HIPAA Business Associate Self-Attestation
Effective: 2026-04-24 · Issued by: PracticeIQ LLC · Reviewed quarterly
This is a self-attestation, not a third-party audit.
The controls below are implemented and maintained by PracticeIQ. This document is legally valid for Business Associate Agreement (BAA) purposes and is what most small-to-mid specialty practices need. For DSO-scale customers, our SOC 2 Type 1 is in progress (target Q3 2026).
Role
PracticeIQ operates as a Business Associate (per 45 CFR § 160.103) of the dental / medical practices (Covered Entities) who contract with us. We access, process, and store Protected Health Information (PHI) strictly to provide the AI receptionist service described in each BAA.
Privacy Rule — 45 CFR Part 164 Subpart E
- PHI is used and disclosed only as permitted by the executed BAA (treatment/payment/operations of the Covered Entity).
- Minimum Necessary: our RAG retrieval limits context to 5 knowledge chunks per LLM call, scoped to the Covered Entity's clinic_id.
- Every BAA is signed before any PHI transmission or storage begins.
- PHI is never used for model fine-tuning or marketing, and is never sold to any third party.
- Subprocessors (AWS, Vapi, Twilio, Google Gemini, Resend) each have signed BAAs or DPAs as required.
Security Rule — 45 CFR § 164.308, .310, .312
Administrative safeguards (§ 164.308)
- Designated Security Officer (Christian Garcia, founder).
- Risk analysis + management program reviewed quarterly.
- Workforce clearance: single-founder phase; staff additions require signed confidentiality + annual training.
- Sanction policy documented in internal runbook.
- Information system activity review: automated audit_log triggers on every PHI write.
- Contingency plan: S3 offsite backups (encrypted, versioned), 7-year retention, tested restore procedure.
- Emergency access procedure: documented SSH + SSM break-glass paths with audit trail.
Physical safeguards (§ 164.310)
- All PHI hosted on AWS us-east-2 (SOC 2 + HIPAA-eligible). No physical servers owned by PracticeIQ.
- AWS executes BAA covering data-center physical security.
- Workforce device access: founder-only, encrypted laptop, FileVault + strong password + 2FA on cloud consoles.
Technical safeguards (§ 164.312)
- Access control: per-user authentication (bcrypt cost-12) + session tokens + automatic logoff (30-day max session).
- Audit controls: PostgreSQL triggers log every PHI table INSERT/UPDATE/DELETE to audit_log with PHI fields redacted (verified via 176-scenario soak test suite).
- Integrity: content hash signed on every clinical note attestation (tamper detection).
- Transmission security: TLS 1.2+ everywhere, DKIM-signed email, HMAC-verified webhooks (Vapi, Twilio, Stripe).
- Encryption at rest: KMS-encrypted EBS volume; SSE-AES256 on S3 objects; SSM Parameter Store for secrets.
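One way to implement the audit-control item above (a PostgreSQL trigger that records every INSERT/UPDATE/DELETE on a PHI table while keeping PHI values out of the audit log). This is an added example, not PracticeIQ's code and not its public.audit_redact_phi(); the table and column names, the PHI column list and the role name are assumptions.

```sql
-- Added illustration (not PracticeIQ's own code): a write-audit trigger that
-- logs each INSERT/UPDATE/DELETE on a PHI table and replaces PHI column values
-- with a marker before they reach audit_log. Table/column names are assumptions.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    clinic_id   integer,
    table_name  text NOT NULL,
    operation   text NOT NULL,              -- INSERT, UPDATE or DELETE
    row_id      bigint,
    db_user     text NOT NULL DEFAULT current_user,
    old_row     jsonb,                      -- redacted image before the write
    new_row     jsonb                       -- redacted image after the write
);

-- Columns treated as PHI in this example; their values are stored as
-- '[REDACTED]' so the audit log never becomes a second PHI store.
CREATE FUNCTION redact_phi_example(row_data jsonb) RETURNS jsonb
LANGUAGE sql IMMUTABLE AS $$
    SELECT COALESCE(
        jsonb_object_agg(
            e.key,
            CASE WHEN e.key = ANY (ARRAY['patient_name', 'phone', 'email',
                                         'dob', 'transcript', 'notes'])
                 THEN to_jsonb('[REDACTED]'::text)
                 ELSE e.value
            END),
        '{}'::jsonb)
    FROM jsonb_each(row_data) AS e;
$$;

CREATE FUNCTION audit_phi_write_example() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    v_old    jsonb;
    v_new    jsonb;
    v_id     bigint;
    v_clinic integer;
BEGIN
    -- OLD is unset on INSERT and NEW is unset on DELETE, so branch on TG_OP
    -- rather than touching both records unconditionally.
    IF TG_OP = 'INSERT' THEN
        v_new := redact_phi_example(to_jsonb(NEW));
        v_id := NEW.id; v_clinic := NEW.clinic_id;
    ELSIF TG_OP = 'UPDATE' THEN
        v_old := redact_phi_example(to_jsonb(OLD));
        v_new := redact_phi_example(to_jsonb(NEW));
        v_id := NEW.id; v_clinic := NEW.clinic_id;
    ELSE  -- DELETE
        v_old := redact_phi_example(to_jsonb(OLD));
        v_id := OLD.id; v_clinic := OLD.clinic_id;
    END IF;

    INSERT INTO audit_log (clinic_id, table_name, operation, row_id, old_row, new_row)
    VALUES (v_clinic, TG_TABLE_NAME, TG_OP, v_id, v_old, v_new);
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END;
$$;

-- Sample PHI table, constructed for this example.
CREATE TABLE calls (
    id           bigserial PRIMARY KEY,
    clinic_id    integer NOT NULL,
    patient_name text,
    phone        text,
    transcript   text,
    status       text NOT NULL DEFAULT 'open'
);

CREATE TRIGGER calls_audit
AFTER INSERT OR UPDATE OR DELETE ON calls
FOR EACH ROW EXECUTE FUNCTION audit_phi_write_example();

-- The application role must not be able to rewrite its own history.
-- 'app_role' is an assumption; uncomment once that role exists.
-- REVOKE UPDATE, DELETE ON audit_log FROM app_role;

-- Exercise the trigger: one row created, updated, then deleted.
INSERT INTO calls (clinic_id, patient_name, phone, transcript)
VALUES (42, 'Jane Example', '+1-555-0100', 'caller asked about a cleaning');
UPDATE calls SET status = 'scheduled' WHERE clinic_id = 42;
DELETE FROM calls WHERE clinic_id = 42;

-- Three audit rows: clinic_id and status appear in clear, while
-- patient_name, phone and transcript appear only as "[REDACTED]".
SELECT operation, clinic_id, old_row, new_row FROM audit_log ORDER BY id;
```

The redaction happens inside the trigger, before the row image is written, so the audit_log table holds no PHI even if it is later read by a wider set of roles than the clinical tables. Keeping clinic_id and operation in clear is what makes the cross-tenant and bulk-write pattern checks mentioned under the Breach Notification Rule possible without re-exposing patient data.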
Breach Notification Rule — 45 CFR § 164.400–414
- Written breach response plan with 60-day notification deadline to Covered Entities.
- Automated alerting on anomalous audit log patterns (bulk reads, cross-tenant access attempts).
- Public incident disclosure via /status page within 24 hours of discovery.
- Annual tabletop exercise scheduled (first one Q3 2026).
Verifiable evidence
Everything above is backed by running code and automated tests:
- Full soak test suite: 176 adversarial scenarios × 20 consecutive passes (public summary)
- Audit log PHI redactor: public.audit_redact_phi() (stripped fields documented)
- Subprocessor list with signed BAAs/DPAs: /legal/subprocessors
- Uptime + service health: /status
Attestation
I attest that the controls described above are implemented and maintained as of the effective date. This attestation is self-certified by PracticeIQ LLC and is valid for BAA execution with dental and medical practices. Any material change to these controls will update the "effective" date and be disclosed to active customers within 30 days.
Christian Garcia
Security Officer, PracticeIQ LLC
christian@practiceiq.tech