HIPAA isn't a checkbox for us — it's the foundation DocSuite was built on. Every architectural decision, every feature, every employee policy is designed to keep Protected Health Information safe.
HIPAA Compliant: Business Associate Agreement available
SOC 2 Type II: annual third-party security audit
GDPR Ready: SCCs (Standard Contractual Clauses) in place for EU data transfers
AES-256 Encrypted: AES-256-GCM encryption at rest, with keys managed in AWS KMS
TLS 1.3: transport encryption with perfect forward secrecy
ISO 27001 (AWS): certified infrastructure provider
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets national standards for the protection of patients' medical information — called Protected Health Information (PHI).
Any software platform that stores, processes, or transmits PHI on behalf of a healthcare provider is legally required to meet HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
Non-compliance carries fines of up to $1.9 million per violation category per year — and criminal penalties for wilful neglect.
Privacy Rule
Governs who can access PHI and under what circumstances — including patient rights to access their own records.
Security Rule
Requires administrative, technical, and physical safeguards to protect electronic PHI (ePHI).
Breach Notification Rule
Mandates timely notification to patients, HHS, and sometimes media in the event of a PHI breach.
Enforcement Rule
Establishes how HHS investigates complaints and imposes civil and criminal penalties for violations.
HIPAA requires protections at three levels. Here's exactly how DocSuite addresses every requirement.
Technical safeguards: 6 controls implemented
AES-256 Encryption at Rest
All PHI stored in encrypted form using AES-256-GCM. Encryption keys are rotated quarterly and managed in AWS KMS.
TLS 1.3 in Transit
Every byte of data between your browser, our servers, and third-party sub-processors travels over TLS 1.3 with perfect forward secrecy.
Unique User Authentication
Every account requires email verification and supports multi-factor authentication (MFA). Shared credentials are never permitted.
Automatic Session Timeout
Sessions automatically expire after 30 minutes of inactivity to prevent unauthorised access on shared or unattended devices.
Audit Logs
Every access to PHI is logged with user ID, timestamp, and action type. Logs are immutable, retained for 7 years, and available to administrators on request.
Emergency Access Procedure
A documented emergency access procedure ensures authorised personnel can access PHI in urgent situations while maintaining full audit trails.
Administrative safeguards: 6 controls implemented
Designated Privacy Officer
DocSuite maintains a designated HIPAA Privacy Officer responsible for overseeing policy development, staff training, and compliance.
Staff Training
All employees with access to PHI complete HIPAA privacy and security training upon hire and annually thereafter. Completion is documented and audited.
Business Associate Agreements
We execute signed BAAs with every sub-processor that handles PHI. A BAA between DocSuite and your practice is available upon request.
Access Management Policy
Strict role-based access control (RBAC) ensures employees only access data necessary for their job function. Access reviews are conducted quarterly.
Breach Notification
In the event of a breach, we will notify you within 60 days as required by the HIPAA Breach Notification Rule, and within 72 hours for breaches affecting EU residents (GDPR).
Risk Assessments
We conduct comprehensive annual risk assessments and address identified vulnerabilities through documented risk management plans.
Physical safeguards: 4 controls implemented
Secure Data Centres
All infrastructure runs on AWS data centres certified to ISO 27001, SOC 2 Type II, and HIPAA Security Rule standards, with 24/7 physical security.
Geographic Data Control
By default, PHI is stored in the US (us-east-1). Enterprise customers can elect EU (eu-west-1) or other regions to meet local data residency requirements.
Workstation Policies
All DocSuite employee workstations are encrypted, have remote wipe capability, and are managed via MDM with enforced security policies.
Visitor Access Controls
Office and data centre access requires badge authentication. Visitor access is logged and supervised at all times.
A Business Associate Agreement (BAA) is a legally required contract between you (the Covered Entity) and DocSuite (the Business Associate). It formalises our mutual HIPAA obligations. Our BAA:
Growth and Professional customers can request a BAA by emailing legal@docsuite.app. We will return a fully executed copy within 2 business days. Enterprise customers receive a BAA as part of their onboarding contract.
Every sub-processor that handles PHI has a signed BAA with DocSuite.
Amazon Web Services: cloud infrastructure & storage (HIPAA BAA signed)
Stripe: payment processing (PCI DSS Level 1 · HIPAA BAA signed)
Twilio: SMS reminders & WhatsApp (HIPAA BAA signed)
Cloudflare: CDN & DDoS protection (HIPAA BAA signed)
Postmark: transactional email (HIPAA BAA signed)
OpenAI / Anthropic: AI features, API only (DPA signed · no model training on PHI)
Every DocSuite plan is built on HIPAA-compliant infrastructure. Your data and your patients' data are protected from day one — no additional configuration required.