Introduction

Elevasis is dedicated to enhancing the administrative operations of Small to Medium-sized Business (SMB) health clinics and practices through AI-powered automation. Our proprietary platform, Agentflow, is engineered from the ground up with HIPAA compliance at its core. Agentflow empowers healthcare professionals to create, manage, and deploy secure automations for administrative tasks, ensuring that efficiency gains never compromise patient data protection. We are committed to providing solutions that meet the rigorous standards required for handling Protected Health Information (PHI).

Business Associate Agreements (BAAs)

As a partner to healthcare providers handling Protected Health Information (PHI), Elevasis understands its obligations as a Business Associate under HIPAA. We are fully prepared to enter into a Business Associate Agreement (BAA) with any covered entity (such as clinics, practices, or other healthcare providers) utilizing our services.

This agreement formally outlines our commitment and responsibilities, as well as yours, for safeguarding PHI in accordance with HIPAA regulations. Executing a BAA is a critical step in ensuring compliance when leveraging third-party services for functions involving patient data. We make this process straightforward to provide you with the necessary assurances and documentation.

Technical Safeguards: Protecting Your Data

Agentflow incorporates robust technical measures designed to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI).

Access Controls: We enforce strict access controls through Unique User Identification, Role-Based Access Control (RBAC), and granular Access Control Lists (ACLs). This ensures users only access the information necessary for their roles. Automatic logoff procedures are implemented to prevent unauthorized access from unattended sessions.

Audit Controls: Comprehensive audit logs track critical system activities, including user logins, data access (Read), modifications (Create, Update, Delete), and administrative changes, providing accountability and traceability.

Data Encryption: All data, including potential ePHI, is encrypted both in transit (using TLS 1.3) and at rest (using AES-256 or equivalent strong encryption), protecting it from unauthorized access whether it's moving across networks or stored in our systems.

Integrity Controls: Measures like database constraints, atomic transactions, and strict RBAC prevent accidental or malicious alteration or destruction of ePHI.

PHI Handling: Mechanisms are in place for users to flag data elements that constitute PHI, enabling features such as targeted redaction of those elements in system logs where appropriate.

Network Security: Critical integrations, such as with Azure OpenAI, utilize private network endpoints, ensuring sensitive data processing does not traverse the public internet and reducing the overall attack surface. Additional cybersecurity measures (e.g., CORS, rate limiting, security headers) are enforced.

Data Retention & Deletion: Secure data handling includes defined retention periods (aligned with HIPAA's 6-year requirement where applicable) and processes for secure data deletion (including soft deletion for recovery and hard deletion where appropriate).

Administrative Safeguards: Policies and Procedures

Elevasis maintains comprehensive administrative policies and procedures to ensure consistent and compliant operations:

Documented Policies: We have established and maintain key HIPAA-related policies covering areas such as Workstation Security, Access Control, Incident Response, Data Backup, Risk Analysis, Minimum Necessary access, Patient Rights, Acceptable Use, Workforce Training, and Business Associate Agreement Management.

Security Management: We are committed to ongoing Security Risk Analysis and Risk Management processes to proactively identify and mitigate potential threats and vulnerabilities to ePHI.

Workforce Training: Our team members receive training on HIPAA requirements and our internal security and privacy policies relevant to their roles (as defined in ELV-HIPAA-ADM-002).

Incident Response: A documented Incident Response Plan outlines the steps to be taken in the event of a security incident or data breach, ensuring timely detection, containment, and notification.

Business Associate Agreements (BAAs): We maintain BAAs with all necessary subcontractors (including cloud providers like Microsoft Azure, Supabase, and Google Cloud Platform) who may come into contact with PHI, ensuring they also adhere to HIPAA standards.

Physical Safeguards: Secure Infrastructure

While Elevasis operates primarily in the cloud, appropriate physical safeguards are addressed:

Cloud Provider Security: We leverage the robust physical security controls provided by our cloud partners (Microsoft Azure, Supabase, GCP) at their secure data centers. These responsibilities are outlined in our BAAs with these providers.

Workstation Security: All local workstations used to access Elevasis systems containing or managing potential ePHI are secured according to our formal Workstation Use and Security Policy (ELV-HIPAA-SEC-001).

Secure Code Management: Our platform source code is maintained in private repositories with strict access controls, MFA (where applicable), and secure coding practices to prevent embedding PHI or secrets.

Upholding Privacy Principles

Our platform and policies are designed to align with the HIPAA Privacy Rule:

Minimum Necessary: Technical controls like RBAC and ACLs, along with administrative policies, enforce the principle of limiting PHI access and use to the minimum necessary to accomplish the intended purpose.

Patient Rights: We have documented procedures (ELV-HIPAA-PRIV-002) to support our clients (Covered Entities) in fulfilling patient rights requests related to PHI handled by our systems, such as requests for access or amendment where applicable under our role as a Business Associate.

Our Ongoing Commitment

HIPAA compliance is not a one-time event but an ongoing commitment. Elevasis continuously monitors its systems, regularly reviews and updates its policies and procedures, performs periodic risk assessments, and ensures our team remains vigilant in protecting the sensitive data entrusted to us and our platform. We strive to be a trusted partner in helping healthcare practices achieve efficiency through automation while maintaining the highest standards of security and compliance.

Contact Us

For any questions about this Privacy Policy or our practices, please contact us at contact@elevasis.io.