HIPAA Compliance
DocLD provides features to help healthcare organizations comply with HIPAA regulations when processing documents containing Protected Health Information (PHI). See also GDPR, ISO 27001, and the Overview Security & Compliance section.
Overview
HIPAA (Health Insurance Portability and Accountability Act) protects sensitive patient health information. DocLD’s HIPAA features help you:
- Audit PHI access - Track who accesses health information
- Control access - Role-based access controls
- Detect PHI - Automatic PHI detection in content
- Manage BAAs - Business Associate Agreements
- Emergency access - Documented emergency access procedures
Enabling HIPAA Mode
HIPAA compliance features are enabled at the organization level:
- Go to Settings → Organization
- Enable HIPAA Compliance Mode
- Review and accept additional terms
- Configure HIPAA settings
When enabled:
- Additional audit logging is activated
- PHI detection runs on all content
- Deletion requires documented reasons
- Enhanced access controls apply
PHI Detection
DocLD automatically detects PHI in documents:
Detected PHI Types
| Type | Examples |
|---|---|
| Names | Patient names, provider names |
| Dates | Birth dates, admission dates |
| Identifiers | SSN, MRN, insurance IDs |
| Contact | Addresses, phone numbers, emails |
| Medical | Diagnoses, medications, procedures |
Detection Response
When PHI is detected:
- Content is flagged in audit logs
- Access is logged with PHI types
- Enhanced security headers are applied
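The page describes automatic PHI detection but not how a detector classifies content. The following is an added example, not DocLD's detector: a small Python module that finds the structured identifier types in the table with regular expressions, stands in a constructed keyword list for the free-text types (diagnoses, medications) that really need a clinical dictionary or NER model, and produces the `phi_types` / `phi_count` pair that the audit record below carries. All patterns, keyword lists and the sample note are assumptions made for this example.

```python
import re

# Illustrative regex detectors for structured PHI identifiers (assumed patterns,
# not DocLD's). Each is anchored on word boundaries to limit false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{6,10}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
}

# Free-text PHI cannot be caught by a regex alone. A constructed keyword list
# stands in for a real clinical vocabulary or NER model in this example.
MEDICAL_TERMS = {
    "diagnosis": ["diabetes", "hypertension", "pneumonia", "asthma"],
    "medication": ["metformin", "lisinopril", "amoxicillin", "insulin"],
}

# Constructed sample clinical note (fictitious identifiers) used for the demo.
SAMPLE_NOTE = (
    "Patient MRN: 00123456, DOB 03/04/1961, SSN 123-45-6789. "
    "Contact: (555) 123-4567, jane.doe@example.org. "
    "Diagnosis: Type 2 diabetes; started metformin 500mg."
)


def detect_phi(text):
    """Return {phi_type: [matched strings]} for every PHI type found in text."""
    found = {}
    for phi_type, pattern in PHI_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            found[phi_type] = matches
    lowered = text.lower()
    for phi_type, terms in MEDICAL_TERMS.items():
        matches = [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", lowered)]
        if matches:
            found[phi_type] = matches
    return found


def summarize_phi(text):
    """Produce the phi_types / phi_count pair an audit record would carry."""
    found = detect_phi(text)
    return {
        "phi_types": sorted(found),
        "phi_count": sum(len(v) for v in found.values()),
    }


def redact_phi(text):
    """Mask every regex-detected identifier so a preview or log line can be
    emitted without leaking the PHI it describes."""
    for phi_type, pattern in PHI_PATTERNS.items():
        text = pattern.sub("[" + phi_type.upper() + "]", text)
    return text


if __name__ == "__main__":
    print(summarize_phi(SAMPLE_NOTE))
    print(redact_phi(SAMPLE_NOTE))
```

Note that the audit record should carry the detected types and count, as in the JSON below, but never the matched values themselves: an audit log that contains SSNs is itself PHI and widens the breach surface. `redact_phi` is there to show what may safely be written to a log or a preview.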
Audit Logging
All PHI access is comprehensively logged:
Audit Events
| Event | Description |
|---|---|
| phi_accessed | PHI was viewed |
| phi_modified | PHI was edited |
| phi_deleted | PHI was deleted |
| phi_exported | PHI was exported |
Audit Log Fields
```json
{
  "id": "uuid",
  "user_id": "user-uuid",
  "user_email": "user@healthcare.org",
  "action": "phi_accessed",
  "resource_type": "document",
  "resource_id": "doc-uuid",
  "phi_types": ["patient_name", "medical_record_number", "diagnosis"],
  "phi_count": 15,
  "access_type": "view",
  "purpose_of_access": "Treatment review",
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "created_at": "2024-01-15T10:00:00Z"
}
```
Viewing Audit Logs
Access audit logs from:
- Settings → HIPAA → Audit Logs
- Document detail page → Audit tab
- API:
GET /api/documents/{id}/audit
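The best practices below ask for a weekly review of access logs, but the page does not say what a reviewer should look for. The following is an added example, not DocLD's code: it takes records in the Audit Log Fields layout above (a constructed sample, not real data) and flags the entries a reviewer would want to see first, namely accesses with no documented purpose, exports, unusually large PHI volumes and off-hours activity, plus per-user totals for spotting outliers. The threshold, business-hours window and sample records are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records in the layout of the Audit Log Fields block above.
# Example data only; fields not needed for the review are omitted.
SAMPLE_AUDIT = [
    {"id": "a1", "user_email": "nurse@healthcare.org", "action": "phi_accessed",
     "resource_id": "doc-1", "phi_count": 12, "purpose_of_access": "Treatment review",
     "created_at": "2024-01-15T10:00:00Z"},
    {"id": "a2", "user_email": "nurse@healthcare.org", "action": "phi_accessed",
     "resource_id": "doc-2", "phi_count": 9, "purpose_of_access": "Treatment review",
     "created_at": "2024-01-15T10:20:00Z"},
    {"id": "a3", "user_email": "billing@healthcare.org", "action": "phi_exported",
     "resource_id": "doc-3", "phi_count": 240, "purpose_of_access": "",
     "created_at": "2024-01-16T02:15:00Z"},
    {"id": "a4", "user_email": "billing@healthcare.org", "action": "phi_accessed",
     "resource_id": "doc-4", "phi_count": 4, "purpose_of_access": "Claims processing",
     "created_at": "2024-01-16T09:05:00Z"},
]


def parse_ts(value):
    """created_at is UTC with a trailing Z, which datetime.fromisoformat()
    rejects on Python versions before 3.11, so parse it explicitly."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review_audit(records, bulk_threshold=100, business_hours=(7, 19)):
    """Return (record_id, finding) pairs a weekly reviewer should examine.

    business_hours is evaluated in UTC to match created_at; convert to the
    facility's local zone before running this over real exports.
    """
    findings = []
    for r in records:
        hour = parse_ts(r["created_at"]).hour
        if not r.get("purpose_of_access", "").strip():
            # Violates the "access reason logged" requirement in HIPAA mode.
            findings.append((r["id"], "missing_purpose"))
        if r["action"] == "phi_exported":
            # PHI left the system; the documented purpose needs confirming.
            findings.append((r["id"], "export"))
        if r["phi_count"] >= bulk_threshold:
            # Far more PHI than a single-patient task needs (minimum necessary).
            findings.append((r["id"], "bulk_phi"))
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append((r["id"], "off_hours"))
    return findings


def per_user_totals(records):
    """Aggregate event count and PHI volume per user to compare against peers."""
    totals = defaultdict(lambda: {"events": 0, "phi_count": 0})
    for r in records:
        totals[r["user_email"]]["events"] += 1
        totals[r["user_email"]]["phi_count"] += r["phi_count"]
    return dict(totals)


if __name__ == "__main__":
    for record_id, finding in review_audit(SAMPLE_AUDIT):
        print(record_id, finding)
    print(per_user_totals(SAMPLE_AUDIT))
```

On the sample data the single export at 02:15 UTC with no purpose and 240 PHI items trips all four checks at once, which is the kind of entry to escalate rather than file. Entries that trip only `off_hours` are usually shift work; the value of the checks is in their combination and in comparing a user's totals against peers in the same role.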
Access Controls
HIPAA Roles
| Role | Description |
|---|---|
| covered_entity | Healthcare provider |
| business_associate | Service provider |
| workforce_member | Employee/contractor |
Role Assignment
Assign HIPAA roles to users:
- Go to Settings → HIPAA → Roles
- Select user
- Assign appropriate role
- Document assignment reason
Access Requirements
When HIPAA mode is enabled:
| Operation | Requirements |
|---|---|
| View document | Access reason logged |
| Delete document | Deletion reason required |
| Export data | Purpose documented |
Business Associate Agreements
Manage BAAs for service providers:
Creating a BAA
- Go to Settings → HIPAA → BAAs
- Click Add Business Associate
- Enter BA details:
- Name and contact
- Agreement URL
- Effective dates
- Upload signed agreement
BAA Fields
```json
{
  "id": "uuid",
  "organization_id": "org-uuid",
  "ba_name": "Processing Service Inc",
  "ba_contact": "John Smith",
  "ba_email": "john@processing.com",
  "agreement_url": "https://...",
  "signed_at": "2024-01-01T00:00:00Z",
  "expires_at": "2025-01-01T00:00:00Z",
  "status": "active"
}
```
BAA Statuses
| Status | Description |
|---|---|
| active | Agreement in effect |
| expired | Agreement expired |
| terminated | Agreement terminated |
Emergency Access
For break-the-glass scenarios:
Requesting Emergency Access
- Go to Settings → HIPAA → Emergency Access
- Click Request Emergency Access
- Provide:
- Reason for emergency
- Justification
- Resources needed
- Access is granted and logged
Emergency Access Log
```json
{
  "id": "uuid",
  "user_id": "requesting-user",
  "emergency_user_id": "user-granted-access",
  "reason": "Medical emergency",
  "justification": "Patient in critical condition, need immediate record access",
  "granted_at": "2024-01-15T10:00:00Z",
  "revoked_at": "2024-01-15T11:00:00Z"
}
```
Security Headers
Responses that return PHI carry these headers. The audit id ties the response to its audit record, and Cache-Control: no-store with Pragma: no-cache keeps PHI out of browser and intermediary caches:
```http
X-HIPAA-Audit-Id: audit-uuid
X-HIPAA-Access-Logged: true
Cache-Control: no-store
Pragma: no-cache
```
API Headers
When accessing PHI via API:
Required Headers
| Header | Description |
|---|---|
| X-Access-Reason | Purpose of access |
| X-Deletion-Reason | Reason for deletion (delete operations) |
Example
```bash
curl -X GET "/api/documents/{id}" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Access-Reason: Treatment review for patient care"
```
Session Management
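The page shows the headers a client must send and the headers a PHI response carries, but not the server-side enforcement that connects them to the audit record. The following is an added example, not DocLD's implementation: a minimal request handler in Python that refuses a PHI read without X-Access-Reason and a delete without X-Deletion-Reason, writes a record in the Audit Log Fields layout, and returns the security headers from the previous section with the new audit id. The in-memory document store, the header-to-method mapping and the user object are assumptions made for this example.

```python
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the document store: document id -> PHI metadata
# produced by detection. Example data, not DocLD's schema.
DOCUMENTS = {
    "doc-1": {"phi_types": ["patient_name", "diagnosis"], "phi_count": 3},
}

# In-memory audit trail; records follow the Audit Log Fields layout on this page.
AUDIT_LOG = []

# Which reason header each method must carry (assumed mapping for this example).
REQUIRED_REASON_HEADER = {"GET": "X-Access-Reason", "DELETE": "X-Deletion-Reason"}

# Sent on every PHI response, including refusals, so nothing is cached.
PHI_RESPONSE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def handle_phi_request(method, path, headers, user, remote_addr):
    """Gate a PHI document request on its reason header and audit it.

    Returns (status, response_headers, body). remote_addr must be the
    connection's peer address or a trusted proxy's value, never a
    client-supplied header, because it is written into the audit record.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    doc_id = path.rstrip("/").rsplit("/", 1)[-1]
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, dict(PHI_RESPONSE_HEADERS), {"error": "not found"}

    reason_header = REQUIRED_REASON_HEADER.get(method)
    reason = hdrs.get(reason_header.lower(), "").strip() if reason_header else ""
    if reason_header and not reason:
        # Refuse rather than write an audit record with an empty purpose_of_access.
        return 400, dict(PHI_RESPONSE_HEADERS), {
            "error": reason_header + " header is required in HIPAA mode"
        }

    audit_id = str(uuid.uuid4())
    AUDIT_LOG.append({
        "id": audit_id,
        "user_id": user["id"],
        "user_email": user["email"],
        "action": "phi_deleted" if method == "DELETE" else "phi_accessed",
        "resource_type": "document",
        "resource_id": doc_id,
        "phi_types": list(doc["phi_types"]),
        "phi_count": doc["phi_count"],
        "access_type": "delete" if method == "DELETE" else "view",
        "purpose_of_access": reason,
        "ip_address": remote_addr,
        "user_agent": hdrs.get("user-agent", ""),
        "created_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    if method == "DELETE":
        del DOCUMENTS[doc_id]

    response_headers = dict(PHI_RESPONSE_HEADERS)
    response_headers["X-HIPAA-Audit-Id"] = audit_id
    response_headers["X-HIPAA-Access-Logged"] = "true"
    return 200, response_headers, {"id": doc_id, "phi_types": doc["phi_types"]}


if __name__ == "__main__":
    demo_user = {"id": "user-1", "email": "nurse@healthcare.org"}
    print(handle_phi_request("GET", "/api/documents/doc-1", {}, demo_user, "10.0.0.5"))
    print(handle_phi_request("GET", "/api/documents/doc-1",
                             {"X-Access-Reason": "Treatment review"}, demo_user, "10.0.0.5"))
    print(AUDIT_LOG[-1])
```

The audit record is appended before the delete is carried out and the audit id is only issued once the record exists, so a response can never claim X-HIPAA-Access-Logged: true for an access that was not written. The reason header is a free-text field supplied by the caller; it documents intent for later review and is not itself an authorisation check, which still has to happen on the caller's role.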
HIPAA sessions have enhanced controls:
- Auto-logout - Sessions expire after inactivity
- Session tracking - All sessions logged
- Concurrent session limits - Configurable limits
Data Protection
Encryption
| Layer | Method |
|---|---|
| At rest | AES-256 |
| In transit | TLS 1.3 |
| Backups | Encrypted |
Access Logging
All access is logged:
- Who accessed what
- When access occurred
- From what IP/device
- Purpose of access
Best Practices
- Document everything - Log access reasons
- Minimum necessary - Only access needed PHI
- Regular audits - Review access logs weekly
- Training - Ensure staff understand HIPAA
- BAAs in place - Have agreements with all BAs
- Incident response - Know breach procedures
Technical Safeguards
DocLD implements:
- Unique user identification
- Emergency access procedures
- Automatic logoff
- Encryption and decryption
- Audit controls
- Integrity controls
- Authentication
- Transmission security