HIPAA compliance.

Complete compliance matrix. What is live today and what is in process. The honest accounting is a governance signal.

HIPAA Requirement	How HarnessHealth addresses it	Status
BAA with covered entities	Available on request	Available
PHI encryption at rest	Supabase AES-256 encryption	Live
PHI encryption in transit	TLS 1.3 via Railway (SOC 2 Type II)	Live
Access controls	Row-level security in Supabase	Live
Audit logging	Every attestation event logged with NPI, timestamp, and document hash	Live
No PHI in AI training	Confirmed — AI API calls include no persistent PHI retention by model provider	Live
Minimum necessary standard	Role-based data access enforced at API layer	Live
Business Associate status	HarnessHealth operates as a Business Associate for covered entity partners	BAA available
Breach notification	60-day notification per HIPAA Rule; policy documented	Policy available
SSO architecture	One Supabase identity across all 45+ ecosystem sites; no PHI fragmentation	Live
FHIR R4 compliant output	Open source connectors, MIT licensed	Live
OIG AO 25-03 alignment	Flat per-encounter fee structure, not percentage-based	Live
Formal Security Risk Assessment	In process	Q2 2026
Penetration test report	In schedule	Q2 2026
FDA device registration	Required for RTM billing via CPT 98975-98981	In process

Request a BAA

Business Associate Agreements are available for covered entity partners. The BAA is available within 2 business days of a qualified request. Submit your request via the health systems evaluation form.

Request a BAA