1. Our Commitment
AutoClawed recognizes the critical importance of protecting Protected Health Information (PHI) in the healthcare industry. We are committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable regulations issued by the U.S. Department of Health and Human Services (HHS).
As a provider of AI automation services to healthcare organizations, AutoClawed operates as a Business Associate under HIPAA when our services involve the creation, receipt, maintenance, or transmission of PHI on behalf of Covered Entities.
2. Business Associate Agreements
Before handling any PHI, AutoClawed enters into a Business Associate Agreement (BAA) with each healthcare client. Our BAA covers:
- Permitted uses and disclosures of PHI
- Obligations to safeguard PHI using appropriate safeguards
- Requirements to report breaches and security incidents
- Requirements for subcontractor compliance
- Client rights to access, amendment, and accounting of disclosures
- Return or destruction of PHI upon termination
If you require a BAA, please contact us to initiate the process.
3. Administrative Safeguards
We maintain comprehensive administrative safeguards to protect PHI:
- Security Officer: A designated HIPAA Security Officer oversees all compliance activities
- Workforce Training: All employees with access to PHI receive mandatory HIPAA training upon hiring and annually thereafter
- Access Management: Role-based access controls ensure employees only access the minimum necessary PHI required for their job function
- Risk Assessments: Annual comprehensive risk assessments identify vulnerabilities and inform our security strategy
- Incident Response: Documented incident response procedures for identifying, containing, and reporting security incidents
- Sanction Policy: Clear disciplinary measures for employees who violate HIPAA policies
- Contingency Planning: Data backup, disaster recovery, and emergency mode operation plans are in place and regularly tested
4. Physical Safeguards
- Facility Access Controls: Physical access to systems containing PHI is restricted to authorized personnel
- Workstation Security: All workstations with PHI access are secured with automatic locks, encryption, and access controls
- Device Management: Portable devices are encrypted and subject to remote wipe capabilities
- Disposal Procedures: Hardware and media containing PHI are securely wiped or destroyed before disposal
5. Technical Safeguards
Encryption
All PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256). End-to-end encryption is applied to all data transfers.
Access Controls
Multi-factor authentication, unique user IDs, automatic session timeouts, and role-based permissions.
Audit Logging
Comprehensive audit trails record all access to PHI, including who accessed what, when, and from where.
Integrity Controls
Mechanisms to ensure PHI is not improperly altered or destroyed, with checksums and version control.
Transmission Security
All PHI transmitted electronically is protected against unauthorized access during transmission.
Network Security
Firewalls, intrusion detection, vulnerability scanning, and network segmentation to isolate PHI systems.
6. AI-Specific Safeguards
Given our use of AI technology in healthcare automation, we implement additional safeguards specific to AI processing of PHI:
- Data Minimization: Our AI systems process only the minimum necessary PHI required to perform the automation task
- No Training on PHI: Client PHI is never used to train our AI models without explicit written consent and appropriate de-identification
- Isolated Processing: PHI is processed in isolated, dedicated environments — never commingled with other clients' data
- Output Validation: AI-generated outputs involving PHI are subject to accuracy checks and validation protocols
- Audit Trails: All AI interactions with PHI are logged for compliance and review purposes
- Human Oversight: Critical decisions involving PHI include human-in-the-loop review capabilities
7. Breach Notification
In the event of a breach of unsecured PHI, AutoClawed will:
- Notify the affected Covered Entity within 24 hours of discovery (stricter than the HIPAA maximum of 60 days)
- Provide detailed information about the breach including the nature and extent of PHI involved
- Identify the individuals whose PHI was or may have been compromised
- Describe the steps taken to investigate and mitigate the breach
- Cooperate fully with the Covered Entity's breach response and notification process
- Implement corrective actions to prevent future incidents
8. Subcontractor Management
When AutoClawed engages subcontractors that may access PHI, we:
- Execute BAAs with all subcontractors before granting access to PHI
- Perform due diligence assessments of subcontractor security practices
- Regularly audit subcontractor compliance with HIPAA requirements
- Maintain a current inventory of all subcontractors with PHI access
9. Patient Rights
AutoClawed supports Covered Entities in fulfilling patient rights under HIPAA, including:
- Right to Access: We facilitate timely access to PHI maintained in our systems
- Right to Amendment: We support requests to amend PHI and maintain records of amendments
- Right to Accounting of Disclosures: We maintain logs of disclosures and provide them upon request
- Right to Request Restrictions: We accommodate reasonable restrictions on PHI use and disclosure
- Right to Confidential Communications: We support alternative communication channels when requested
10. Minimum Necessary Standard
AutoClawed adheres to the HIPAA Minimum Necessary Standard. We limit the use, disclosure, and requests for PHI to the minimum amount necessary to accomplish the intended purpose. This is enforced through:
- Role-based access controls aligned with job responsibilities
- Data segmentation and field-level access restrictions
- Regular reviews of access permissions
- AI systems configured to access only required data fields
11. Regular Audits & Assessments
AutoClawed conducts regular compliance activities including:
- Annual HIPAA risk assessments
- Quarterly internal security audits
- Annual penetration testing by third-party security firms
- Ongoing vulnerability scanning and remediation
- Periodic review and update of all HIPAA policies and procedures
12. De-Identification
When PHI is used for analytics, reporting, or service improvement, AutoClawed applies de-identification methods compliant with HIPAA standards using either:
- Expert Determination Method (§164.514(b)(1)): A qualified statistical expert certifies that the risk of identification is very small
- Safe Harbor Method (§164.514(b)(2)): All 18 specified identifiers are removed from the data set
13. Questions & BAA Requests
If you have questions about our HIPAA compliance practices or would like to request a Business Associate Agreement, please contact us:
AutoClawed — HIPAA Compliance
Contact Form
Website: autoclawed.com
For urgent security concerns or to report a potential breach, please reach out immediately through our contact form with "URGENT: Security" in the message.