Legal

HIPAA Compliance

How AMAH approaches HIPAA, the BAA we sign with customers, and the safeguards we apply to PHI on the platform.

Effective date: May 2, 2026

Placeholder notice: this document is scaffolding while counsel finalizes the real text. Don't rely on specific provisions until this banner is removed.

1. Our role

When AMAH processes Protected Health Information (PHI) on behalf of a covered entity or business associate, AMAH acts as a business associate under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (the HIPAA Rules).

2. Business Associate Agreement

AMAH offers a Business Associate Agreement (BAA) to customers who store or transmit PHI through the platform. The BAA is signed before go-live and is required for any production use that involves PHI.

Our standard BAA covers the use, disclosure, and safeguarding of PHI, breach notification obligations, subcontractor flow-down, and termination obligations consistent with HIPAA.

3. Administrative safeguards

Designated Security Official with documented responsibility for the AMAH security program.

Workforce security policies including background checks, role-based access, and revocation of system access within one business day of offboarding.

Documented incident response plan with periodic tabletop exercises.

Annual privacy and security training for personnel with access to PHI or PHI systems.

4. Technical safeguards

Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256), covering the database, file storage, and backups.

Authentication via password + MFA, with optional SSO (SAML / OIDC) for enterprise customers.

Authorization enforced at API and UI layers using a 9-role RBAC model with audit-trailed permission grants.

Immutable audit logging on actions touching PHI, queryable through an Auditor role.

5. Physical safeguards

Production infrastructure runs on cloud providers with SOC 2 Type II and HITRUST attestations.

Workforce access to PHI requires AMAH-managed devices with disk encryption and remote-wipe capability.

6. Breach notification

If a breach involving PHI occurs, AMAH will notify affected customers without unreasonable delay, and in no case later than the timelines required by the BAA and applicable law.

7. Subcontractors

AMAH uses a small set of subcontractors (cloud hosting, email delivery, monitoring) who receive PHI only as necessary to provide their services. All such subcontractors are bound by written agreements with terms substantially similar to our BAA.

Need a BAA? Email security@amah.com with your legal contact and we'll send a draft for review.