HIPAA Compliance

How ClaimVise protects PHI.

ClaimVise is built for healthcare. Every layer of the platform — agents, storage, audit trail, AI inference — operates under HIPAA-eligible infrastructure with cryptographic integrity verification. This page documents our compliance posture in detail.

Business Associate Agreement.

ClaimVise signs a Business Associate Agreement (BAA) with every customer that processes Protected Health Information (PHI) through our platform. The BAA documents our obligations under HIPAA's Privacy Rule (45 CFR Part 164 Subpart E), Security Rule (Subpart C), and Breach Notification Rule (Subpart D).

Our infrastructure operates under an executed AWS Business Associate Addendum, signed May 22, 2026 between Innodel Technologies Pvt Ltd and Amazon Web Services. All Claude inference routes through AWS Bedrock under that BAA, meaning PHI never leaves a HIPAA-eligible AWS region during AI processing.

Technical safeguards.

Encryption in transit

All connections to ClaimVise use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and the includeSubDomains directive. We use modern cipher suites with forward secrecy.

Encryption at rest

Database storage is encrypted using AES-256 at the volume level via AWS Key Management Service. File uploads (clinical notes, MAR data, attachments) are encrypted at rest in object storage with server-side encryption enabled by default. Backup snapshots inherit the same encryption.

Audit trail with cryptographic integrity

Every PHI access event, every agent decision, every supervisor override, and every claim modification is logged with a SHA-256 integrity hash computed over the canonical representation of the event. On every read of an audit record, the hash is recomputed and verified. A mismatch is treated as evidence of tampering and is escalated to a security incident.

This satisfies HIPAA §164.312(b) (Audit controls) and §164.312(c)(1) (Integrity).
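To make the verify-on-read behaviour concrete, here is an added illustration (not ClaimVise code) of a SHA-256 integrity hash over a canonical JSON representation of an audit event. It goes one step beyond the page by chaining each record to the previous hash, so deletion or reordering of records is detected as well as in-place edits; the event fields and the zero genesis hash are constructed sample values.

```python
import hashlib
import hmac
import json


class AuditIntegrityError(Exception):
    """Raised when a stored audit record fails hash verification on read."""


def canonicalize(event: dict) -> bytes:
    # Canonical form: sorted keys, no insignificant whitespace, UTF-8 bytes.
    # The same event content in any key order yields identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_integrity_hash(event: dict, prev_hash: str) -> str:
    # Hash covers the previous record's hash plus the canonical event, so the
    # records form a chain (an assumption of this example, not page-stated).
    return hashlib.sha256(prev_hash.encode("ascii") + canonicalize(event)).hexdigest()


def append_audit_record(log: list, event: dict) -> dict:
    prev_hash = log[-1]["integrity_hash"] if log else "0" * 64  # genesis value
    record = {"event": event, "prev_hash": prev_hash,
              "integrity_hash": compute_integrity_hash(event, prev_hash)}
    log.append(record)
    return record


def verify_audit_record(record: dict) -> bool:
    # Recompute on read and compare in constant time.
    actual = compute_integrity_hash(record["event"], record["prev_hash"])
    return hmac.compare_digest(record["integrity_hash"], actual)


def read_audit_record(record: dict) -> dict:
    # A mismatch is surfaced as an integrity error, never silently returned.
    if not verify_audit_record(record):
        raise AuditIntegrityError("audit record hash mismatch: escalate as security incident")
    return record["event"]


def verify_audit_log(log: list) -> int:
    """Return the index of the first broken record, or -1 if the chain verifies."""
    prev_hash = "0" * 64
    for i, record in enumerate(log):
        if record["prev_hash"] != prev_hash or not verify_audit_record(record):
            return i
        prev_hash = record["integrity_hash"]
    return -1


# Constructed sample events; identifiers are placeholders, not real PHI.
SAMPLE_LOG: list = []
append_audit_record(SAMPLE_LOG, {"type": "phi_access", "actor": "user-17",
                                 "practice": "prac-3", "claim": "clm-9001"})
append_audit_record(SAMPLE_LOG, {"type": "supervisor_override", "actor": "sup-2",
                                 "claim": "clm-9001", "field": "cpt_code"})
```

A plain hash detects corruption and edits made without recomputing it; to resist a writer who can also rewrite the stored hash, the chain head should additionally be signed or anchored somewhere the audit writer cannot modify.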

Access control

All user access uses JWT-based authentication with a 60-minute token expiry. Login endpoints are rate-limited to prevent credential stuffing. We enforce a 4-layer multi-tenant isolation: System, BPO, Practice, and User. No user can access PHI belonging to another tenant under any condition.

This satisfies §164.312(a) (Access control) and §164.312(d) (Person or entity authentication).

File upload validation

Every file uploaded to the platform is validated by magic-byte signature, not by file extension. Files claiming to be PDFs that do not match the PDF magic bytes are rejected before reaching processing. This prevents extension-based attacks and ensures the file pipeline only ingests genuine clinical documents.

Administrative safeguards.

Innodel Technologies maintains documented policies covering workforce training on PHI handling, access provisioning and de-provisioning procedures, incident response, and breach notification. Active customers can request a copy of our compliance documentation package.

Physical safeguards.

All physical infrastructure runs on AWS in HIPAA-eligible regions. AWS data centers are physically secured to SOC 2, ISO 27001, and PCI DSS standards, with controlled access, surveillance, and environmental controls.

Workforce.

All Innodel Technologies personnel with potential PHI access sign individual confidentiality agreements and complete HIPAA awareness training before access is granted. We maintain a minimum-necessary access principle: developers do not access production PHI for support unless explicitly authorized for a specific incident, and all such access is logged with the same audit trail used for customer access.

Breach notification.

In the event of a security incident that may have compromised PHI, ClaimVise notifies affected customers without unreasonable delay and in no case later than 60 days from discovery, in accordance with §164.410 (Notification by a business associate). Customers retain responsibility for individual notifications to affected patients under §164.404.

Roadmap.

SOC 2 Type 2 attestation: in scope for Q1 2027. HITRUST certification: in scope for Q3 2027.

Contact.

For compliance questions, BAA execution, or to request our compliance documentation package, contact chirag@innodel.com with "HIPAA" in the subject line.