Security Model

HIPAA-compliant security architecture.

HIPAA Compliance

What IntakePilot Provides

✅ Technical Safeguards:

Field-level PHI encryption
Comprehensive audit logs (all access tracked)
Row-level security (clinic isolation)
Secure authentication (JWT tokens)
HTTPS only
Session timeouts (15 min)
Automatic logout on inactivity

✅ Administrative Safeguards:

Role-based access control
User management system
Audit log reporting
Access termination process

What You Must Provide

Your organization’s responsibility:

Sign BAA with hosting providers
Train staff on HIPAA compliance
Document security procedures
Maintain incident response plan
Conduct security risk assessments
Manage user access appropriately

Access Control

Clinic Isolation

How it works:

Every user belongs to one clinic
RLS enforces clinic_id on all queries
Users cannot see other clinics’ data
Enforced at database level (cannot be bypassed)

Exception: Superadmin role can access all clinics.

Role-Based Access

Three roles with different permissions:

Admin

All staff permissions
Add/remove users
View all audit logs
Change system settings
Delete data

Staff

Add patients
Assign forms
Review submissions
Generate AI summaries
Approve/reject intakes
View own audit logs

Referrer

View patient list
View submissions
No create/edit/delete

Encryption

In Transit

TLS 1.3 everywhere
No unencrypted connections allowed
HTTPS enforced by Cloudflare
Certificate auto-renewal

At Rest

Database encryption:

PostgreSQL encryption at rest
Encrypted backups
Encrypted snapshots

Field-level encryption:

PHI fields in JSONB
Contact information encrypted
Form data encrypted
Additional encryption layer available

Backups

Daily automated backups
7-day retention (configurable)
Encrypted at rest
Point-in-time recovery available

Authentication

JWT Tokens

Issued by Keycloak
RS256 algorithm
Short-lived (15 minutes)
Includes user_id, clinic_id, role
Validated on every request

Password Policy

Requirements:

Minimum 8 characters
Recommended: mix of letters/numbers/symbols
No reuse of last 5 passwords (future)

Storage:

Hashed with bcrypt
Never stored in plaintext
Never logged

Session Management

15-minute idle timeout
Auto-logout on timeout
Session token in sessionStorage (not localStorage)
One active session per user
Session invalidated on logout

Multi-Factor Authentication

Not yet implemented.

Coming in future version.

Audit Logging

What Gets Logged

Every action with PHI:

Who accessed what
When (timestamp)
What action (read/create/update/delete)
From where (IP address)
Using what (browser/device)
In which clinic

Log Characteristics

Immutable: Cannot be edited or deleted
Retention: 7 years (HIPAA requirement)
Access: Admin only
Export: CSV format for audits

Log Security

Append-only table
No UPDATE or DELETE permissions
Separate from operational data
RLS enforced
Regular backups

Incident Response

If PHI Breach Suspected

Document immediately
- Who discovered it
- What data potentially exposed
- When discovered
- How discovered
Preserve evidence
- Export relevant audit logs
- Save system logs
- Document timeline
Notify admin team
- Escalate immediately
- Provide documentation
- Follow incident response plan
Follow HIPAA breach notification
- Notify affected individuals (if >500)
- Notify HHS
- Document response

Breach Notification Timeline

<500 people: Annual notification to HHS
≥500 people: 60-day notification to HHS and media
Always notify affected individuals without unreasonable delay

Data Retention

Active Data

Patients: Indefinite (until explicitly deleted)
Submissions: Indefinite
Users: Until deactivated
Audit logs: 7 years minimum

Deleted Data

When data is deleted:

Marked as deleted (soft delete)
Preserved for audit trail
Not shown in UI
Can be hard-deleted after retention period

Network Security

Cloudflare Protection

DDoS protection
Web Application Firewall (WAF)
Bot protection
Rate limiting
SSL/TLS termination

IP Allowlisting

Not currently implemented.

Can be added for additional security.

API Security

Authentication

JWT required on all endpoints
Token validated on each request
Expired tokens rejected

Rate Limiting

100 requests/min per user
Tracked in KV store
429 response when exceeded

Input Validation

All inputs validated
SQL injection prevention (parameterized queries)
XSS prevention (sanitized output)
CSRF protection

CORS

Allowed origins configured
No wildcard CORS
Credentials not allowed cross-origin

Database Security

Connection Security

WebSocket over TLS
No public access
Connection string in environment only

Query Security

Parameterized queries only
No string concatenation
RLS enforced on all tables
Session context validated

User Permissions

Application user has limited permissions
No DROP or TRUNCATE
No direct admin access
All changes via migrations

Vulnerability Management

Updates

Dependencies updated monthly
Security patches applied immediately
Change log maintained

Scanning

Dependency vulnerability scanning
Code security analysis (planned)
Penetration testing (planned)

Disclosure

Security issues: Email security team
Response within 48 hours
Coordinated disclosure preferred

Compliance Checklist

For your organization:

Future Security Enhancements

Planned additions:

Multi-factor authentication (MFA)
IP allowlisting
Advanced threat detection
Anomaly detection in audit logs
Automated security alerts
SOC 2 compliance
HITRUST certification