HIPAA · 45 CFR 170.315

Security & Compliance

The technical and administrative controls that back the Retinex Health certified Health IT platform.

Version 1.0 Updated 2026-05-26 Publicly accessible · No charge

Framework

Retinex Health operates as a Business Associate to HIPAA covered entities and as a certified Health IT developer under the ONC/ASTP Health IT Certification Program. Controls are designed against:

  • HIPAA Privacy Rule (45 CFR 164, Subpart E)
  • HIPAA Security Rule (45 CFR 164, Subpart C)
  • NIST SP 800-53 Rev. 5 (selected moderate-impact controls)
  • NIST SP 800-63B (digital identity)
  • ONC/ASTP HTI-1 (HIPAA + cybersecurity hygiene baseline)

Authentication

Every interactive user authenticates with two factors:

  • Password: bcrypt-hashed, complexity rules enforced.
  • TOTP code: RFC 6238, HMAC-SHA1, 6 digits, 30-second window, ±1 step drift tolerance. See the MFA documentation for the full implementation.
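The server-side half of the TOTP factor described above, as an added example in TypeScript (this is not Retinex Health's MFA code; the `lastUsedCounter` replay guard and the function names are assumptions for the example). It generates the RFC 6238 code exactly as a phone app would (HMAC-SHA1, 6 digits, 30-second step) and verifies a submitted code within a ±1-step drift window, refusing any step that has already been accepted so a captured code cannot be replayed inside the window.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  const padded = "0".repeat(digits) + String(bin % 10 ** digits);
  return padded.slice(-digits);
}

// RFC 6238 TOTP: the HOTP counter is the number of 30-second steps since the Unix epoch.
function totp(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

interface TotpVerdict {
  ok: boolean;
  counter?: number; // the step that matched; persist it per user to block replay
}

// Server-side check with +/-drift steps of tolerance and a replay guard.
// lastUsedCounter is an assumption for the example: the highest step already
// accepted for this user. A code for that step or an earlier one is refused
// even when it is still inside the drift window (RFC 6238, section 5.2).
function verifyTotp(
  secret: Buffer,
  code: string,
  unixSeconds: number,
  lastUsedCounter = -1,
  drift = 1,
  step = 30,
  digits = 6,
): TotpVerdict {
  if (code.length !== digits || !/^[0-9]+$/.test(code)) return { ok: false };
  const now = Math.floor(unixSeconds / step);
  const given = Buffer.from(code, "utf8");
  for (let d = -drift; d <= drift; d++) {
    const c = now + d;
    if (c < 0 || c <= lastUsedCounter) continue;
    const expected = Buffer.from(hotp(secret, c, digits), "utf8");
    // Constant-time comparison; both buffers are exactly `digits` bytes here.
    if (timingSafeEqual(expected, given)) return { ok: true, counter: c };
  }
  return { ok: false };
}
```

The RFC 6238 Appendix B vectors (secret `12345678901234567890`) exercise `totp` directly: at T=59 the 8-digit code is 94287082, so the 6-digit code is 287082. HMAC-SHA1 is still acceptable here because HOTP relies on HMAC's PRF property, not on SHA-1 collision resistance. The verifier must store the accepted `counter` and pass it back as `lastUsedCounter` on the next attempt, otherwise the drift window becomes a 90-second replay window.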

Service-to-service authentication uses JWTs signed with an HS256 secret rotated per environment. HS256 is symmetric: any service holding the secret can both verify and mint tokens, which is why the secret is scoped to a single environment and rotated. A verifier should pin alg=HS256 and reject tokens naming any other algorithm (including none) rather than trusting the token header, and should check the signature before reading iss, aud, or exp.
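A minimal HS256 issuer and verifier for the service-to-service tokens described above, as an added example in TypeScript using only Node's `crypto` module (this is not the platform's own JWT code; the claim names beyond the RFC 7519 registered ones, the `VerifyOptions` shape and the service names are assumptions). The verifier pins the algorithm, compares the MAC in constant time, and only then evaluates issuer, audience and expiry.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

interface Claims {
  iss?: string;
  aud?: string | string[];
  sub?: string;
  exp?: number;
  nbf?: number;
  [claim: string]: unknown;
}

function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Issuer side: the header is fixed by the issuer, never copied from input.
function signHs256(claims: Claims, secret: Buffer): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" }), "utf8"));
  const payload = b64url(Buffer.from(JSON.stringify(claims), "utf8"));
  const signingInput = `${header}.${payload}`;
  const sig = createHmac("sha256", secret).update(signingInput).digest();
  return `${signingInput}.${b64url(sig)}`;
}

interface VerifyOptions {
  issuer: string;   // expected iss
  audience: string; // this service's name; must appear in aud
  now: number;      // Unix seconds, injected so the check is deterministic
}

// Verifier side. Returns the claims on success, null on any failure.
function verifyHs256(token: string, secret: Buffer, opts: VerifyOptions): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  let header: { alg?: unknown };
  let claims: Claims;
  try {
    header = JSON.parse(fromB64url(h).toString("utf8"));
    claims = JSON.parse(fromB64url(p).toString("utf8"));
  } catch (_e) {
    return null;
  }
  if (typeof header !== "object" || header === null) return null;
  if (typeof claims !== "object" || claims === null) return null;

  // Pin the algorithm. The header is attacker-controlled; "none" or an
  // RS256 public-key-as-HMAC-secret confusion must not change how we verify.
  if (header.alg !== "HS256") return null;

  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  // Claims are only meaningful once the signature holds.
  if (claims.iss !== opts.issuer) return null;
  const aud: (string | undefined)[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.indexOf(opts.audience) === -1) return null;
  if (typeof claims.exp !== "number" || opts.now >= claims.exp) return null;
  if (typeof claims.nbf === "number" && opts.now < claims.nbf) return null;
  return claims;
}
```

Two properties matter in the verifier: the `alg` check happens before any key is used, so a token carrying `alg: none` with an empty signature is rejected outright, and the audience check stops a token minted for the lab service from being replayed against the DSI service even though both trust the same environment secret.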

Authorization (RBAC)

Authorization is enforced at the gateway by JwtAuthGuard + PermissionGuard + @ProtectModule(). Permissions are expressed as <module>:<action>. Modules in the catalog:

  • access_admin — Access Admin UI and role management
  • dsi — Decision Support Interventions
  • attachment — Patient attachments
  • toc_import — Transition of Care import
  • ehi_export — §170.315(b)(10) EHI export
  • lab — Lab module

Actions: read, write, delete, full.
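How a `<module>:<action>` permission check can be evaluated against the catalog above, as an added TypeScript example (not the platform's PermissionGuard or @ProtectModule() implementation). The module and action names come from the page; the role catalog, the HTTP-verb-to-action mapping, and the rule that only `full` implies the other actions (so `write` does not grant `read`) are assumptions made for the example. Anything outside the catalog fails closed.

```typescript
// Catalog from the page: modules and actions a permission string may name.
const MODULES = ["access_admin", "dsi", "attachment", "toc_import", "ehi_export", "lab"] as const;
const ACTIONS = ["read", "write", "delete", "full"] as const;
type Module = (typeof MODULES)[number];
type Action = (typeof ACTIONS)[number];

interface Permission {
  module: Module;
  action: Action;
}

// "<module>:<action>" -> Permission, or null for anything outside the catalog.
function parsePermission(text: string): Permission | null {
  const parts = text.split(":");
  if (parts.length !== 2) return null;
  const [m, a] = parts;
  if ((MODULES as readonly string[]).indexOf(m) === -1) return null;
  if ((ACTIONS as readonly string[]).indexOf(a) === -1) return null;
  return { module: m as Module, action: a as Action };
}

// Deny by default. Only "full" implies the other actions; "write" does not
// imply "read" (assumption: the page defines no action hierarchy).
function isAllowed(granted: readonly string[], required: string): boolean {
  const need = parsePermission(required);
  if (!need) return false; // malformed or unknown requirement: fail closed
  for (const text of granted) {
    const have = parsePermission(text);
    if (!have || have.module !== need.module) continue;
    if (have.action === "full" || have.action === need.action) return true;
  }
  return false;
}

// Stands in for what @ProtectModule() would declare on a controller.
// Assumption: HTTP verbs map to actions this way.
function requiredPermission(method: string, module: Module): string {
  const byVerb: Record<string, Action> = {
    GET: "read", HEAD: "read", POST: "write", PUT: "write", PATCH: "write", DELETE: "delete",
  };
  const action = byVerb[method.toUpperCase()];
  if (!action) throw new Error(`no permission mapping for ${method}`);
  return `${module}:${action}`;
}

// Constructed roles for the example, not the product's role catalog.
const ROLES: Record<string, readonly string[]> = {
  clinician: ["lab:read", "lab:write", "attachment:read", "attachment:write", "dsi:read"],
  records_officer: ["ehi_export:full", "toc_import:full"],
  access_admin: ["access_admin:full"],
};

// The decision PermissionGuard would make for a user with these roles on a route.
function guardDecision(roles: readonly string[], method: string, module: Module): boolean {
  const granted: string[] = [];
  for (const r of roles) granted.push(...(ROLES[r] || []));
  return isAllowed(granted, requiredPermission(method, module));
}
```

The point of `parsePermission` returning null for unknown modules is that a typo in a role definition or a route annotation ("labs:read") produces a denial rather than a silent grant, which is the failure mode you want in a guard that sits in front of PHI.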

Encryption

Each layer, with its algorithm and key management:

  • Transport. TLS 1.2+ (TLS 1.3 preferred) with ECDHE key exchange and AES-GCM cipher suites. Keys: ACME / managed certificates.
  • Database at rest. AES-256. Keys: provider-managed KMS (Azure).
  • Blob storage (attachments, exports). AES-256 SSE. Keys: Azure Storage Service Encryption.
  • EHI export archive. AES-256 with 7-Zip encrypted headers (-mhe=on). Keys: per-archive password, delivered out of band.
  • Column-level (selected tokens). AES-256-GCM. Keys: from the AES_SECRET_KEY environment variable, rotated per environment.
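The column-level AES-256-GCM layer, as an added TypeScript example of how a token column can be encrypted under a key loaded from AES_SECRET_KEY and still survive per-environment rotation (this is not Retinex Health's implementation; the stored-value format, the key-version prefix, the `KeyRing` type and the AAD string are assumptions). Each value gets a fresh 96-bit nonce, and the table/column/row identity is bound in as AAD so a ciphertext copied into another row fails to decrypt.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Version -> 32-byte key. Assumption for the example: version 1 is the key
// from AES_SECRET_KEY; on rotation the new key takes the next version and the
// old key stays in the ring for reads until every row has been re-encrypted.
type KeyRing = Map<number, Buffer>;

function loadKey(hexKey: string): Buffer {
  const key = Buffer.from(hexKey, "hex");
  if (key.length !== 32) throw new Error("AES_SECRET_KEY must be 32 bytes (64 hex chars)");
  return key;
}

// Stored format (assumption): "v<ver>.<iv>.<tag>.<ciphertext>" with base64 fields.
function encryptColumn(keys: KeyRing, version: number, plaintext: string, aad: string): string {
  const key = keys.get(version);
  if (!key) throw new Error(`no key for version ${version}`);
  const iv = randomBytes(12); // fresh 96-bit nonce per value; reuse under one key breaks GCM
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8")); // binds the value to its table/column/row
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ["v" + version, iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}

// Returns the plaintext, or null when the key version is unknown, the layout
// is wrong, or the authentication tag does not verify.
function decryptColumn(keys: KeyRing, stored: string, aad: string): string | null {
  const parts = stored.split(".");
  if (parts.length !== 4 || !/^v[0-9]+$/.test(parts[0])) return null;
  const key = keys.get(Number(parts[0].slice(1)));
  if (!key) return null;
  const iv = Buffer.from(parts[1], "base64");
  const tag = Buffer.from(parts[2], "base64");
  const ct = Buffer.from(parts[3], "base64");
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch (_e) {
    return null; // tag mismatch: tampered, wrong key, or moved to another row
  }
}
```

Carrying the key version inside the stored value is what makes "rotated per environment" operationally safe: a rotation adds a key to the ring and switches the write version, and a background job re-encrypts old rows, with no window in which existing data is unreadable. The one thing this design cannot tolerate is a repeated nonce under the same key, hence `randomBytes(12)` per call rather than a counter shared across processes.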

Audit Logging

A dedicated audit microservice records every privileged action to an append-only store. Records include actor user ID, target resource, source IP, user agent, timestamp, and outcome.

Logged events include:

  • Sign-in success / failure
  • MFA enrollment, verification, administrator reset
  • RBAC permission grants and revocations
  • EHI export (single and bulk)
  • Patient chart access (read), creation, update, deletion
  • Emergency-access (break-glass) elevations

Data Residency & Retention

  • Residency. Production data resides in Azure US-East regions by default; non-US residency is available under a Business Associate Agreement.
  • Retention. Clinical data is retained per the customer’s organization-level retention schedule; audit records are retained for a minimum of 7 years.
  • Backups. Encrypted daily snapshots with 35-day point-in-time restore.

Certifications Held

  • ONC/ASTP Health IT Certification — current
  • HIPAA Privacy & Security Rules — in scope
  • HITRUST CSF readiness — in progress
  • SOC 2 Type II — in progress