PatientTrac Surgery HIPAA Compliance

HIPAA Compliance

Last updated: June 2026

PatientTrac Surgery is designed to meet the HIPAA Security Rule (45 CFR Part 164, Subpart C) technical safeguard requirements for electronic protected health information (ePHI). This page summarizes the technical controls in place.

Technical Safeguards (§164.312)

RequirementControlStatus
Access Control (§164.312(a)(1))JWT-based authentication via cross-app token validation; role-based row-level security in SupabaseImplemented
Audit Controls (§164.312(b))AI action logging to cr.ai_audit_log; Supabase built-in audit trail for data accessImplemented
Integrity (§164.312(c)(1))PostgreSQL ACID transactions; no client-side data mutation without server validationImplemented
Transmission Security (§164.312(e)(1))TLS 1.2+ enforced via HSTS header (max-age=31536000); all API calls over HTTPSImplemented
Session TimeoutJWT tokens are short-lived; validated on every API callImplemented

AI Features and PHI

PatientTrac Surgery's AI-powered features are designed with PHI minimization:

Business Associate Agreements

VendorServiceBAA Status
SupabaseDatabase hosting (ePHI storage)BAA Available
NetlifyHosting and serverless functionsBAA Available
AnthropicClaude AI API (clinical decision support)BAA Required Before Use

Your organization must execute a Business Associate Agreement with each vendor before deploying PatientTrac Surgery in a clinical environment. Contact each vendor's enterprise/compliance team to obtain BAA documentation.

Organizational Responsibilities

PatientTrac Surgery provides the technical platform. Your organization, as a Covered Entity, remains responsible for:

Security Incident Reporting

To report a suspected security incident or potential PHI breach, contact your organization's Security Officer immediately and follow your facility's incident response policy.