HIPAA Compliance
Last updated: March 2026
1. Our Commitment to HIPAA
At Dox2Dox, HIPAA compliance is not an afterthought — it is foundational to everything we build. As a Business Associate under HIPAA, we are committed to protecting the privacy and security of Protected Health Information (PHI) entrusted to us by healthcare organizations and professionals. Our platform is designed from the ground up with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in mind, ensuring that every feature, process, and infrastructure component meets or exceeds regulatory requirements.
2. Administrative Safeguards
We maintain comprehensive administrative safeguards including:
- Security Officer: A designated Security Officer responsible for the development and implementation of our security policies and procedures
- Privacy Officer: A designated Privacy Officer responsible for the development and implementation of our privacy policies and procedures
- Workforce Training: All employees and contractors undergo comprehensive HIPAA training upon hiring and annually thereafter, with additional training for any significant policy changes
- Access Management: Role-based access controls ensure that workforce members only have access to the minimum PHI necessary to perform their job functions
- Sanction Policy: Clear policies and procedures for addressing workforce members who violate security or privacy policies
- Risk Analysis: Regular and comprehensive risk analyses to identify potential threats and vulnerabilities to ePHI
3. Physical Safeguards
- Facility Access Controls: Our infrastructure is hosted in SOC 2 Type II certified data centers with 24/7 physical security, biometric access controls, and video surveillance
- Workstation Security: All employee workstations are encrypted, require strong authentication, and are configured with automatic screen locks and remote wipe capabilities
- Device Controls: Strict policies govern the use of removable media and mobile devices. All company devices are managed through a Mobile Device Management (MDM) solution
- Media Disposal: Electronic media containing ePHI is securely wiped or physically destroyed before disposal or re-use, following NIST SP 800-88 guidelines
4. Technical Safeguards
- End-to-End Encryption: AES-256 encryption ensures that only the sender and intended recipients can read message content
- Access Controls: Unique user identification, automatic logoff, role-based permissions, and multi-factor authentication
- Audit Controls: Comprehensive logging of all system activity, including user authentication, data access, and administrative actions
- Integrity Controls: Mechanisms to verify that ePHI has not been improperly altered or destroyed, including checksums and digital signatures
- Transmission Security: TLS 1.3 for all data in transit, with certificate pinning for mobile applications
- Encryption at Rest: All stored data is encrypted using AES-256 with regularly rotated keys
5. End-to-End Encryption Details
Our end-to-end encryption implementation ensures the highest level of data protection:
- Algorithm: AES-256-GCM for symmetric encryption of message content and file transfers
- Key Exchange: Secure key exchange using modern asymmetric cryptography protocols
- Key Management: Encryption keys are generated on-device and never leave the user's device. Keys are stored in the device's secure enclave or keystore
- Perfect Forward Secrecy: Session keys are regularly rotated so that compromise of a single key does not affect past or future communications
- Zero-Knowledge Architecture: Dox2Dox servers never have access to encryption keys or plaintext message content. Even in the event of a server compromise, data remains encrypted and unreadable
6. AI Clinical Assistant & PHI
Our AI clinical assistant, Inara, is designed with privacy by default:
- No PHI Storage: Inara does not store patient-identifiable information. Queries are processed in real-time and discarded after generating a response
- No Model Training on PHI: Patient data is never used to train, fine-tune, or improve AI models
- Isolated Processing: AI processing occurs within our HIPAA-compliant infrastructure with strict network segmentation
- Audit Trail: All AI interactions are logged for compliance auditing purposes (metadata only, not content)
- User Control: Healthcare professionals maintain full control over what information, if any, they share with Inara
7. Breach Notification Procedures
In the event of a breach of unsecured PHI, Dox2Dox will:
- Investigate and contain the breach immediately upon discovery
- Notify affected Covered Entities without unreasonable delay and no later than sixty (60) days after discovery
- Provide all information required under 45 CFR § 164.410, including the nature of the breach, types of PHI involved, and steps taken to mitigate harm
- Cooperate with Covered Entities in their notification obligations to affected individuals and the HHS Secretary
- Conduct a thorough post-incident review and implement corrective actions to prevent recurrence
- Document all aspects of the breach, investigation, and response for a minimum of six (6) years
8. Business Associate Agreements
Dox2Dox enters into Business Associate Agreements (BAAs) with all Covered Entities that use our platform. We also maintain BAAs with our own subcontractors and service providers who may have access to PHI. Our BAA outlines the permitted uses and disclosures of PHI, our security obligations, breach notification procedures, and termination provisions. You can review our standard BAA on the BAA page.
9. Employee Training & Awareness
- All employees complete comprehensive HIPAA training within 30 days of hiring
- Annual refresher training is mandatory for all team members
- Role-specific training is provided for employees with access to PHI or critical systems
- Regular phishing simulations and security awareness campaigns
- Documented training records maintained for a minimum of six (6) years
10. Regular Audits & Risk Assessments
- Annual comprehensive risk assessments in accordance with the NIST Cybersecurity Framework
- Regular internal security audits and code reviews
- Annual third-party penetration testing by qualified security firms
- Continuous vulnerability scanning and patch management
- Periodic review and update of all security policies and procedures
- SOC 2 Type II certification maintained and audited annually
11. Data Backup & Disaster Recovery
- Automated, encrypted backups performed daily with geographically distributed storage
- Recovery Point Objective (RPO) of less than 24 hours and Recovery Time Objective (RTO) of less than 4 hours
- Disaster recovery plan tested and validated at least twice annually
- Multi-region infrastructure with automatic failover capabilities
- Business continuity plan reviewed and updated annually
12. Contact Information
For questions about our HIPAA compliance practices or to report a potential security concern:
Dox2Dox, Inc. — Compliance Officer
Email: compliance@dox2dox.com
Security: security@dox2dox.com
General: hello@hymnchat.com