Our HIPAA Posture
HIPAA compliance isn't a checkbox — it's an architecture decision. YourAI was designed with the assumption that every piece of data flowing through the system could be PHI, so every layer of the stack enforces the same protections whether you're a law firm or a hospital system.
BAA Availability
YourAI executes Business Associate Agreements (BAAs) with healthcare customers on Professional tier and above. Our BAA template is available for review during onboarding.
Safeguards
Technical Safeguards
AES-256 encryption at rest, TLS 1.3 in transit, per-org KMS keys, MFA via Amazon Cognito, automatic session timeout, row-level security (RLS) isolation between organizations.
Administrative Safeguards
Designated security officer, annual risk assessments, employee training, incident response procedures, vendor security reviews for all AI providers.
Physical Safeguards
AWS data centers holding SOC 2 and ISO 27001 certifications and FedRAMP authorization. Physical controls are inherited from AWS under the shared responsibility model. No on-premises data storage; all infrastructure runs in US regions.
PHI Data Flow
When a healthcare organization uses YourAI, PHI follows a strict path: it is uploaded to that organization's own encrypted S3 bucket, processed through our private AI pipeline under zero-data-retention terms with the model provider (prompts and outputs are neither stored nor used for training), and the results are stored only in the organization's isolated database partition. No PHI ever reaches shared storage, training datasets, or third-party analytics.
HIPAA Regulation Mapping
| HIPAA Section | Requirement | YourAI Implementation |
|---|---|---|
| § 164.312(a) | Access Control | 4-role RBAC with RLS, Cognito MFA, session management |
| § 164.312(c) | Integrity Controls | Immutable audit logs, S3 Object Lock, checksums on all uploads |
| § 164.312(d) | Person Authentication | Email + MFA, per-device session tokens, IP logging |
| § 164.312(e) | Transmission Security | TLS 1.3 everywhere, VPC endpoints for AWS services |
| § 164.308(a)(1) | Risk Analysis | Annual risk assessment, penetration testing, vulnerability scanning |
| § 164.310(d) | Device & Media Controls | No local storage — all data in AWS with automated lifecycle policies |
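The row-level security isolation named in the table above and in the Technical Safeguards, as an added example that is not YourAI's code or schema: a PostgreSQL table whose policy is keyed to a per-request session setting, so each organization can only read and write its own rows. The table name `documents`, the role `app_user`, the setting `app.current_org` and the sample rows are assumptions constructed for the example.

```sql
-- Added example (not YourAI's schema): tenant isolation with PostgreSQL
-- row-level security. Assumed names: table "documents", role "app_user",
-- session setting "app.current_org".

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    org_id     uuid        NOT NULL,
    filename   text        NOT NULL,
    sha256     text        NOT NULL,                 -- checksum recorded at upload
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and force it for the table owner as well, so a migration or
-- admin script connecting as the owner cannot silently read every tenant.
-- Superusers and roles with BYPASSRLS still bypass policies, so the
-- application must never connect as one of those.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK). The second
-- argument to current_setting makes a missing setting return NULL instead
-- of raising, and NULL never compares equal, so a request that forgot to
-- set its org sees no rows rather than all of them (fail closed).
CREATE POLICY org_isolation ON documents
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- Constructed sample data for two organizations, inserted with the matching
-- org set so the WITH CHECK clause accepts each row.
SET app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (org_id, filename, sha256)
VALUES ('11111111-1111-1111-1111-111111111111', 'intake-form.pdf', repeat('a', 64));
SET app.current_org = '22222222-2222-2222-2222-222222222222';
INSERT INTO documents (org_id, filename, sha256)
VALUES ('22222222-2222-2222-2222-222222222222', 'lab-results.pdf', repeat('b', 64));
RESET app.current_org;

-- Per-request pattern for the application role: SET LOCAL scopes the org to
-- the transaction, so it cannot leak to the next request on a pooled
-- connection.
SET ROLE app_user;
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
SELECT id, filename FROM documents;   -- the policy filters to the current org's rows
-- A row tagged with another org is rejected by the WITH CHECK clause,
-- which aborts the transaction:
INSERT INTO documents (org_id, filename, sha256)
VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled.pdf', repeat('c', 64));
ROLLBACK;

-- With no org set at all, the same role gets an empty result set:
BEGIN;
SELECT count(*) FROM documents;
ROLLBACK;
RESET ROLE;
```

Two checks worth running against any RLS deployment of this kind: confirm the application role is neither a superuser nor granted BYPASSRLS (`SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user'` should return false, false), and confirm every table that can hold PHI has row security enabled and forced (`SELECT relname FROM pg_class WHERE relrowsecurity AND relforcerowsecurity`). A table missed by the second query is a shared table, whatever the policy on its neighbours says.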