HIPAA
For US-based practices · BAA inquiries: compliance@chirovault.ai
Who this page is for
This page is for US-based chiropractic practices that handle Protected Health Information (PHI) under HIPAA. ChiroVault is primarily designed for the European market (GDPR, NEN 7510, WGBO), but we support US customers and offer the Business Associate Agreement and safeguards described here. European customers should refer to the Privacy Policy and Trust Center.
Our HIPAA status, accurately stated
ChiroVault applies HIPAA-aligned safeguards for eligible covered entities, with technical, administrative, and physical safeguards designed around HIPAA Security Rule expectations. HIPAA is not a certification program; we describe our safeguards, legal agreements, and operating controls for customer review. What we offer is a BAA review path, documented controls, and an architecture designed to support eligible covered-entity workflows. A diligent practice should review our controls and make its own determination.
Business Associate Agreement (BAA)
A BAA request path is available for eligible ChiroVault subscribers who handle PHI. Email compliance@chirovault.ai with your practice name and NPI. We review the request, confirm eligibility and subprocessors, and route the agreement for signature through the approved legal process.
The BAA covers: ChiroVault's obligations as a Business Associate, permitted uses of PHI, breach notification obligations (we notify you within 48 hours of a confirmed breach, leaving time for your 60-day HIPAA notification window), and return or destruction of PHI on termination.
Technical Safeguards
These controls are operationally implemented in the platform today.
- ✓ Encryption in transit: TLS 1.3 on all endpoints. All data in transit is encrypted with no fallback to older protocols.
- ✓ Encryption at rest: AES-256 for all stored data, including database records, file storage, and backups.
- ✓ Unique user identification: no shared logins. Every access event is tied to an authenticated individual user account.
- ✓ Automatic session timeout: sessions expire after configurable inactivity periods.
- ✓ Role-based access control: minimum necessary principle enforced at the database layer via Row-Level Security. Assistants cannot access clinical data outside their assigned role.
- ✓ Audit controls: tamper-evident append-only audit log for all PHI access, modifications, exports, and approvals. Log chain is cryptographically hash-linked.
- ✓ Break-glass emergency access: support-level access to PHI requires documented reason, dual authorisation, and triggers notifications to the practice owner.
- ✓ Automatic encrypted backups with point-in-time recovery.
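The hash-linked audit log above is described only at the level of a property (append-only, tamper-evident). The following is an added illustration written for this page, not ChiroVault's own code: each entry hashes its sequence number, the previous entry's hash and the canonical event body, so editing or removing an interior entry breaks the chain. The event fields, user names and patient ids are constructed sample data, and the `expected_head` anchor is an assumption about how a reviewer would detect truncation of the tail.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # chain starts from a fixed, well-known value


def canonical(event: dict) -> str:
    """Stable serialisation so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def entry_digest(seq: int, prev_hash: str, event: dict) -> str:
    return hashlib.sha256(f"{seq}|{prev_hash}|{canonical(event)}".encode()).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    prev_hash: str
    event: dict
    entry_hash: str


class AuditLog:
    """Append-only list where every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, event: dict) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, prev, dict(event), entry_digest(seq, prev, event))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify_chain(entries: List[AuditEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry that fails.

    Recomputes every digest from scratch rather than trusting stored prev_hash values.
    If expected_head is given (a hash anchored outside the log, e.g. in a daily report
    sent to the practice owner), a mismatched or missing tail is reported at len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev or e.entry_hash != entry_digest(i, prev, e.event):
            return i
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


# Constructed sample events; not real access records.
SAMPLE_EVENTS = [
    {"actor": "dr.smith", "action": "view", "patient": "P-1001"},
    {"actor": "assistant.lee", "action": "export", "patient": "P-1001"},
    {"actor": "support.oncall", "action": "break_glass", "patient": "P-1002", "reason": "ticket-42"},
]


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def first_bad_after_edit(log: AuditLog, index: int) -> Optional[int]:
    """Copy the log, silently rewrite one event's actor, and report where verification fails."""
    entries = copy.deepcopy(log.entries)
    entries[index].event["actor"] = "someone.else"
    return verify_chain(entries)


def first_bad_after_delete(log: AuditLog, index: int, expected_head: Optional[str] = None) -> Optional[int]:
    """Copy the log, drop one entry, and report where verification fails."""
    entries = copy.deepcopy(log.entries)
    del entries[index]
    return verify_chain(entries, expected_head)


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries))
    print("edited entry 1 detected at:", first_bad_after_edit(log, 1))
    print("deleted entry 1 detected at:", first_bad_after_delete(log, 1))
    print("deleted tail, no anchor:", first_bad_after_delete(log, 2))
    print("deleted tail, with anchor:", first_bad_after_delete(log, 2, log.head_hash()))
```

The last two calls show the caveat a reviewer should ask about: a hash chain proves interior entries were not altered or removed, but deleting the newest entries leaves a perfectly valid shorter chain. Detecting truncation requires the latest head hash to be anchored somewhere the log writer cannot change, such as a periodic digest delivered to the practice owner.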
Administrative Safeguards
These are the policy and procedure safeguards. Items marked ⚠ are implemented at the company level but have not yet been verified by a third-party auditor.
- ✓ Documented security policies for PHI access, workforce responsibilities, and incident response.
- ✓ Access authorisation and termination procedures: access is provisioned and de-provisioned through documented workflows.
- ✓ Breach notification procedure: documented 48-hour internal detection-to-notification target, followed by BAA-required notification to the covered entity.
- ⚠ Annual risk assessment: risk register maintained internally. Formal third-party risk assessment planned for 2026.
- ⚠ Workforce training on PHI handling: internal training materials in place. Formal documented annual training cycle being established.
- ⚠ Contingency plan: backup and disaster recovery procedures implemented. Formal tabletop exercise and documented BCP planned for 2026.
Physical Safeguards
- ✓ Cloud infrastructure: hosted on Supabase (Postgres) and Cloudflare, both of which maintain SOC 2 Type II certification for their underlying infrastructure. ChiroVault inherits these physical controls for data centre access, environmental controls, and media disposal.
- ✓ No on-premise hardware: ChiroVault has no physical servers. Infrastructure is cloud-native, reducing physical access risk.
- ✓ Remote workforce controls: documented device policies, required encryption for any device accessing production systems.
AI and PHI
AI features in ChiroVault interact with clinical data. Here is exactly how that works:
- PHI scrubbing: before any content is sent to an external AI provider (OpenAI, Gemini), it passes through a PHI scrubbing layer that removes or tokenises direct identifiers.
- No training on PHI: patient data is never used to train AI models. This is enforced contractually with all AI sub-processors via DPA and BAA.
- Clinician approval required: AI-generated content — SOAP notes, referral letters, code suggestions — is a draft. It does not enter the patient record until the treating clinician explicitly reviews and approves it.
- Audit trail: every AI interaction is logged: what was sent, which model was used, what was returned, and who approved or rejected the output.
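The PHI scrubbing layer is described above as removing or tokenising direct identifiers before content reaches an external AI provider. The following is an added example written for this page, not ChiroVault's actual scrubbing code: identifiers are replaced with opaque tokens, the token-to-value map stays local, the AI provider's reply is re-hydrated from that map, and the interaction record stores only the scrubbed request. The identifier patterns, the name list, the sample note and the simulated model reply are all constructed for illustration, and the regexes cover only a few identifier shapes rather than the full HIPAA list.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed, illustrative patterns for a few direct identifiers; a production
# scrubber needs the full set of identifier classes and better name detection.
PATTERNS = {
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def scrub(text: str, known_names: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Replace direct identifiers with tokens such as [NAME_1].

    Returns the scrubbed text and a token -> original-value map. The map is the
    sensitive part: it must stay inside the practice's boundary and never be
    sent alongside the scrubbed text.
    """
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def token_for(kind: str, value: str) -> str:
        # Reuse the same token for a repeated value so the model sees consistent references.
        for tok, original in mapping.items():
            if original == value:
                return tok
        counters[kind] = counters.get(kind, 0) + 1
        tok = f"[{kind}_{counters[kind]}]"
        mapping[tok] = value
        return tok

    out = text
    # Names come from the practice's own record, matched longest-first so
    # "Jane Doe" is replaced before a shorter overlapping name could be.
    for name in sorted(known_names, key=len, reverse=True):
        if name in out:
            out = out.replace(name, token_for("NAME", name))
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(lambda m, k=kind: token_for(k, m.group(0)), out)
    return out, mapping


def residual_identifiers(scrubbed: str, mapping: Dict[str, str]) -> list:
    """Defensive check before sending: any original value still present is a scrub failure."""
    return [value for value in mapping.values() if value in scrubbed]


def rehydrate(model_output: str, mapping: Dict[str, str]) -> str:
    """Put the real values back into the draft returned by the model, locally."""
    out = model_output
    for tok, original in mapping.items():
        out = out.replace(tok, original)
    return out


# Constructed sample note and patient name list; not real patient data.
KNOWN_NAMES = ["Jane Doe"]
SAMPLE_NOTE = (
    "Patient Jane Doe (DOB 03/14/1985, phone 555-123-4567) reports low back pain "
    "after lifting. Jane Doe denies numbness."
)


def simulated_model(scrubbed_prompt: str) -> str:
    """Stand-in for the external provider: it only ever sees tokens, never identifiers."""
    assert not residual_identifiers(scrubbed_prompt, {})  # nothing to leak by construction
    return "[NAME_1] presents with mechanical low back pain; follow up in 2 weeks."


def draft_note(note: str, known_names: Iterable[str]) -> Dict[str, str]:
    """Full round trip: scrub, refuse to send on residual PHI, call model, rehydrate, log."""
    scrubbed, mapping = scrub(note, known_names)
    leftovers = residual_identifiers(scrubbed, mapping)
    if leftovers:
        raise ValueError(f"refusing to send: identifiers still present: {leftovers}")
    reply = simulated_model(scrubbed)
    return {
        "sent": scrubbed,                     # what the audit record should store
        "model_reply": reply,                 # still tokenised, safe to log
        "draft_for_clinician": rehydrate(reply, mapping),  # pending explicit approval
    }


if __name__ == "__main__":
    for key, value in draft_note(SAMPLE_NOTE, KNOWN_NAMES).items():
        print(f"{key}: {value}")
```

Two design points match the safeguards listed on this page: the residual check turns a scrubbing miss into a refusal to send rather than a silent leak, and the returned draft is kept separate from anything written to the record, so clinician approval remains a distinct step.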
Sub-processor BAA Coverage
Sub-processors that may handle PHI are reviewed for downstream BAA or equivalent contractual coverage before they are enabled for eligible US PHI workflows. The current sub-processor list is available on request at compliance@chirovault.ai. We will publish the sub-processor list publicly on our Trust Center as we formalise our third-party review programme.
Request Documentation
To request any of the following, email compliance@chirovault.ai with your practice name and NPI:
- Signed Business Associate Agreement (BAA)
- HIPAA controls summary
- Sub-processor list
- Security questionnaire responses