
HIPAA Compliance

Last Updated: March 2026

NexaClaim AI is designed from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This page describes our comprehensive approach to protecting Protected Health Information (PHI) across our platform, infrastructure, and operations.

1. Administrative Safeguards

Security Management Process

NexaClaim maintains a comprehensive information security program that includes risk assessment, risk management, sanction policies, and regular information system activity reviews. Our security program is overseen by a designated Security Officer who is responsible for the development and implementation of all security policies and procedures.

Workforce Security

  • All employees complete HIPAA training upon hire and annually thereafter
  • Access to PHI is limited to workforce members whose roles require it
  • Background checks are conducted for all employees with access to PHI
  • Termination procedures include immediate revocation of all system access
  • Workforce members are subject to sanctions for non-compliance

Information Access Management

  • Role-based access controls (RBAC) limit PHI access based on job function
  • Access rights are reviewed quarterly and adjusted as roles change
  • Privileged access requires additional authorization and is logged separately
  • Multi-tenant data isolation is enforced at the database level via Postgres row-level security (RLS) policies, so tenant scoping applies to every query path rather than depending on application code alone

Security Awareness and Training

  • Mandatory HIPAA security awareness training for all employees
  • Periodic security reminders and updates on emerging threats
  • Simulated phishing exercises to test awareness
  • Procedures for reporting security incidents

Contingency Plan

  • Data backup and recovery procedures with daily automated backups
  • Disaster recovery plan with documented recovery time objectives (RTO) and recovery point objectives (RPO)
  • Emergency mode operation procedures
  • Regular testing of contingency plans

2. Physical Safeguards

As a cloud-native platform, NexaClaim does not maintain physical data centers. Our physical safeguards are implemented through our infrastructure providers:

  • Supabase (AWS): SOC 2 Type II certified data centers with 24/7 physical security, biometric access controls, CCTV surveillance, and environmental controls
  • Vercel (AWS/Cloudflare): Enterprise-grade data centers with physical access controls and environmental monitoring
  • Employee Workstations: Full-disk encryption required on all devices, automatic screen lock after 5 minutes of inactivity, and remote wipe capability for lost or stolen devices

3. Technical Safeguards

Access Control

  • Unique User Identification: Every user has a unique identifier. Shared accounts are prohibited.
  • Multi-Factor Authentication: MFA is required for all user accounts accessing PHI.
  • Automatic Logoff: Sessions expire after 15 minutes of inactivity.
  • Encryption: AES-256 encryption at rest. TLS 1.3 encryption in transit. Column-level encryption for sensitive PHI fields (patient names, dates of birth, Social Security numbers).

Audit Controls

  • Comprehensive Audit Logging: Every access to PHI generates an immutable audit log entry, including user identity, timestamp, action taken, and resource accessed.
  • Log Integrity: Audit logs are stored in append-only tables with database rules preventing modification or deletion.
  • Log Retention: Audit logs are retained for a minimum of 7 years.
  • Regular Review: Audit logs are reviewed monthly for suspicious activity and access pattern anomalies.

Integrity Controls

  • Database constraints and validation rules prevent data corruption
  • Row-level security policies ensure complete tenant isolation
  • Application-level input validation with Zod schemas
  • Automated integrity checks on imported EDI 835 (Health Care Claim Payment/Advice) remittance files
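As an added illustration of what integrity checks on an 835 import can look like (example code, not NexaClaim's parser), the TypeScript below validates the ST/SE envelope (segment count and matching control numbers, presence of a TRN trace) and the standard 835 balancing rule that BPR02, the total payment, equals the sum of the CLP04 claim payment amounts minus any provider-level (PLB) adjustments. The separators, the already-stripped ISA/GS interchange envelope, and the sample transaction with its fake identifiers are all assumptions constructed for this example.

```typescript
// Added example, not NexaClaim's importer: structural and balancing checks
// to run on an X12 835 remittance file before any of it is written to the
// database. Assumptions: segment terminator "~", element separator "*", a
// single ST/SE transaction set, and the ISA/GS interchange envelope already
// stripped. Money is handled as integer cents, never as floats.

type Segment = string[];

function parseSegments(x12: string): Segment[] {
  return x12
    .split("~")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => s.split("*"));
}

function cents(amount: string): number {
  const n = Number(amount);
  if (amount.trim() === "" || !Number.isFinite(n)) {
    throw new Error(`non-numeric amount: "${amount}"`);
  }
  return Math.round(n * 100);
}

// PLB (provider-level adjustment) carries up to six reason/amount pairs in
// PLB03..PLB14; the amounts are the even-numbered elements. A positive PLB
// amount reduces the payment, so it is subtracted in the balance check.
function plbAdjustmentCents(seg: Segment): number {
  let total = 0;
  for (let i = 4; i < seg.length; i += 2) {
    if (seg[i] !== "") total += cents(seg[i]);
  }
  return total;
}

// Returns a list of integrity findings; an empty list means the file passed.
function check835(x12: string): string[] {
  const findings: string[] = [];
  const segs = parseSegments(x12);

  // Envelope integrity: ST/SE present, segment count and control numbers agree.
  const stIdx = segs.findIndex((s) => s[0] === "ST");
  const seIdx = segs.findIndex((s) => s[0] === "SE");
  if (stIdx < 0 || seIdx < 0) return ["missing ST or SE segment"];
  const st = segs[stIdx];
  const se = segs[seIdx];
  if (st[1] !== "835") findings.push(`ST01 is ${st[1]}, expected 835`);
  const counted = seIdx - stIdx + 1;
  if (Number(se[1]) !== counted) findings.push(`SE01 says ${se[1]} segments, found ${counted}`);
  if (st[2] !== se[2]) findings.push(`control number mismatch: ST02=${st[2]} SE02=${se[2]}`);
  if (!segs.some((s) => s[0] === "TRN")) findings.push("missing TRN reassociation trace");

  // Financial integrity: BPR02 (total paid) must equal sum(CLP04) - sum(PLB adjustments).
  const bpr = segs.find((s) => s[0] === "BPR");
  if (!bpr) {
    findings.push("missing BPR segment");
    return findings;
  }
  let claimPaid = 0;
  let plbAdjust = 0;
  for (const s of segs) {
    if (s[0] === "CLP") {
      if (s[4] === undefined || s[4] === "") {
        findings.push(`CLP04 missing on claim ${s[1]}`);
        continue;
      }
      claimPaid += cents(s[4]);
    } else if (s[0] === "PLB") {
      plbAdjust += plbAdjustmentCents(s);
    }
  }
  const expected = claimPaid - plbAdjust;
  const paid = cents(bpr[2]);
  if (expected !== paid) {
    findings.push(`balance: BPR02=${paid} cents but sum(CLP04)-sum(PLB)=${expected} cents`);
  }
  return findings;
}

// Constructed sample with fake identifiers (no real payer, provider or claim).
// Three claims pay 400.00 + 0.00 + 750.00, a 50.00 PLB adjustment is withheld,
// so BPR02 must be 1100.00 and SE01 must count 11 segments (ST through SE).
const SAMPLE_835 = `
ST*835*0001~
BPR*I*1100.00*C*ACH*CCP*01*999999992*DA*123456*1512345678**01*999988880*DA*98765*20260301~
TRN*1*12345*1512345678~
N1*PR*EXAMPLE PAYER~
N1*PE*EXAMPLE PROVIDER*XX*1234567893~
CLP*CLM001*1*500.00*400.00**MC*ICN0001*11*1~
CLP*CLM002*4*300.00*0.00**MC*ICN0002*11*1~
CAS*CO*45*300.00~
CLP*CLM003*1*900.00*750.00**MC*ICN0003*11*1~
PLB*1234567893*20261231*WO*50.00~
SE*11*0001~
`;

console.log(check835(SAMPLE_835));
```

Rejecting the whole file on any finding, rather than importing the claims that look fine, is the safer default: a segment count that does not match SE01 usually means truncation or tampering somewhere between the payer and the importer, and a balance mismatch means at least one CLP04 or PLB amount cannot be trusted.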

Transmission Security

  • All data in transit is encrypted using TLS 1.3
  • API communications between services use mutual TLS and API key authentication
  • PHI transmitted to AI providers uses zero-retention API endpoints
  • No PHI is transmitted via email or unencrypted channels

4. AI-Specific HIPAA Considerations

NexaClaim uses AI extensively for denial analysis, medical coding, and appeal generation. We have implemented the following safeguards specific to AI processing of PHI:

  • Zero-Retention APIs: We use zero-retention API agreements with OpenAI and Anthropic. PHI submitted for AI inference is not stored by the provider after the response is returned and is never used for model training.
  • PHI Minimization: AI prompts include only the minimum necessary PHI required for the task. Unnecessary identifiers are redacted before transmission.
  • No PHI in Model Training: NexaClaim's AI models are never trained on identifiable PHI. All training data is de-identified and aggregated.
  • PHI Redaction in Logs: All application logs are processed through a PHI sanitization utility that redacts patient names, MRNs, dates of birth, and other identifiers before log emission.
  • Audit Trail: Every AI inference request that involves PHI generates an audit log entry recording which model was used, what data was submitted, and who initiated the request.
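To make the PHI redaction and minimization bullets above concrete, here is an added example that is not NexaClaim's sanitization utility: a two-layer log redactor in TypeScript. It assumes structured (object) log records, a fixed list of field names that always carry PHI, and a small set of identifier patterns for free text; the field names, the patterns, and the sample record with its fake PHI are all assumptions made for the example.

```typescript
// Added example (not NexaClaim's sanitization utility): redact PHI from a
// structured log record before it is emitted. Two layers are used:
//  1. field-based: keys known to carry PHI are replaced wholesale, whatever
//     their value looks like (names cannot be reliably detected by pattern);
//  2. pattern-based: free-text values get a backstop scan for identifiers
//     with a recognizable shape (SSN, US-style DOB, MRN).
// The field names and patterns below are assumptions for the example.

type LogValue =
  | string | number | boolean | null
  | LogValue[]
  | { [key: string]: LogValue };

// Keys whose values are always PHI in this (assumed) log schema.
const PHI_FIELD_NAMES: ReadonlySet<string> = new Set([
  "patientName", "patient_name", "firstName", "lastName",
  "dob", "dateOfBirth", "ssn", "mrn", "memberId", "subscriberId",
]);

// Backstop patterns for free text. ISO 8601 dates are deliberately NOT
// matched: in logs they are almost always event timestamps, so a DOB in ISO
// form must live in a named field to be caught by the field-based layer.
const TEXT_PATTERNS: ReadonlyArray<[RegExp, string]> = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],                                      // 123-45-6789
  [/\b(0?[1-9]|1[0-2])\/(0?[1-9]|[12]\d|3[01])\/(19|20)\d{2}\b/g, "[DOB]"], // 03/14/1965
  [/\b(MRN[:#\s]*)\d{6,10}\b/gi, "$1[MRN]"],                                // MRN: 00123456
];

function redactText(text: string): string {
  let out = text;
  for (const [pattern, replacement] of TEXT_PATTERNS) out = out.replace(pattern, replacement);
  return out;
}

// Walk the record recursively; returns a new value, the input is not mutated.
function sanitize(value: LogValue): LogValue {
  if (Array.isArray(value)) return value.map((v) => sanitize(v));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: LogValue } = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = PHI_FIELD_NAMES.has(key) ? "[REDACTED]" : sanitize(inner);
    }
    return out;
  }
  return typeof value === "string" ? redactText(value) : value;
}

// Serialize a sanitized record as a single JSON log line.
function toLogLine(record: { [key: string]: LogValue }): string {
  return JSON.stringify(sanitize(record));
}

// Constructed sample record with fake PHI, the kind of object a careless
// logger.info({ ...claim }) call would otherwise emit verbatim.
const SAMPLE_RECORD: { [key: string]: LogValue } = {
  event: "claim_denied",
  claimId: "CLM-1001",
  patientName: "Jane Doe",
  dob: "1965-03-14",
  payer: {
    name: "Example Payer",
    note: "SSN 123-45-6789 on file, born 03/14/1965, MRN: 00123456",
  },
};

console.log(toLogLine(SAMPLE_RECORD));
```

The field-based layer is the real control here: a regex cannot tell "Jane Doe" from "Example Payer", so anything that carries a name has to be redacted by where it sits in the schema, not by what it looks like. The pattern layer only catches identifiers that someone pasted into a free-text field, and it should be reviewed whenever a new identifier type (a payer member ID format, for instance) starts appearing in logs.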

5. Breach Notification

NexaClaim maintains a comprehensive breach notification program in compliance with 45 CFR 164 Subpart D:

  • Suspected breaches are investigated immediately upon discovery
  • Affected Covered Entities are notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as 45 CFR 164.410 requires of business associates
  • Breach notifications include identification of affected individuals, description of the breach, steps taken to mitigate harm, and recommended protective actions
  • Breach risk assessments follow the four-factor analysis required by 45 CFR 164.402
  • All breach investigations and notifications are documented and retained

6. Business Associate Agreements

NexaClaim executes Business Associate Agreements with all customers before any PHI is processed. We also maintain BAAs with all subcontractors and service providers that create, receive, maintain, or transmit PHI on our behalf. For details, see our BAA page.

7. Risk Assessment

NexaClaim conducts comprehensive risk assessments at least annually and whenever significant changes are made to our systems or operations. Our risk assessment process includes:

  • Identification of all systems that create, receive, maintain, or transmit PHI
  • Evaluation of threats and vulnerabilities to the confidentiality, integrity, and availability of PHI
  • Assessment of current security measures and their effectiveness
  • Determination of the likelihood and impact of potential risks
  • Implementation of security measures to reduce risks to reasonable and appropriate levels
  • Documentation of all findings and remediation actions

8. Certifications and Compliance Roadmap

  • HIPAA Compliance: Active. All safeguards described above are implemented and operational. HHS does not issue HIPAA certifications, so this status reflects our own implementation and risk assessment rather than a certificate.
  • SOC 2 Type II: In progress. Audit targeted for Q4 2026.
  • HITRUST CSF: Planned for 2027.
  • Penetration Testing: Conducted by third-party security firm prior to production launch and annually thereafter.

9. Contact

For questions about our HIPAA compliance program, to report a security concern, or to request a copy of our security documentation, please contact our Security and Compliance team: