A signed BAA, zero-retention mode, immutable audit logs, and a breach-notification workflow we actually rehearse. Everything a covered entity or business associate needs to use SmartScanPro for regulated workloads.
We execute BAAs with covered entities and with business associates who are themselves acting on behalf of a covered entity. Our standard BAA tracks the OCR model agreement and has been reviewed by privacy counsel at several top-10 US health systems.
The BAA covers permitted uses and disclosures, safeguards, reporting, subcontractor obligations, PHI return or destruction on termination, breach notification within 24 hours of discovery, and compliance audit rights. No surprise carve-outs.
Every piece of PHI that enters our system is encrypted in transit, encrypted at rest, scoped to your workspace, and purged on the schedule you configured — without exception.
PHI enters over TLS 1.3 at a region-pinned load balancer (us-east-1 or eu-west-1). Request bodies are decrypted only inside the scan worker's memory and are never logged in plaintext.
Vitals extraction and OCR run in stateless workers that hold the payload for the duration of the call and nothing longer. Workers run in private subnets with no egress to the public internet except the return path to your caller.
If you have retention enabled, the extracted JSON is stored in a per-tenant Postgres schema with AES-256 encryption and per-row envelope encryption for PHI columns. Raw images, if retained, go to a per-tenant S3 prefix.
Default 30 days on paid tiers. Zero-retention mode is available — the scan result is streamed back, nothing is persisted. Custom TTLs from 1 hour to 7 years can be configured at the workspace level.
Deletion is cryptographic where we can (the per-record data key is destroyed, so any ciphertext still sitting in a backup is unrecoverable) and physical where we can't. Records marked for deletion are cleared from live storage within 15 minutes and purged from encrypted backups within 30 days.
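As an added illustration of the envelope-encryption, TTL and cryptographic-deletion claims above (example code, not SmartScanPro's implementation), the following Python models a storage layer that wraps a fresh per-row data key under a tenant key, binds tenant, record id and expiry into the authenticated data, refuses reads once the TTL has passed, and deletes by destroying the wrapped key. The KMS (a dict) and the AEAD (an HMAC-based encrypt-then-MAC construction standing in for AES-256-GCM) are stand-ins so the file runs on the standard library; every name, key and sample record in it is assumed.

```python
"""Per-row envelope encryption, TTL enforced in the storage layer, and deletion by
key shredding. Added illustration, not SmartScanPro code. Two stand-ins keep it on
the standard library: the KMS is a dict of per-tenant key-encryption keys (KEKs), and
the AEAD is an HMAC-SHA256 counter-mode keystream plus HMAC tag (encrypt-then-MAC)
in place of AES-256-GCM. The construction, not the primitive, is the point.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Returns nonce(16) | ciphertext | tag(32). aad is authenticated, not encrypted."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class Row:
    tenant: str
    wrapped_dek: Optional[bytes]   # None once shredded; the ciphertext is then unrecoverable
    ciphertext: bytes
    expires_at: int

class RecordStore:
    """Storage layer: tenant scoping, TTL and deletion are enforced here, below the app."""

    def __init__(self, kms: Dict[str, bytes], clock: Callable[[], int]):
        self.kms, self.clock = kms, clock
        self.rows: Dict[str, Row] = {}

    @staticmethod
    def _aad(tenant: str, record_id: str, expires_at: int) -> bytes:
        # Binding tenant, id and expiry into the AAD means a row cannot be re-homed
        # to another tenant or given a longer life by editing its metadata.
        return f"{tenant}|{record_id}|{expires_at}".encode()

    def put(self, tenant: str, record_id: str, phi: bytes, ttl_seconds: int) -> None:
        dek = os.urandom(32)                                  # fresh data key per row
        expires_at = self.clock() + ttl_seconds
        aad = self._aad(tenant, record_id, expires_at)
        wrapped = aead_seal(self.kms[tenant], dek, aad)       # DEK wrapped under the tenant KEK
        self.rows[record_id] = Row(tenant, wrapped, aead_seal(dek, phi, aad), expires_at)

    def get(self, tenant: str, record_id: str) -> bytes:
        row = self.rows[record_id]
        if row.tenant != tenant:
            raise PermissionError("cross-tenant read refused")
        if row.wrapped_dek is None:
            raise KeyError("record deleted")
        if self.clock() >= row.expires_at:
            row.wrapped_dek = None                            # TTL hit: shred on the way out
            raise KeyError("record expired")
        aad = self._aad(tenant, record_id, row.expires_at)
        dek = aead_open(self.kms[tenant], row.wrapped_dek, aad)
        return aead_open(dek, row.ciphertext, aad)

    def delete(self, record_id: str) -> None:
        self.rows[record_id].wrapped_dek = None   # crypto-shred: ciphertext left in backups is noise

def _outcome(fn: Callable[[], bytes]) -> str:
    try:
        fn()
        return "read"
    except (PermissionError, KeyError) as exc:
        return exc.args[0]

def demo() -> dict:
    kms = {"tenant-a": os.urandom(32), "tenant-b": os.urandom(32)}   # constructed KEKs
    now = [1_700_000_000]                                             # injectable clock
    store = RecordStore(kms, clock=lambda: now[0])
    phi = b'{"hr": 72, "bp": "118/76"}'                               # constructed vitals JSON
    store.put("tenant-a", "scan-1", phi, ttl_seconds=3600)
    store.put("tenant-a", "scan-2", phi, ttl_seconds=3600)
    out = {"live": store.get("tenant-a", "scan-1") == phi}
    out["cross_tenant"] = _outcome(lambda: store.get("tenant-b", "scan-1"))
    store.delete("scan-2")
    out["after_delete"] = _outcome(lambda: store.get("tenant-a", "scan-2"))
    now[0] += 3601                                                    # clock passes the TTL
    out["after_ttl"] = _outcome(lambda: store.get("tenant-a", "scan-1"))
    out["dek_shredded"] = store.rows["scan-1"].wrapped_dek is None
    return out
```

demo() walks the four cases a reviewer asks about: a live read succeeds, a read under another tenant's identity is refused, a deleted row is unreadable while its ciphertext still exists, and a row becomes unreadable the moment the clock passes its TTL. Putting expires_at inside the AAD is the detail worth copying: an attacker with write access to the row metadata cannot extend a record's life, because the tag no longer verifies.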
We ask only for the fields the API needs to answer your request. Patient identifiers you attach are opaque to us — you pick the format, we store it as a string, we never attempt to link it to anything external.
Three built-in modes cover the common HIPAA workflows. Pick one per workspace, override per request if you need to.
Strictest. The request body and all derived data are discarded the moment the response is sent. Nothing is written to disk. The audit log records the call without its content.
Flexible. Keep PHI for a finite window (1 hour to 7 years) to support asynchronous workflows or retrospective review. The TTL is enforced at the storage layer, so expired records are unreadable even if a bug in the application asks for them.
Research. For research and population-health use cases we strip all 18 HIPAA identifiers per the Safe Harbor method in 45 CFR 164.514(b)(2) before storage. Provided there is no actual knowledge that the remaining data could identify an individual, the resulting dataset is no longer PHI and can be used for analytics inside your workspace.
Audit logs are append-only, cryptographically signed, and replicated to a write-once-read-many object store. We retain them for 7 years by default to cover the longest HIPAA documentation obligation.
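Added example for the Research mode above (not SmartScanPro's code; the field names and the sample records are constructed): a Safe Harbor pass over one scan result. It works from an allowlist, so any field the code does not recognise, including a free-text note, is dropped rather than passed through. It also handles the two edge cases most often missed: the 17 three-digit ZIP prefixes that must collapse to 000, and patients over 89, whose age is aggregated to 90+ and whose birth year is removed because the year alone would reveal it.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of one scan-result record.
Added example, not SmartScanPro's code; the field names are assumptions.
Allowlist design: a field is kept only if the code knows it is safe, so a new
field such as a free-text note is dropped rather than leaked. The rule's second
condition (no actual knowledge that the remainder could identify the person)
is a human judgement this code cannot make.
"""
from datetime import date
from typing import Any, Dict, List, Tuple

# 3-digit ZIP prefixes with 20,000 or fewer residents (HHS Safe Harbor guidance): must become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
KEEP_AS_IS = {"state", "sex", "scan_type", "vitals"}   # not among the 18 identifiers
DATE_FIELDS = {"dob", "scan_date"}                    # every date element but the year goes
AGE_LIMIT = 89                                        # ages above this aggregate to 90+


def zip3(zip_code: str) -> str:
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, ref: date) -> int:
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(record: Dict[str, Any], reference: date) -> Tuple[Dict[str, Any], List[str]]:
    """Returns (de-identified record, names of the fields that were removed)."""
    out: Dict[str, Any] = {}
    dropped: List[str] = []
    over_limit = "dob" in record and age_on(record["dob"], reference) > AGE_LIMIT
    for field, value in record.items():
        if field in KEEP_AS_IS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = zip3(value)
        elif field in DATE_FIELDS:
            if field == "dob" and over_limit:
                dropped.append(field)               # even the birth year would reveal age > 89
            else:
                out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = f"{AGE_LIMIT + 1}+" if value > AGE_LIMIT else value
        else:
            dropped.append(field)                   # name, MRN, phone, notes, anything unknown
    if over_limit:
        out["age"] = f"{AGE_LIMIT + 1}+"            # dob said so even if no age field was sent
    return out, dropped


def demo() -> Dict[str, Tuple[Dict[str, Any], List[str]]]:
    ref = date(2024, 3, 9)
    elderly = {                                     # constructed sample, not real PHI
        "name": "Jane Q. Sample", "mrn": "MRN-0042", "phone": "+1-555-0100",
        "dob": date(1931, 7, 4), "age": 92, "sex": "F", "zip": "03601", "state": "NH",
        "scan_date": ref, "scan_type": "vitals", "vitals": {"hr": 72, "bp": "118/76"},
        "notes": "Lives at 12 Elm St with daughter.",
    }
    adult = dict(elderly, dob=date(1980, 1, 15), age=44, zip="94103")
    return {"over_89": safe_harbor(elderly, ref), "under_89": safe_harbor(adult, ref)}
```

The returned list of dropped fields is worth logging (field names only, never values): it is how you notice that an upstream integration has started sending a new identifier you did not plan for.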
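An added sketch of the append-only, signed audit log described above, and of the Strictest mode's promise that the log records the call but not its content (example code, not SmartScanPro's implementation; the signing key, field names and sample calls are constructed). Each entry carries a SHA-256 link to its predecessor and an HMAC over its own fields; verify() walks the chain and returns the position of the first entry that was edited, reordered or removed. It deliberately does not detect truncation at the tail, because no chain can on its own; that is what the write-once store, or a published head hash, is for.

```python
"""Append-only audit log: each entry links to its predecessor by SHA-256 and is
HMAC-signed under a key the application never sees. Added illustration, not
SmartScanPro's implementation. Entries record who called what and when plus a
digest of the request body, never the body itself, so the log holds no PHI.
Key handling, field names and the sample calls are assumptions.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def _dumps(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    GENESIS = "0" * 64                    # link value for the first entry

    def __init__(self, signing_key: bytes):
        self._key = signing_key           # held by the log service, not by the application
        self.entries: List[Dict] = []

    def _sign(self, entry: Dict) -> str:
        unsigned = {k: v for k, v in entry.items() if k != "sig"}
        return hmac.new(self._key, _dumps(unsigned), hashlib.sha256).hexdigest()

    @staticmethod
    def _link(entry: Dict) -> str:
        return hashlib.sha256(_dumps(entry)).hexdigest()   # over the full signed entry

    def append(self, workspace: str, actor: str, action: str, ts: int, request_body: bytes) -> Dict:
        entry = {
            "seq": len(self.entries), "ts": ts, "workspace": workspace,
            "actor": actor, "action": action,
            "body_sha256": hashlib.sha256(request_body).hexdigest(),  # digest only, never content
            "prev": self._link(self.entries[-1]) if self.entries else self.GENESIS,
        }
        entry["sig"] = self._sign(entry)
        self.entries.append(entry)
        return entry

    def verify(self, entries: Optional[List[Dict]] = None) -> Optional[int]:
        """Index of the first entry that breaks the chain, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries if entries is None else entries):
            if e.get("seq") != i or e.get("prev") != prev:
                return i                                   # reordered, or a gap before it
            if not hmac.compare_digest(e.get("sig", ""), self._sign(e)):
                return i                                   # fields edited after signing
            prev = self._link(e)
        return None


def demo() -> Dict[str, object]:
    log = AuditLog(signing_key=b"constructed-signing-key-not-for-production")
    body = b'{"image": "<jpeg bytes>", "patient_ref": "opaque-7781"}'   # constructed request
    log.append("ws-42", "svc:intake", "scan.create", 1_700_000_000, body)
    log.append("ws-42", "user:dr.lee", "scan.read", 1_700_000_060, b"")
    log.append("ws-42", "svc:retention", "scan.purge", 1_700_003_600, b"")
    edited = copy.deepcopy(log.entries)
    edited[1]["actor"] = "user:someone-else"
    e = log.entries
    return {
        "intact": log.verify(),
        "edited": log.verify(edited),
        "reordered": log.verify([e[0], e[2], e[1]]),
        "deleted_middle": log.verify([e[0], e[2]]),
        "truncated": log.verify(e[:2]),              # None: the chain alone cannot see tail loss
        "phi_in_log": any(b"opaque-7781" in _dumps(x) for x in e),
    }
```

The phi_in_log check in demo() is the test to keep in CI: grep the serialised log for a value that was in the request and fail the build if it appears. The truncated case is the caveat: append-only plus signatures proves nothing about entries that were never written or were dropped from the tail, which is why the head hash has to land somewhere the log service cannot rewrite.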
On discovery of a suspected breach we notify affected covered entities within 24 hours, well inside the 60-calendar-day outer limit HIPAA sets for business associates (45 CFR 164.410(b)). Notification includes scope, affected records, remediation, and the postmortem timeline.
Every SmartScanPro employee and long-term contractor completes HIPAA training on hire and annually thereafter. Role-specific training (engineering, support, customer success) is layered on top. Completion is tracked and audit-ready.
Quarterly formal risk analysis per 45 CFR 164.308(a)(1)(ii)(A), with asset inventory, threat modelling, likelihood-impact scoring, and a remediation plan. The summary report is available to BAA customers under NDA.
Tell us a little about your workload and we'll send our standard BAA for your counsel to review. If you have your own paper, attach it and we'll redline.