HIPAA Compliant Healthcare Technology

HIPAA Compliance

Last Updated: October 6, 2025

Our Commitment to HIPAA Compliance

VisionScan, Inc. is fully committed to protecting patient health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, including all subsequent amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

As a Business Associate providing healthcare technology services to Covered Entities, we maintain comprehensive administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI).

HIPAA Security Rule Compliance

Administrative Safeguards

  • Security Management Process: Risk analysis, risk management, sanction policy, and information system activity review procedures
  • Workforce Security: Authorization procedures, workforce clearance, and termination procedures for all personnel accessing PHI
  • Security Training: Mandatory HIPAA training for all employees, with annual refresher courses and role-specific training modules
  • Security Incident Procedures: Comprehensive incident response plan with breach notification protocols meeting regulatory timelines
  • Contingency Planning: Data backup plans, disaster recovery procedures, and emergency mode operations
  • Business Associate Agreements: Fully executed BAAs with all subcontractors and vendors handling PHI

Physical Safeguards

  • Facility Access Controls: Secure data centers with 24/7 monitoring, biometric access controls, and visitor logging
  • Workstation Security: Locked screens, clean desk policies, and secure disposal procedures for physical media
  • Device and Media Controls: Encrypted mobile devices, secure media disposal, and accountability procedures
  • Controlled Physical Environment: SOC 2 Type II certified data centers with redundant power, cooling, and network infrastructure

Technical Safeguards

  • Access Controls: Unique user IDs, emergency access procedures, automatic logoff, and encryption/decryption capabilities
  • Audit Controls: Comprehensive logging of all PHI access with tamper-proof audit trails maintained for 7 years
  • Integrity Controls: Mechanisms to authenticate PHI and ensure it has not been improperly altered or destroyed
  • Transmission Security: TLS 1.3 for all PHI in transit, with AES-256 encryption for PHI at rest
  • Authentication: Multi-factor authentication required for all user accounts accessing PHI

HIPAA Privacy Rule Compliance

VisionScan adheres to all HIPAA Privacy Rule requirements:

  • Minimum Necessary Standard: Access to PHI is limited to the minimum necessary for intended purposes
  • Notice of Privacy Practices: Patients receive clear notice of how their information may be used and disclosed
  • Patient Rights: We support patient rights to access, amend, and obtain an accounting of PHI disclosures
  • Uses and Disclosures: PHI is only used/disclosed for treatment, payment, healthcare operations, or with patient authorization
  • Marketing and Fundraising: We do not use PHI for marketing without explicit authorization
  • Research: Only de-identified data is used for research purposes; studies involving identifiable data follow IRB-approved protocols

Data Encryption and Security

  • Encryption at Rest: AES-256 encryption for all stored PHI on servers and databases
  • Encryption in Transit: TLS 1.3 for all data transmission with perfect forward secrecy
  • Database Security: Encrypted database fields, parameterized queries, and SQL injection prevention
  • Key Management: Hardware Security Modules (HSMs) for encryption key storage with regular key rotation
  • Endpoint Protection: Full disk encryption on all devices accessing PHI

Business Associate Compliance

As a HIPAA Business Associate, VisionScan:

  • Maintains executed Business Associate Agreements with all Covered Entity clients
  • Ensures all subcontractors sign BAAs before handling any PHI
  • Provides breach notification to Covered Entities within required timeframes
  • Makes PHI available to individuals and HHS as required
  • Accounts for PHI disclosures as requested by Covered Entities
  • Returns or destroys PHI upon termination of services per agreement terms

Breach Notification Procedures

In the unlikely event of a breach of unsecured PHI:

  • Detection and Assessment: Continuous monitoring systems detect and escalate potential breaches within minutes
  • Notification Timeline: Covered Entities notified within 24 hours of breach discovery
  • Individual Notification: Affected individuals notified within 60 days as required by law
  • HHS Notification: Secretary of HHS notified within 60 days for breaches affecting 500+ individuals
  • Media Notification: Prominent media outlets notified for breaches affecting 500+ state residents
  • Breach Log: Detailed incident documentation maintained for regulatory review

