HIPAA Compliance
ReasonTele is designed from the ground up to meet and exceed HIPAA requirements. We implement comprehensive technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of protected health information.
Technical Safeguards
Our platform implements multiple layers of technical controls to protect PHI throughout its lifecycle.
Encryption at Rest
All data is encrypted at rest using AES-256. Database storage, file attachments, backups, and logs are encrypted with keys managed through AWS Key Management Service (KMS).
Encryption in Transit
All network traffic is encrypted with TLS 1.3. Video streams use SRTP for end-to-end media encryption. Internal service-to-service communication uses mutual TLS.
Access Controls
Role-based access control (RBAC) ensures users only access data necessary for their role. Permissions are defined per facility, service line, and function.
Multi-Factor Authentication
MFA is required for all platform users. We support TOTP (authenticator apps) and WebAuthn (hardware security keys like YubiKey) for strong authentication.
Audit Logging
Every action on the platform is logged with timestamps, user identity, IP address, and action details. Audit logs are immutable and retained for a minimum of six years.
Session Management
Sessions automatically expire after configurable inactivity periods. Concurrent session limits prevent unauthorized sharing. Emergency session termination is available for administrators.
Network Security
The platform runs in a private VPC with network segmentation. Public-facing endpoints are protected by WAF rules and DDoS mitigation. All ingress and egress traffic is monitored.
Vulnerability Management
We perform continuous vulnerability scanning, dependency auditing, and regular penetration testing. Critical vulnerabilities are patched within 24 hours of identification.
Data Backup & Recovery
Automated encrypted backups are performed daily with point-in-time recovery capability. Backups are stored in a separate AWS region for disaster recovery.
Administrative Safeguards
Technical controls alone are not sufficient. We maintain rigorous administrative policies and procedures to ensure compliance across our organization.
Business Associate Agreement (BAA)
We execute a BAA with every healthcare facility customer before any PHI is transmitted through the platform. Our BAA defines obligations, permitted uses, breach notification procedures, and termination requirements in compliance with 45 CFR 164.502(e) and 164.504(e).
Employee Training
All ReasonTele employees complete HIPAA training upon hire and annually thereafter. Training covers the Privacy Rule, Security Rule, and Breach Notification Rule, as well as company-specific policies and incident response procedures.
Incident Response
We maintain a documented incident response plan that includes identification, containment, eradication, and recovery procedures. In the event of a breach involving PHI, we comply with the HIPAA Breach Notification Rule, including notification to affected individuals, the HHS Secretary, and media outlets when required.
Risk Analysis
We conduct a comprehensive security risk analysis annually, identifying threats and vulnerabilities to PHI, assessing the likelihood and impact of each risk, and implementing appropriate mitigations. Risk analysis findings are reviewed by leadership and drive our security improvement roadmap.
Workforce Clearance
All employees with access to PHI undergo background checks. Access to production systems is limited to essential personnel and reviewed quarterly. Terminated employees have access revoked immediately.
Vendor Management
All third-party vendors that may access PHI are evaluated for HIPAA compliance. We execute BAAs with subcontractors and review their security posture annually. Our primary infrastructure provider (AWS) maintains HIPAA eligibility and SOC 2 Type II certification.
Physical Safeguards
ReasonTele infrastructure is hosted entirely on Amazon Web Services, which provides robust physical security controls for its data centers.
AWS SOC 2 Type II
Our infrastructure runs on AWS, which maintains SOC 2 Type II certification, demonstrating the effectiveness of security controls over an extended audit period.
HITRUST CSF
AWS data centers are HITRUST CSF certified, the most widely adopted healthcare security framework in the industry.
Data Center Security
AWS data centers feature multi-layer physical security including perimeter fencing, security guards, biometric access, video surveillance, and environmental controls.
Geographic Controls
All PHI is stored and processed within US-based AWS regions. Data does not leave the United States. Customers can specify the AWS region for their data.
Compliance Summary
HIPAA: full compliance with the Privacy, Security, and Breach Notification Rules
Infrastructure: hosted on AWS, which maintains SOC 2 Type II certification
Business Associate Agreement: executed with every customer before any PHI is transmitted
Penetration testing: annual third-party penetration testing
Request Our Business Associate Agreement
Ready to evaluate ReasonTele for your organization? Contact us to receive our standard BAA and discuss your compliance requirements.