-factor risk assessment
To rebut the presumption of breach, the Covered Entity (supported by CRUXIO™) must assess: (1) the nature and extent of the PHI involved; (2) who accessed or may have accessed the PHI; (3) whether the PHI was actually acquired or viewed; (4) the mitigation measures taken. If the assessment across all four factors shows a low probability of compromise, the incident is not a reportable breach.
CRUXIO™ breach response commitment
Our internal target is to notify affected Covered Entities within 72 hours of confirming a breach — well within the statutory 60-day maximum. We provide a complete incident report including the nature of the breach, PHI involved, individuals potentially affected, and remediation steps taken. We cooperate fully with all regulatory investigations and notifications.
Permitted uses of PHI
When HIPAA permits use or disclosure of PHI — without authorization

HIPAA's Privacy Rule defines specific circumstances under which PHI may be used or disclosed without an individual's written authorization. CRUXIO™ processes PHI only within these permissible boundaries.

Treatment, Payment & Operations (TPO)
The broadest permissible category. PHI may be used and disclosed for treatment activities (clinical care coordination), payment activities (billing, claims, reimbursement), and healthcare operations (quality improvement, clinical analytics, compliance, training). The HIP™ Platform operates within this category for enterprise Clients.
Required by law
PHI may be disclosed when required by federal, state, or local law — including mandatory reporting obligations (communicable diseases, child abuse, elder abuse), court orders, administrative subpoenas, and law enforcement requests meeting specific legal standards under 45 CFR §164.512.
Public health activities
Disclosure to public health authorities for disease surveillance, investigation and control, vital statistics reporting, and FDA-regulated product safety monitoring. The FRAUDIQ™ product supports public health scheme integrity monitoring within this permitted purpose framework.
Research (with appropriate safeguards)
PHI may be used for research with a valid waiver of authorization from an IRB or Privacy Board, with representations from a researcher meeting specific criteria, or using properly de-identified or limited data sets under a Data Use Agreement. CRUXIO™ supports research deployments under appropriate governance frameworks.
Avert serious threat to health or safety
PHI may be disclosed to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, provided the disclosure is to someone reasonably able to prevent or lessen the threat, consistent with applicable law and professional ethics standards.
Health oversight activities
Disclosure to oversight agencies (CMS, OCR, OIG, state health departments) for audits, investigations, inspections, licensure, and government benefit programs. FRAUDIQ™'s government health scheme integrity monitoring functions within this permitted use category.
Enforcement & penalties
OCR enforcement — the cost of non-compliance

The Office for Civil Rights enforces HIPAA with a tiered civil monetary penalty structure based on the level of culpability. Criminal penalties also apply for knowing violations. CRUXIO™'s compliance architecture is designed to eliminate the conditions that lead to penalties.

Tier 1, did not know: $100–$50,000 per violation; max $25,000 / year / violation category
Tier 2, reasonable cause: $1,000–$50,000 per violation; max $100,000 / year / violation category
Tier 3, willful neglect (corrected): $10,000–$50,000 per violation; max $250,000 / year / violation category
Tier 4, willful neglect (uncorrected): $50,000+ per violation; max $1.9M / year / violation category
Criminal penalties
Knowing violations of HIPAA carry criminal penalties under 42 U.S.C. §1320d-6: up to 1 year imprisonment for unauthorized access to PHI; up to 5 years for violations under false pretenses; up to 10 years for violations with intent to sell or use PHI for commercial advantage or malicious harm. Criminal prosecution is conducted by the Department of Justice (DOJ).
Our commitment
HIPAA compliance is built in — not bolted on.

CRUXIO™ doesn't treat HIPAA as a compliance box to tick before a sale. Every architecture decision, every integration pattern, every AI governance gate in the HIP™ Platform has been designed with HIPAA obligations as a foundational constraint — not a constraint applied after the fact.

BAA before PHI access — always
No US healthcare client accesses PHI-containing environments before a valid BAA is fully executed. This is non-negotiable and automated into our provisioning workflow.
End-to-end encryption, no exceptions
AES-256 at rest, TLS 1.3 in transit. No PHI touches unencrypted infrastructure at any point in the data lifecycle — from ingestion through processing to storage and transmission.
Six-year immutable audit trails
Every access event, every data modification, every disclosure is logged immutably. HIPAA requires 6-year record retention — we retain logs with cryptographic integrity verification for the full period.
Annual workforce HIPAA training
Every team member with PHI access completes annual HIPAA training. Training completion is tracked, documented, and available for regulatory review. Sanction policies are enforced for violations.
Annual risk analysis — documented
We conduct and document comprehensive risk analyses at every new deployment and at least annually thereafter. Risk management plans address identified vulnerabilities with defined timelines and accountability.
HIPAA-aligned by architecture
The HIP™ Platform meets every HIPAA Privacy Rule, Security Rule, and Breach Notification Rule obligation applicable to a Business Associate. For a full compliance documentation package, contact info@cruxio.co.