Regular Security Assessments

  • Annual Risk Analysis: Comprehensive HIPAA risk assessment conducted annually
  • Penetration Testing: Third-party security testing performed quarterly
  • Vulnerability Scanning: Automated daily scans with immediate remediation of critical findings
  • Security Audits: Independent third-party HIPAA audits conducted annually
  • SOC 2 Type II: Annual attestation of security controls by certified auditors

Workforce Training and Awareness

  • All employees complete HIPAA training within 30 days of hire
  • Annual refresher training required for all personnel
  • Role-specific training for developers, security team, and support staff
  • Quarterly security awareness campaigns and phishing simulations
  • Incident response drills conducted semi-annually
  • Documentation of all training completion maintained

Vendor Management

All third-party vendors and subcontractors who may access PHI:

  • Undergo security assessments before engagement
  • Sign Business Associate Agreements with equivalent security requirements
  • Are subject to ongoing monitoring and periodic re-assessment
  • Must report security incidents within specified timeframes
  • Maintain their own HIPAA compliance programs

Infrastructure and Data Center Security

VisionScan utilizes SOC 2 Type II certified cloud infrastructure with:

  • Geographic redundancy across multiple availability zones
  • 99.99% uptime SLA with automatic failover capabilities
  • Physical security including biometric access, 24/7 surveillance, and security personnel
  • Environmental controls (fire suppression, climate control, power redundancy)
  • Network segmentation isolating PHI from other data
  • Intrusion detection and prevention systems (IDS/IPS)
  • DDoS protection and Web Application Firewall (WAF)

Patient Rights Under HIPAA

Through VisionScan's platform, patients can exercise their HIPAA rights:

  • Right to Access: Request and receive copies of their PHI within 30 days
  • Right to Amend: Request corrections to inaccurate health information
  • Right to Accounting: Receive an accounting of PHI disclosures (excluding disclosures for treatment, payment, and healthcare operations)
  • Right to Restrict: Request restrictions on certain uses and disclosures
  • Right to Confidential Communications: Request communications through specific methods
  • Right to Opt-Out: Decline certain uses of information for research or quality improvement

State Privacy Law Compliance

In addition to HIPAA, VisionScan complies with state-specific privacy laws:

  • California: CCPA/CPRA compliance for California residents
  • California Confidentiality of Medical Information Act (CMIA): Additional protections for medical information
  • State Breach Notification Laws: Compliance with all state-specific breach notification requirements
  • Biometric Privacy: Compliance with Illinois BIPA and other state biometric laws for retinal imaging

Ongoing Compliance Program

VisionScan maintains an active compliance program including:

  • Designated Privacy Officer and Security Officer with direct C-suite reporting
  • Privacy and Security Committee meeting monthly
  • Compliance monitoring and auditing program
  • Sanctions policy for workforce violations
  • Whistleblower protection and anonymous reporting hotline
  • Continuous improvement process informed by industry best practices

Certifications and Attestations

  • SOC 2 Type II (Security, Availability, Confidentiality)
  • HITRUST CSF Certified
  • ISO 27001 Certified Information Security Management System
  • FDA 510(k) Cleared Medical Device (for AI diagnostic algorithms)
  • Annual third-party HIPAA compliance audits

Questions or Concerns

For HIPAA-related questions, compliance concerns, or to exercise your privacy rights:

  • HIPAA Privacy Officer: privacy@visionscan.io
  • HIPAA Security Officer: security@visionscan.io
  • Compliance Hotline: (415) 555-0199 (available 24/7)
  • Mail: VisionScan, Inc., Attn: HIPAA Compliance Officer, 1123 Claire St, Suite 104, San Francisco, CA 94102

VisionScan's HIPAA compliance program is reviewed and updated regularly to reflect current regulations and industry best practices. This page represents our current compliance posture as of the last update date.