HIPAA Compliance
PatientTrac Surgery is designed to meet the HIPAA Security Rule (45 CFR Part 164, Subpart C) technical safeguard requirements for electronic protected health information (ePHI). This page summarizes the technical controls in place.
Technical Safeguards (§164.312)
| Requirement | Control | Status |
|---|---|---|
| Access Control (§164.312(a)(1)) | JWT-based authentication via cross-app token validation; role-based row-level security in Supabase | Implemented |
| Audit Controls (§164.312(b)) | AI action logging to cr.ai_audit_log; Supabase built-in audit trail for data access | Implemented |
| Integrity (§164.312(c)(1)) | PostgreSQL ACID transactions; no client-side data mutation without server validation | Implemented |
| Transmission Security (§164.312(e)(1)) | TLS 1.2+ enforced via HSTS header (max-age=31536000); all API calls over HTTPS | Implemented |
| Session Timeout | JWT tokens are short-lived; validated on every API call | Implemented |
AI Features and PHI
PatientTrac Surgery's AI-powered features are designed with PHI minimization:
- Patient names, dates of birth, MRNs, SSNs, addresses, and insurance IDs are stripped before any data is sent to AI processing endpoints.
- All AI calls are processed server-side through Netlify Functions — no PHI is sent directly from the browser to any AI provider.
- AI function invocations are logged in
cr.ai_audit_logwith encounter ID and function name only (no clinical content).
Business Associate Agreements
| Vendor | Service | BAA Status |
|---|---|---|
| Supabase | Database hosting (ePHI storage) | BAA Available |
| Netlify | Hosting and serverless functions | BAA Available |
| Anthropic | Claude AI API (clinical decision support) | BAA Required Before Use |
Your organization must execute a Business Associate Agreement with each vendor before deploying PatientTrac Surgery in a clinical environment. Contact each vendor's enterprise/compliance team to obtain BAA documentation.
Organizational Responsibilities
PatientTrac Surgery provides the technical platform. Your organization, as a Covered Entity, remains responsible for:
- Executing BAAs with all vendors listed above
- User access management and credential hygiene
- Workforce HIPAA training
- Incident response and breach notification procedures
- Physical safeguards for workstations accessing the system
Security Incident Reporting
To report a suspected security incident or potential PHI breach, contact your organization's Security Officer immediately and follow your facility's incident response policy.