Trust & compliance

HIPAA readiness

Supporting covered entities and business associates who process protected health information (PHI) on the Justransform platform.

Effective: April 13, 2026

HIPAA compliance is a shared responsibility between you and your vendors. This page describes how we typically support regulated workloads. It does not constitute legal advice; confirm your use cases with counsel and execute a Business Associate Agreement (BAA) where required.

When a BAA is required

If you are a covered entity or business associate under HIPAA and you create, receive, maintain, or transmit PHI through our services, you will generally need a BAA with Justransform before putting PHI into production environments.

What we provide

  • A standardized Business Associate Agreement that allocates responsibilities for safeguarding PHI in line with the HIPAA Security and Breach Notification Rules, subject to legal review on both sides;
  • Administrative and technical safeguards appropriate to a cloud integration platform — access controls, encryption in transit, logging and monitoring, subprocessors governed by written agreements, and documented incident response procedures;
  • Assurance artifacts such as SOC 2 Type II (where available) to complement HIPAA due diligence — see SOC 2 Type II.

Your responsibilities

You are responsible for:

  • Configuring integrations so PHI is minimized, encrypted, and accessed only by authorized workforce members;
  • Maintaining accurate business associate relationships downstream (e.g. with your trading partners or subprocessors);
  • Conducting your own risk analysis and workforce training;
  • Notifying us without undue delay if you suspect unauthorized access to PHI in the services.

Next steps

To discuss HIPAA alignment or request a BAA template, contact us through "Request access" and reference "HIPAA / BAA" in your submission.