HIPAA Compliance

Your Data Security is Our Priority

Lighthouse Health is HIPAA compliant and serves as a Business Associate to healthcare organizations

Our Commitment

As a Business Associate serving Federally Qualified Health Centers and healthcare providers, Lighthouse Health takes HIPAA compliance seriously. We have implemented comprehensive administrative, physical, and technical safeguards to protect Protected Health Information (PHI) entrusted to us.

Business Associate Agreement (BAA)

We execute a Business Associate Agreement with all clients before any PHI is transmitted to our platform. Our BAA complies with HIPAA regulations and clearly defines:

  • Permitted uses and disclosures of PHI
  • Safeguards to protect PHI
  • Breach notification procedures
  • Subcontractor requirements
  • Audit and compliance rights
  • Termination procedures

Technical Safeguards

Encryption

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for all stored data
  • Database Encryption: Field-level encryption for sensitive data
  • Backup Encryption: All backups are encrypted

Access Controls

  • Role-Based Access: Users only see data relevant to their role
  • Multi-Factor Authentication: Available for all users
  • Session Management: Automatic timeout after inactivity
  • Audit Logging: All access and changes are logged

Infrastructure Security

  • Hosting: HIPAA-compliant AWS infrastructure
  • Database: Supabase with HIPAA compliance features
  • Firewalls: Network-level protection and intrusion detection
  • Monitoring: 24/7 system monitoring and alerting

Administrative Safeguards

Policies and Procedures

  • Comprehensive HIPAA compliance policies
  • Regular policy review and updates
  • Incident response procedures
  • Business continuity and disaster recovery plans

Workforce Training

  • Annual HIPAA training for all team members
  • Security awareness training
  • Incident response training
  • Ongoing security education

Risk Management

  • Annual risk assessments
  • Regular security audits
  • Penetration testing
  • Vulnerability scanning

Physical Safeguards

  • Data Center Security: AWS Tier III+ data centers with 24/7 security
  • Environmental Controls: Redundant power, cooling, and connectivity
  • Access Restrictions: Physical access controls and monitoring
  • Device Security: Encrypted devices, remote wipe capabilities

Data Minimization

We follow the principle of minimum necessary PHI:

  • We only collect PHI required for revenue recovery analytics
  • Clinical notes and detailed medical records are not collected
  • De-identification is used whenever possible
  • Data is retained only as long as necessary

Breach Notification

In the unlikely event of a breach:

  • Affected clients are notified within 24 hours of discovery
  • Detailed breach assessment provided
  • Mitigation steps implemented immediately
  • Regulatory reporting handled as required
  • Post-incident review and improvements

Subcontractors

All subcontractors who may access PHI are HIPAA-compliant and sign Business Associate Agreements:

  • AWS: Cloud hosting and infrastructure
  • Supabase: Database services
  • Clerk: Authentication services

Compliance Certifications

HIPAA Compliant

Full compliance with HIPAA Privacy, Security, and Breach Notification Rules

SOC 2 Type II

In progress - expected Q3 2026

HITRUST

Roadmap for 2027

Regular Audits

Annual third-party security assessments

Your Responsibilities

While we provide comprehensive safeguards, security is a shared responsibility:

  • Execute our Business Associate Agreement before uploading PHI
  • Use strong passwords and enable multi-factor authentication
  • Limit access to authorized users only
  • Report any suspected security incidents immediately
  • Follow your organization's HIPAA policies
  • Ensure uploaded data is accurate and necessary

Request Documentation

We provide comprehensive compliance documentation to support your due diligence:

  • Business Associate Agreement (BAA)
  • Security policies and procedures
  • Audit reports (upon execution of NDA)
  • Infrastructure security documentation
  • Subcontractor BAAs

Questions?

For questions about our HIPAA compliance or to report a security concern:

Security & Compliance Team

Email: security@lighthousehealthai.com

Email: privacy@lighthousehealthai.com

24/7 Security Hotline: available on enterprise engagements