Lighthouse Health is HIPAA compliant and serves as a Business Associate to healthcare organizations
Our Commitment
As a Business Associate serving Federally Qualified Health Centers and healthcare providers, Lighthouse Health takes HIPAA compliance seriously. We have implemented comprehensive administrative, physical, and technical safeguards to protect Protected Health Information (PHI) entrusted to us.
Business Associate Agreement (BAA)
We execute a Business Associate Agreement with all clients before any PHI is transmitted to our platform. Our BAA complies with HIPAA regulations and clearly defines:
- Permitted uses and disclosures of PHI
- Safeguards to protect PHI
- Breach notification procedures
- Subcontractor requirements
- Audit and compliance rights
- Termination procedures
Technical Safeguards
Encryption
- Data in Transit: TLS 1.3 encryption for all data transmission
- Data at Rest: AES-256 encryption for all stored data
- Database Encryption: Field-level encryption for sensitive data
- Backup Encryption: All backups are encrypted
Access Controls
- Role-Based Access: Users only see data relevant to their role
- Multi-Factor Authentication: Available for all users
- Session Management: Automatic timeout after inactivity
- Audit Logging: All access and changes are logged
Infrastructure Security
- Hosting: HIPAA-compliant AWS infrastructure
- Database: Supabase with HIPAA compliance features
- Firewalls: Network-level protection and intrusion detection
- Monitoring: 24/7 system monitoring and alerting
Administrative Safeguards
Policies and Procedures
- Comprehensive HIPAA compliance policies
- Regular policy review and updates
- Incident response procedures
- Business continuity and disaster recovery plans
Workforce Training
- Annual HIPAA training for all team members
- Security awareness training
- Incident response training
- Ongoing security education
Risk Management
- Annual risk assessments
- Regular security audits
- Penetration testing
- Vulnerability scanning
Physical Safeguards
- Data Center Security: AWS Tier III+ data centers with 24/7 security
- Environmental Controls: Redundant power, cooling, and connectivity
- Access Restrictions: Physical access controls and monitoring
- Device Security: Encrypted devices, remote wipe capabilities
Data Minimization
We follow the principle of minimum necessary PHI:
- We only collect PHI required for revenue recovery analytics
- Clinical notes and detailed medical records are not collected
- De-identification is used whenever possible
- Data is retained only as long as necessary
Breach Notification
In the unlikely event of a breach:
- Affected clients are notified within 24 hours of discovery
- Detailed breach assessment provided
- Mitigation steps implemented immediately
- Regulatory reporting handled as required
- Post-incident review and improvements
Subcontractors
All subcontractors who may access PHI are HIPAA-compliant and sign Business Associate Agreements:
- AWS: Cloud hosting and infrastructure
- Supabase: Database services
- Clerk: Authentication services
Compliance Certifications
HIPAA Compliant
Full compliance with HIPAA Privacy, Security, and Breach Notification Rules
SOC 2 Type II
In progress - expected Q3 2026
Regular Audits
Annual third-party security assessments
Your Responsibilities
While we provide comprehensive safeguards, security is a shared responsibility:
- Execute our Business Associate Agreement before uploading PHI
- Use strong passwords and enable multi-factor authentication
- Limit access to authorized users only
- Report any suspected security incidents immediately
- Follow your organization's HIPAA policies
- Ensure uploaded data is accurate and necessary
Request Documentation
We provide comprehensive compliance documentation to support your due diligence:
- Business Associate Agreement (BAA)
- Security policies and procedures
- Audit reports (upon execution of NDA)
- Infrastructure security documentation
- Subcontractor BAAs
Questions?
For questions about our HIPAA compliance or to report a security concern:
Security & Compliance Team
Email: security@lighthousehealthai.com
Email: privacy@lighthousehealthai.com
24/7 Security Hotline: available on enterprise engagements