# HIPAA (backend)

## 🟢 *<mark style="color:red;">100%</mark>*. Compliant. <mark style="color:purple;">Backend</mark>.

* **Server Management**
  * We run our own self-hosted servers.
  * Everything runs inside a fully private network; no server is reachable directly from the public internet.
  * We are responsible for all security configuration ourselves (firewalls, patching and updates, application security).
  * All of these controls are in place, and are described in the sections below.

{% content-ref url="/pages/pD0nMCoibNNyguZMv5LF" %}
[Compliant LLM Gateway](/lisaiceland/platform+/subprocessors/compliant-llm-gateway.md)
{% endcontent-ref %}

* **Security Software**
  * We have installed and configured our own security software (antivirus, intrusion detection).
* ***Firewalls and antivirus alone are not enough for HIPAA***
  * We know this. We have taken steps to close all gaps.
  * HIPAA is a comprehensive framework requiring policies, procedures, and specific technical safeguards.
  * We have these in place.

{% content-ref url="/pages/H5L4SlZuxVJvnS8az15Y" %}
[Security+](/lisaiceland/platform+/security+.md)
{% endcontent-ref %}

## 🟢 Specific. <mark style="color:purple;">Services</mark>. Implemented.

<figure><img src="/files/58kDUhqnpYedWt18KBxg" alt=""><figcaption></figcaption></figure>

* [x] private networking
* [x] dedicated servers/colocation
* [x] configuring advanced security (encryption, access controls, logging)
* [x] signing a Business Associate Agreement (BAA) with Contabo
* [x] and implementing strict protocols for
  * data handling
  * access
  * backup
  * and disaster recovery

> ### Compliance is a shared responsibility requiring technical setup *<mark style="color:red;">**and**</mark>* robust policies for ePHI.

### **Key Steps Taken:**

* [x] **The Right Infrastructure:**

- **Dedicated Servers/Colocation**
  * We have implemented dedicated servers for greater control and isolation, rather than shared hosting, as PHI needs secure, isolated environments.
- **Private Networking**
  * We use the provider's private networking feature so that server-to-server traffic stays on an isolated network, separate from the public internet.

* [x] **Implement Technical Safeguards:**

- **Encryption**
  * We encrypt all Protected Health Information (PHI) both "at rest" (on the server's storage) and "in transit" (TLS for all web traffic).
- **Access Controls**
  * We have set up strong user authentication (2FA), unique logins per person, and role-based access to limit who can see ePHI.
- **Audit Logs & Monitoring**
  * We have enabled detailed logging of all access and activity on the server and monitor for suspicious events in real time.
- **Secure File Transfer**
  * We use SFTP (SSH File Transfer Protocol) for all data transfers.
  * We also use SSH (Secure Shell) for remote administration of our servers. SSH establishes an encrypted, integrity-protected channel (by default over TCP port 22) and authenticates both the server (via its host key) and the user, so credentials and data are protected even when they cross an untrusted network.
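The "audit logs & monitoring" and "secure file transfer" points above are only useful if someone actually evaluates the SSH audit trail. The following is an added example (not code from this project or page) of the kind of detection logic that turns sshd log lines into findings: it flags password-guessing bursts from one source, any login that did not use key-based authentication, and any accepted login from outside the private network. The log lines, the host name `phi-db`, the private address ranges and the brute-force threshold are all constructed assumptions for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log format (not real logs; host name assumed).
SAMPLE_LOG = """\
Jan 12 10:03:21 phi-db sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:03:24 phi-db sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 12 10:03:27 phi-db sshd[2313]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 10:03:30 phi-db sshd[2314]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 12 10:03:33 phi-db sshd[2315]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 12 10:04:01 phi-db sshd[2320]: Accepted publickey for alice from 10.0.0.5 port 40112 ssh2: ED25519 SHA256:Yk3s9dJX0e1nF2Gh4Ij6Kl8Mn0Op2Qr4St6Uv8Wx0Yz
Jan 12 10:06:45 phi-db sshd[2331]: Accepted password for bob from 198.51.100.9 port 50001 ssh2
Jan 12 10:07:10 phi-db sshd[2340]: Accepted publickey for carol from 10.0.0.7 port 40200 ssh2: ED25519 SHA256:Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Yz3Ab4Cd
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Assumed policy for this example: sshd is only reachable from these private networks,
# only key-based authentication is permitted, and 5 failures from one source within
# 2 minutes is treated as a brute-force attempt.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_METHODS = {"publickey"}
BRUTE_THRESHOLD = 5
BRUTE_WINDOW = timedelta(minutes=2)


def parse_ts(ts):
    # syslog timestamps carry no year; that is fine for relative windowing within one log
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def analyze(log_text):
    """Return a list of (rule, detail) findings, in log order."""
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    reported_brute = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]

        f = FAILED_RE.match(msg)
        if f:
            ip = f["ip"]
            # keep only failures inside the sliding window, then add this one
            window = [t for t in failures[ip] if ts - t <= BRUTE_WINDOW] + [ts]
            failures[ip] = window
            if len(window) >= BRUTE_THRESHOLD and ip not in reported_brute:
                reported_brute.add(ip)
                findings.append(("brute_force", f"{len(window)} failures from {ip} within {BRUTE_WINDOW}"))
            continue

        a = ACCEPTED_RE.match(msg)
        if a:
            user, ip, method = a["user"], a["ip"], a["method"]
            if method not in ALLOWED_METHODS:
                findings.append(("disallowed_auth_method", f"{user} from {ip} via {method}"))
            if not is_private(ip):
                findings.append(("login_from_outside_private_network", f"{user} from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

On the constructed sample this yields three findings: a brute-force burst from 203.0.113.7, and two for bob's session (password authentication, and a source outside the private ranges). In production the same rules would run against the live journal or a log shipper's stream rather than a string, and every finding should be written to an append-only store so the audit trail itself cannot be edited by the account that triggered it.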

* [x] **Address Administrative & Physical Safeguards:**

- **Risk Assessments**
  * We conduct regular, documented risk assessments of our server environment.
- **Data Backup & Recovery**
  * We take secure, regular backups of ePHI and test the disaster recovery plan that restores them.
- **Breach Notification Plan**
  * We have clear procedures for detecting, responding to, and reporting data breaches.
- [**Zero Trust Architecture**](https://en.wikipedia.org/wiki/Zero_trust_architecture)

{% content-ref url="/pages/UuEKJTHcgkD0c5kkHEeO" %}
[Zero Trust Architecture](/lisaiceland/platform+/subprocessors/zero-trust-architecture.md)
{% endcontent-ref %}

* [**Business Associate Agreement (BAA)**](https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf)

{% content-ref url="/pages/ZdiLlpsvZKtmZRfhWQ3v" %}
[BAA](/lisaiceland/privacy+/hipaa-or-soc2-or-pci/hipaa/baa.md)
{% endcontent-ref %}

## 🟢 HIPAA-Compliant. <mark style="color:purple;">Frontend</mark>.

{% content-ref url="/pages/P3iHwVPYapmt5DcsJm8Z" %}
[HIPAA (frontend)](/lisaiceland/privacy+/hipaa-or-soc2-or-pci/hipaa/hipaa-frontend.md)
{% endcontent-ref %}

## 🟢 PCI <mark style="color:purple;">DSS</mark>. SOC2. <mark style="color:purple;">Compliance</mark>.

{% content-ref url="/pages/8ptP0Uu63pyd41Tz8Gk2" %}
[SOC-2 Type II](/lisaiceland/privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii.md)
{% endcontent-ref %}

{% content-ref url="/pages/T8dGT7G5BB6uWtvVypaZ" %}
[PCI DSS](/lisaiceland/privacy+/hipaa-or-soc2-or-pci/pci-dss.md)
{% endcontent-ref %}

## 🟢 Compliant. *<mark style="color:purple;">Subprocessors</mark>*.

{% content-ref url="/pages/zOdTb60zu7o6SbmAMjVq" %}
[Compliant Subprocessors](/lisaiceland/platform+/subprocessors/compliant-subprocessors.md)
{% endcontent-ref %}
