HIPAA
Security and Privacy Rule controls under 45 CFR §164.
42 CFR Part 2
Substance use disorder data with explicit consent + re-disclosure.
BAA / DPA
Business Associate Agreement + Data Processing Addendum.
Sub-processors
Current sub-processor list.
Data Residency
US, EU, and customer-VPC options.
Encryption
AES-256 at rest, TLS 1.3 in transit.
Audit Logging
WORM audit + Merkle integrity.
Row-Level Security
Tenant isolation at the database layer.
Certification posture
What’s next
HIPAA controls
Section-by-section implementation.
42 CFR Part 2
SUD data controls.
Encryption
Keys, rotation, KMS.
Audit Logging
WORM audit details.