HIPAA

HIPAA compliance, built in.

When your agency dispatches medical care, the data is medical data. Hatzalah.Live operates as a HIPAA business associate by default — with BAAs, safeguards, and audit trails to back it up.

OUR COMMITMENTS

What we do for every covered entity

These are the table-stakes commitments we make in every BAA we sign. Detailed safeguards are below.

BAAs available
We sign a Business Associate Agreement with every covered entity before any PHI is processed.

Encryption in transit
TLS 1.2+ enforced on every endpoint with HSTS and modern cipher suites. Encryption-at-rest is on our roadmap as we expand managed-database coverage.

Access controls
Role-based access, MFA-enforced admin login, least-privilege defaults, and time-limited support access.

Audit logging
PHI reads, writes, and configuration changes are logged with user, timestamp, and IP. Retention is configured to meet your BAA's requirements.

Workforce training
Personnel with PHI access complete HIPAA training as part of onboarding and on policy updates.

Breach notification
Documented incident-response procedures and contractual commitments for timely notification of suspected breaches.

SAFEGUARDS

Administrative, technical & physical

A layered approach to protecting PHI — across people, systems, and facilities.

Administrative safeguards

  • Designated Security Officer and Privacy Officer.
  • Documented policies, procedures, and risk assessments reviewed annually.
  • Workforce training, sanctions policy, and access-management procedures.
  • Vendor risk management for all subprocessors handling PHI.

Technical safeguards

  • Encryption in transit (TLS 1.2+) on every endpoint.
  • Multi-factor authentication for all admin access.
  • Tenant isolation at the database and application layers.
  • Continuous monitoring with intrusion detection and alerting.

Physical safeguards

  • Hosted on US-based public cloud infrastructure that operates SOC 2 Type II audited data centers.
  • Physical security (biometric / badge access, environmental controls) is managed by the hosting provider.
  • Redundant power, cooling, and network connectivity at the hosting layer.
  • Media handling and disposal in accordance with the hosting provider's published controls.

IMPORTANT

HIPAA is a shared responsibility

No platform alone makes an organization HIPAA-compliant. Hatzalah.Live provides the technical and administrative controls a covered entity needs from a business associate; your agency remains responsible for workforce training, policies, and physical safeguards within its own environment.

If you have specific HIPAA questions or need our BAA, full security questionnaire response, or details on a particular control, email [email protected].

COMPLIANCE READY

Need our BAA or security questionnaire?

We respond to compliance requests within one business day, including DDQs, SIG, and HECVAT.