HIPAA Compliance
Safeguarding protected health information per the HIPAA Security Rule.
1. Our role
Under HIPAA, the healthcare agency that contracts with us is the Covered Entity and the data controller for its patients' PHI. DivineCare Service is the Business Associate: we process PHI strictly to provide the contracted services and per the customer's documented instructions.
2. Business Associate Agreement
A BAA is required before any production PHI flows into the platform. Our standard BAA covers permitted uses, safeguards, breach notification, sub-contractor obligations, and return/destruction of PHI on termination. Reach out via our contact form to request our BAA template.
3. Safeguards — Security Rule mapping
The HIPAA Security Rule requires administrative, physical, and technical safeguards. We map our controls as follows:
3.1 Administrative
- Designated security officer accountable for the security program.
- Role-based workforce access; provisioning and de-provisioning tied to HR events.
- Security awareness training for engineering and operations staff.
- Incident response plan with defined escalation paths.
- Sub-processor management: BAAs in place with every sub-processor that may touch PHI.
3.2 Physical
- Hosting in tier-IV cloud data centres (Azure default) with industry-standard physical access controls.
- No PHI is stored on employee endpoints in normal operations; production access is via brokered, audited sessions.
3.3 Technical
- Access control — unique user IDs, RBAC, automatic logoff, multi-factor authentication.
- Audit controls — immutable audit log of access, modification, exports, and authentication events.
- Integrity — anti-forgery tokens, parameterised database queries, content-type checks on uploads.
- Person/entity authentication — password policy, MFA, login-history visibility for users.
- Transmission security — TLS 1.2+ for all data in transit; AES-256 at rest for stored documents.
4. Breach notification
In the event of a confirmed breach of unsecured PHI, we notify affected Covered Entities without unreasonable delay and in any case within the timeframe required by HIPAA / the BAA (no later than 60 days from discovery). Notifications include the nature of the breach, affected data categories, mitigation actions, and recommended steps.
5. Patient rights
Patient access, amendment, and accounting-of-disclosure requests are handled by the Covered Entity (the customer agency). We provide the tools required to fulfil these requests: patient-record export, audit log retrieval, and structured deletion / pseudonymisation workflows consistent with retention obligations.
6. Retention
Records are retained per the customer's agreement and any applicable jurisdictional rules (commonly a minimum of 7 years for adult health records; longer for paediatric records). On termination, data is returned and/or securely deleted as defined in the BAA.
7. Related documents
Contact
HIPAA / BAA enquiries and security reports — please use our contact form and tag your message accordingly.