Security and compliance are the foundation of the BillingClaw claim recovery platform. Every line of backend code, every server configuration parameter, and every clearinghouse connection pipeline is engineered to meet or exceed the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules.
1. Modern Encryption Standards
All Protected Health Information (PHI) is isolated and encrypted at every stage of the lifecycle:
- Data In Transit: Enforced HTTPS/TLS 1.3 encryption protocols for all incoming API connections, EHR integration calls, and outgoing EDI transmissions to clearinghouse gateways.
- Data At Rest: Databases and backups reside in isolated AWS instances and are encrypted with strong keys. High-risk database credentials and provider API keys are encrypted with Fernet (symmetric authenticated encryption) before they are persisted to the database.
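As an added illustration of the "data in transit" rule above (example code written for this page, not BillingClaw's own), the block below builds a server-side context for inbound API/EHR connections and a client-side context for outbound EDI transmissions, both pinned to TLS 1.3, and a small policy check that reports any context falling short of that rule. The function names and the `side` parameter are this example's own; `legacy_client_context()` is a deliberately weak configuration constructed for comparison.

```python
"""Added example (not BillingClaw code): enforce a "TLS 1.3 only" policy on both
ends of a connection and check an ssl.SSLContext against that policy."""
import ssl
from typing import List, Optional


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for inbound connections: refuse anything below TLS 1.3.

    certfile/keyfile are optional so the context can be built and checked without
    a certificate on disk; a real listener must load its certificate chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context for outbound transmissions to a clearinghouse gateway.

    create_default_context() already verifies the peer certificate and hostname;
    the minimum protocol version is additionally pinned to TLS 1.3.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed weak configuration for comparison: TLS 1.2 allowed, no peer verification."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext, side: str) -> List[str]:
    """Return the policy violations of a context ('server' or 'client'); empty means compliant."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum_version is {ctx.minimum_version.name}, policy requires TLSv1_3")
    if side == "client":
        # A client that does not verify the gateway's certificate can be intercepted.
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("client verify_mode is not CERT_REQUIRED")
        if not ctx.check_hostname:
            findings.append("client check_hostname is disabled")
    return findings


if __name__ == "__main__":
    for name, ctx, side in (("server", hardened_server_context(), "server"),
                            ("client", hardened_client_context(), "client"),
                            ("legacy", legacy_client_context(), "client")):
        print(name, tls_policy_findings(ctx, side) or "compliant")
```

Running the check against a context at startup (and failing the process if the list is non-empty) turns the policy into something that cannot drift silently through a later configuration change.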
2. Stringent Access Controls
Access to medical tables and account credentials is gated under strict "least privilege" principles and isolated role structures:
- Database Schema Isolation: Enforced absolute tenant segregation. Every Provider partner's claims, audit logs, and EHR configuration rules are physically isolated inside an independent, tenant-specific schema (`tenant_uuid`). Cross-tenant access is structurally impossible.
- Two-Factor Authentication (2FA): Mandatory 2FA for all administrative and billing console login flows, using TOTP verification codes delivered via SES email. An account is locked after 5 failed authentication attempts to prevent brute-force attacks.
- Role-Based Restriction Guards: Custom backend middleware enforces role permissions. For example, users in the `manager` role tier are programmatically blocked from rejecting claims or performing manual database writes.
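The two controls above, the TOTP second factor with its five-attempt lockout and the role guard that denies `manager` users claim rejection and manual writes, as an added example written for this page (not BillingClaw's middleware). The TOTP arithmetic follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits); the user secret store, the `SecondFactorGuard` class and the `ROLE_PERMISSIONS` allow-list are constructed here and are assumptions about how such a guard might be shaped, not the platform's actual tables.

```python
"""Added example (not BillingClaw code): TOTP verification with a 5-failure lockout
and an allow-list role guard."""
import hashlib
import hmac
import struct
from collections import defaultdict
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5   # page: access blocked after 5 failed authentication attempts
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS)


class SecondFactorGuard:
    """Verifies TOTP codes and locks an account after MAX_FAILED_ATTEMPTS failures."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets                          # constructed user -> TOTP secret store
        self._failures: Dict[str, int] = defaultdict(int)

    def is_locked(self, user: str) -> bool:
        return self._failures[user] >= MAX_FAILED_ATTEMPTS

    def verify(self, user: str, code: str, unix_time: int) -> str:
        """Return 'ok', 'invalid' or 'locked'. A locked account rejects even a correct code."""
        if self.is_locked(user):
            return "locked"
        secret: Optional[bytes] = self._secrets.get(user)
        counter = unix_time // TOTP_STEP_SECONDS
        # Accept the current and the previous step to tolerate small clock drift.
        candidates = [c for c in (counter, counter - 1) if c >= 0]
        accepted = secret is not None and any(
            hmac.compare_digest(hotp(secret, c).encode(), code.encode()) for c in candidates
        )
        if accepted:
            self._failures[user] = 0                     # success resets the failure counter
            return "ok"
        self._failures[user] += 1                        # unknown users count too (no enumeration)
        return "locked" if self.is_locked(user) else "invalid"


# Constructed allow-list: a role may perform only the actions listed for it.
# Mirrors the page's rule that `manager` cannot reject claims or write to the database manually.
ROLE_PERMISSIONS = {
    "admin":   {"view_claim", "correct_claim", "reject_claim", "manual_db_write", "submit_edi"},
    "manager": {"view_claim", "correct_claim", "submit_edi"},
}


def authorize(role: str, action: str) -> bool:
    """Least privilege: unknown roles and unlisted actions are denied."""
    return action in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    # RFC 6238 reference secret; at t=59 the 6-digit code is 287082.
    guard = SecondFactorGuard({"alice": b"12345678901234567890"})
    print(guard.verify("alice", totp(b"12345678901234567890", 59), 59))   # ok
    print(authorize("manager", "reject_claim"))                            # False
```

The page states that codes are delivered by SES email; delivery is outside this example, and the verification and lockout logic is the same whichever channel carries the code. Counting failures for unknown user IDs as well as known ones keeps the lockout from doubling as a user-enumeration oracle.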
3. Automated Immutable Audit Logging
BillingClaw maintains an active, detailed audit trail of all data read and write operations. Every claim correction, EDI submission, user login, and settings adjustment generates an audit log recording:
- The exact date and time (UTC) of the action.
- The specific user ID, administrative role, and source IP address.
- Comprehensive descriptions of what values were modified (e.g. modifier adjustments, prior auth attachments).
Audit logs are stored under write-once-read-many (WORM) storage settings that prevent alteration or deletion, preserving complete forensic integrity.
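As an added example (written for this page, not BillingClaw's logging code), the block below shapes audit records with the fields listed above and links them with SHA-256 so that an edited, re-hashed or deleted record is detected when the chain is verified. The hash chain is an assumed integrity check layered on top of the WORM storage the page describes, not a description of that storage; the event values in `sample_log()` are constructed.

```python
"""Added example (not BillingClaw code): hash-chained audit records and a verifier
that locates the first record whose contents or position no longer match."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # hash "before" the first record


@dataclass(frozen=True)
class AuditEvent:
    timestamp_utc: str   # ISO-8601 in UTC, as the page requires
    user_id: str
    role: str
    source_ip: str
    action: str          # e.g. claim_correction, edi_submission, login, settings_change
    details: str         # what values were modified


def utc_now_iso() -> str:
    return datetime.now(timezone.utc).replace(microsecond=0).isoformat()


class AuditLog:
    """Append-only in memory; each record stores the previous record's hash."""

    def __init__(self) -> None:
        self._records: List[Dict[str, str]] = []

    @staticmethod
    def digest(prev_hash: str, body: str) -> str:
        return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()

    def append(self, event: AuditEvent) -> str:
        prev_hash = self._records[-1]["hash"] if self._records else GENESIS
        body = json.dumps(asdict(event), sort_keys=True, separators=(",", ":"))  # canonical form
        record = {"prev": prev_hash, "body": body, "hash": self.digest(prev_hash, body)}
        self._records.append(record)
        return record["hash"]

    def __len__(self) -> int:
        return len(self._records)

    def records(self) -> List[Dict[str, str]]:
        """Copies of the stored records, e.g. what a reader (or a tamperer) sees on disk."""
        return [dict(r) for r in self._records]

    @staticmethod
    def verify(records: List[Dict[str, str]]) -> Tuple[bool, Optional[int]]:
        """Walk the chain; (True, None) if intact, else (False, index of the first bad record)."""
        prev_hash = GENESIS
        for i, rec in enumerate(records):
            if rec["prev"] != prev_hash or AuditLog.digest(rec["prev"], rec["body"]) != rec["hash"]:
                return False, i
            prev_hash = rec["hash"]
        return True, None


def sample_log() -> AuditLog:
    """Constructed sample: three events from one billing session."""
    log = AuditLog()
    log.append(AuditEvent("2024-05-01T14:02:11+00:00", "u-1042", "admin", "203.0.113.7",
                          "login", "2FA verified"))
    log.append(AuditEvent("2024-05-01T14:05:40+00:00", "u-2201", "manager", "203.0.113.9",
                          "claim_correction", "modifier 25 added to service line 2"))
    log.append(AuditEvent("2024-05-01T14:06:02+00:00", "u-2201", "manager", "203.0.113.9",
                          "edi_submission", "837P resubmitted with prior-auth attachment"))
    return log


if __name__ == "__main__":
    log = sample_log()
    print(AuditLog.verify(log.records()))          # (True, None)
    tampered = log.records()
    tampered[1]["body"] = tampered[1]["body"].replace("manager", "admin")
    print(AuditLog.verify(tampered))               # (False, 1)
```

The chain catches edits and deletions inside the log, but trimming records off the tail leaves a chain that still verifies; that is the gap WORM storage closes, and anchoring the latest hash in the immutable store (or in a separate record) lets a verifier detect truncation as well.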
4. Incident Response & Monitoring
We run real-time security logging and performance anomaly alerting. In the highly unlikely event of a potential security incident, our dedicated Security Incident Response Team (SIRT) immediately engages in:
- Systematic containment and mitigation of potential database anomalies.
- Forensic analysis of immutable audit logs to determine the exact scale of the event.
- Execution of all notification requirements under HIPAA breach notification rules within contractual timelines.
5. Employee Training & Administrative Policies
BillingClaw personnel never have direct access to patient health data. Our administrative policies require:
- Mandatory annual HIPAA privacy and cybersecurity training for all staff members.
- Comprehensive background checks prior to onboarding new engineers or system operators.
- Strict enforcement of isolated sandbox databases for development and staging purposes. Production medical data is never accessible in test systems.
6. Compliance Verification
For further details on our security posture, standard BAA documentation, or compliance certifications, please contact our HIPAA officer at:
BillingClaw Compliance Office
Email: hello@billingclaw.io