
HIPAA Compliance

Devotel provides HIPAA-ready infrastructure for organizations that handle Protected Health Information (PHI) through communication channels. This document describes the technical and administrative controls implemented when HIPAA mode is enabled.

Overview

HIPAA mode is a per-organization feature flag that activates a set of enhanced security controls:
  1. PHI Encryption at Rest — Message content encrypted with AES-256-GCM
  2. Access Controls — PHI access restricted to designated roles
  3. Audit Logging — All PHI access logged with reason codes
  4. Data Retention — Automatic deletion after configured retention period
  5. BAA Tracking — Business Associate Agreement status management

Prerequisites

Before enabling HIPAA mode, organizations must:
  1. Sign a Business Associate Agreement (BAA) with Devotel
  2. Have an active subscription on the Business or Enterprise plan
  3. Designate a HIPAA compliance officer within their team

Technical Controls

1. Encryption at Rest (AES-256-GCM)

When HIPAA mode is enabled, all message body content is encrypted at the application layer before storage using AES-256-GCM:
  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Management: Per-organization encryption keys derived from the org’s tenant secret and stored in GCP Secret Manager
  • Nonce: Unique 96-bit nonce generated for each encryption operation
  • Authentication Tag: 128-bit authentication tag appended to ciphertext for integrity verification
  • Scope: Applies to message body, media_url, and any custom metadata fields marked as PHI
This encryption is in addition to Google Cloud’s default encryption at rest (AES-256 managed by Google).
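The following Go program is an added illustration of the scheme the bullets above describe; it is not Devotel's code, and the tenant secret, org ID, salt and info labels it uses are constructed for the example. It derives a per-organization AES-256 key from a tenant secret with HKDF-SHA256 (built from the standard library's HMAC), seals a message field with AES-256-GCM using a fresh 96-bit nonce and a 128-bit tag, and binds the record ID and field name in as associated data so that a ciphertext copied into another message or column fails authentication rather than decrypting. Whether the production service binds associated data in this way is an assumption of the example; the page only specifies the cipher, nonce and tag sizes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample secret for the example. In the service described above
// the tenant secret lives in GCP Secret Manager, never in source code.
var sampleTenantSecret = []byte("constructed-tenant-secret-for-org_abc123")

// deriveOrgKey derives a 256-bit per-organization data key from the tenant
// secret with HKDF-SHA256 (RFC 5869 extract-then-expand) built from HMAC.
// Binding orgID into the info string gives each organization a distinct key
// even if a tenant secret were ever shared.
func deriveOrgKey(tenantSecret []byte, orgID string) []byte {
	// Extract: PRK = HMAC-SHA256(salt, IKM). The salt is a fixed public label.
	extract := hmac.New(sha256.New, []byte("devotel-hipaa-phi-key-v1"))
	extract.Write(tenantSecret)
	prk := extract.Sum(nil)
	// Expand: OKM = HMAC-SHA256(PRK, info || 0x01). One 32-byte block is
	// exactly one AES-256 key, so a single expand step is enough.
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("phi-data-key:" + orgID))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag (Go's defaults)
}

// sealPHI encrypts one PHI field. Stored layout: nonce (12 bytes) ||
// ciphertext || tag (16 bytes). Record ID and field name are the associated
// data, so the blob is tied to exactly one message and one column.
func sealPHI(key []byte, messageID, field string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per operation
		return nil, err
	}
	aad := []byte(messageID + ":" + field)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openPHI reverses sealPHI and fails on tampering, truncation, a wrong key,
// or a mismatched record ID / field name.
func openPHI(key []byte, messageID, field string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(messageID+":"+field))
}

func main() {
	key := deriveOrgKey(sampleTenantSecret, "org_abc123")
	body := []byte("Patient reports chest pain; see attached ECG.") // constructed PHI
	blob, err := sealPHI(key, "msg_def456", "body", body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(blob), len(body))

	got, err := openPHI(key, "msg_def456", "body", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, body))

	_, err = openPHI(key, "msg_def456", "media_url", blob) // moved to another column
	fmt.Println("rebinding to another field rejected:", err != nil)

	tampered := append([]byte(nil), blob...)
	tampered[12] ^= 0x01 // flip one ciphertext bit; the tag catches it
	_, err = openPHI(key, "msg_def456", "body", tampered)
	fmt.Println("tampering rejected:", err != nil)
}
```

The nonce is generated per call from crypto/rand, which is what "unique 96-bit nonce per encryption operation" requires; a counter or any value derived from the record would need its own uniqueness guarantee across replicas and restarts.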

2. Access Controls

PHI access is restricted based on role assignments:
Role        PHI Access    Notes
owner       Full access   Can enable/disable HIPAA mode
admin       Full access   Can view PHI access logs
developer   Restricted    Access requires a reason code
viewer      No access     Cannot view message content when HIPAA mode is active
billing     No access     Cannot view message content
When a user with the developer role accesses PHI, they must provide a reason code selected from:
  • treatment — Access required for patient treatment coordination
  • payment — Access required for payment processing
  • operations — Access required for healthcare operations
  • legal — Access required for legal compliance
  • support — Access required for customer support resolution

3. PHI Access Audit Log

Every access to PHI-containing data generates an audit log entry:
{
  "id": "phi_abc123",
  "userId": "usr_xyz789",
  "resource": "message:msg_def456",
  "reason": "treatment",
  "accessedAt": "2026-04-02T10:30:00Z"
}
The PHI access log:
  • Is append-only and cannot be modified or deleted
  • Retains up to 10,000 entries per organization; once the cap is reached the oldest entries are automatically rotated out. Organizations with high PHI access volume should therefore export the log on a schedule, since rotated entries are not recoverable from the platform
  • Is accessible to owner and admin roles via the dashboard or API
  • Can be exported for external compliance audits
API Endpoint: GET /api/v1/settings/hipaa/phi-access-log
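The Go program below is an added example, not Devotel's implementation, of the enforcement that sections 2 and 3 describe together: the role table, the developer reason-code requirement, and an append-only PHI access log with the 10,000-entry rotation. The entry IDs, user IDs and resource names are constructed. Two details are this example's own choices rather than anything the page states: unknown roles are denied (fail closed), and denied attempts are not written to the PHI access log because the page only specifies logging of access.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// PHI access level per role, as in the table in section 2.
var phiAccessByRole = map[string]string{
	"owner":     "full",
	"admin":     "full",
	"developer": "restricted", // must supply a reason code
	"viewer":    "none",
	"billing":   "none",
}

// The five reason codes the page defines.
var reasonCodes = map[string]bool{
	"treatment": true, "payment": true, "operations": true, "legal": true, "support": true,
}

// PHIAccessEntry mirrors the JSON audit record shown in section 3.
type PHIAccessEntry struct {
	ID         string
	UserID     string
	Resource   string
	Reason     string
	AccessedAt time.Time
}

// PHIAccessLog is append-only by construction: the slice is unexported and the
// type has no update or delete method. When the per-organization cap is
// reached, the oldest entry is rotated out.
type PHIAccessLog struct {
	entries []PHIAccessEntry
	max     int
	seq     int
}

func NewPHIAccessLog(max int) *PHIAccessLog { return &PHIAccessLog{max: max} }

func (l *PHIAccessLog) append(e PHIAccessEntry) {
	if len(l.entries) >= l.max {
		l.entries = l.entries[1:] // rotate the oldest entry
	}
	l.entries = append(l.entries, e)
}

// Entries returns a copy so callers cannot mutate the log through the slice.
func (l *PHIAccessLog) Entries() []PHIAccessEntry {
	return append([]PHIAccessEntry(nil), l.entries...)
}

var (
	ErrForbidden      = errors.New("role has no PHI access")
	ErrReasonRequired = errors.New("reason code required for this role")
	ErrUnknownReason  = errors.New("unknown reason code")
)

// AuthorizePHIAccess enforces the role rules and records the access. Call it
// before reading the content (log, then read) so no read happens without an
// entry. Unknown roles fall through to denial (an assumption of this example).
func AuthorizePHIAccess(alog *PHIAccessLog, role, userID, resource, reason string, now time.Time) error {
	switch phiAccessByRole[role] {
	case "full":
		// owner/admin: a reason is optional, but if given it must be valid
		if reason != "" && !reasonCodes[reason] {
			return ErrUnknownReason
		}
	case "restricted":
		if reason == "" {
			return ErrReasonRequired
		}
		if !reasonCodes[reason] {
			return ErrUnknownReason
		}
	default: // viewer, billing, or a role not in the table
		return ErrForbidden
	}
	alog.seq++
	alog.append(PHIAccessEntry{
		ID:         fmt.Sprintf("phi_%06d", alog.seq), // constructed ID format
		UserID:     userID,
		Resource:   resource,
		Reason:     reason,
		AccessedAt: now.UTC(),
	})
	return nil
}

func main() {
	alog := NewPHIAccessLog(10000)
	now := time.Date(2026, 4, 2, 10, 30, 0, 0, time.UTC)
	attempts := []struct{ role, reason string }{ // constructed attempts
		{"viewer", ""}, {"developer", ""}, {"developer", "curiosity"},
		{"developer", "treatment"}, {"admin", ""},
	}
	for _, a := range attempts {
		err := AuthorizePHIAccess(alog, a.role, "usr_xyz789", "message:msg_def456", a.reason, now)
		fmt.Printf("%-9s reason=%-12q -> %v\n", a.role, a.reason, err)
	}
	for _, e := range alog.Entries() {
		fmt.Printf("%s %s %s reason=%q at %s\n", e.ID, e.UserID, e.Resource, e.Reason, e.AccessedAt.Format(time.RFC3339))
	}
}
```

The map lookup plus `default: return ErrForbidden` is the important shape: a role that is missing from the table, or a typo in a role name, denies access instead of silently granting it.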

4. Data Retention

When HIPAA mode is active, data retention is enforced:
  • Default retention period: 365 days (configurable: 30–3,650 days)
  • Scope: Message content, call recordings, media attachments
  • Mechanism: Automated background job scans for expired records and securely deletes them
  • Exceptions: Audit logs and PHI access logs are retained independently of the data retention policy
Configuration: Via dashboard at Settings → Compliance → HIPAA → Data Retention or via API:
PUT /api/v1/settings/hipaa
{
  "enabled": true,
  "data_retention_days": 365
}

5. Business Associate Agreement (BAA)

Devotel tracks BAA status per organization:
  • Status: Signed / Not signed
  • Signed date: Recorded when BAA is confirmed
  • Document URL: Optional link to the signed BAA document
Requirement: HIPAA mode cannot be enabled without a signed BAA; attempting to enable it without one returns a 403 Forbidden error. The BAA status is recorded through the following endpoint (request body below):
PUT /api/v1/settings/hipaa/baa
{
  "signed": true,
  "signed_at": "2026-04-01T00:00:00Z",
  "document_url": "https://storage.devotel.io/baa/org_abc123.pdf"
}
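The Go program below is an added example, not Devotel's code, tying sections 4 and 5 together: the BAA gate on enabling HIPAA mode (the 403 the page describes), validation of the 30–3,650 day retention range, and the selection step of the retention job, which picks expired messages, call recordings and media while leaving audit and PHI access logs alone. The record kinds, IDs and timestamps are constructed; computing the cutoff in calendar days with AddDate rather than as a multiple of 24 hours is this example's choice.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// HIPAASettings is the per-organization state behind
// GET/PUT /api/v1/settings/hipaa and PUT /api/v1/settings/hipaa/baa.
type HIPAASettings struct {
	Enabled           bool
	DataRetentionDays int
	BAASigned         bool
	BAASignedAt       time.Time
	BAADocumentURL    string
}

const (
	MinRetentionDays = 30
	MaxRetentionDays = 3650
)

var (
	ErrBAARequired         = errors.New("403 Forbidden: a signed BAA is required before enabling HIPAA mode")
	ErrRetentionOutOfRange = errors.New("data_retention_days must be between 30 and 3650")
)

// UpdateHIPAASettings applies a PUT /settings/hipaa body. Enabling without a
// signed BAA is refused, and the retention period is range-checked before
// any field changes, so a bad request leaves the settings untouched.
func UpdateHIPAASettings(cur HIPAASettings, enabled bool, retentionDays int) (HIPAASettings, error) {
	if enabled && !cur.BAASigned {
		return cur, ErrBAARequired
	}
	if retentionDays < MinRetentionDays || retentionDays > MaxRetentionDays {
		return cur, ErrRetentionOutOfRange
	}
	cur.Enabled = enabled
	cur.DataRetentionDays = retentionDays
	return cur, nil
}

// RecordBAA applies a PUT /settings/hipaa/baa body.
func RecordBAA(cur HIPAASettings, signed bool, signedAt time.Time, docURL string) HIPAASettings {
	cur.BAASigned, cur.BAASignedAt, cur.BAADocumentURL = signed, signedAt, docURL
	return cur
}

// Record is the minimal shape the retention job needs. Kind is one of
// message, call_recording, media (in scope) or audit_log, phi_access_log
// (exempt); the kind names are constructed for this example.
type Record struct {
	ID        string
	Kind      string
	CreatedAt time.Time
}

var retentionScope = map[string]bool{"message": true, "call_recording": true, "media": true}

// ExpiredRecordIDs is the selection step of the background job: the IDs whose
// age exceeds the retention period at `now`. Logs are never selected and
// nothing is selected while HIPAA mode is off. A record created exactly at
// the cutoff is kept; only strictly older records are returned.
func ExpiredRecordIDs(s HIPAASettings, records []Record, now time.Time) []string {
	if !s.Enabled {
		return nil
	}
	cutoff := now.AddDate(0, 0, -s.DataRetentionDays)
	var ids []string
	for _, r := range records {
		if retentionScope[r.Kind] && r.CreatedAt.Before(cutoff) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	var s HIPAASettings
	if _, err := UpdateHIPAASettings(s, true, 365); err != nil {
		fmt.Println("enable before BAA:", err)
	}
	s = RecordBAA(s, true, time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC), "https://storage.devotel.io/baa/org_abc123.pdf")
	if _, err := UpdateHIPAASettings(s, true, 7); err != nil {
		fmt.Println("7-day retention:", err)
	}
	s, _ = UpdateHIPAASettings(s, true, 365)

	now := time.Date(2026, 4, 2, 10, 30, 0, 0, time.UTC)
	records := []Record{ // constructed sample rows
		{"msg_old", "message", now.AddDate(-2, 0, 0)},
		{"msg_new", "message", now.AddDate(0, 0, -10)},
		{"rec_old", "call_recording", now.AddDate(-1, 0, -1)},
		{"phi_old", "phi_access_log", now.AddDate(-3, 0, 0)},
	}
	fmt.Println("to delete:", ExpiredRecordIDs(s, records, now))
}
```

Keeping the exemption as an allow-list of in-scope kinds, rather than a deny-list of log kinds, means a new table added later is not swept until someone deliberately puts it in scope.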

API Reference

All paths are relative to /api/v1. "admin+" means admin or owner.
Method   Endpoint                         Description                          Required Role
GET      /settings/hipaa                  Get HIPAA status and configuration   admin+
PUT      /settings/hipaa                  Enable/disable HIPAA mode            owner
GET      /settings/hipaa/phi-access-log   Paginated PHI access log             admin+
PUT      /settings/hipaa/baa              Update BAA status                    owner

Dashboard Configuration

HIPAA settings are available in the dashboard under Settings → Compliance:
  1. HIPAA Mode Toggle — Enable/disable HIPAA mode (requires BAA)
  2. BAA Section — Track BAA signing status and date
  3. Data Retention — Configure automatic data deletion period
  4. PHI Access Log — View and export PHI access audit trail

Infrastructure Safeguards

Beyond application-level controls, Devotel’s infrastructure provides:
  • Cloud SQL Encryption: All database storage encrypted with AES-256 by Google Cloud
  • TLS 1.3: All data in transit encrypted with TLS 1.3
  • VPC Isolation: Database accessible only via private IP within the VPC
  • No Privileged Containers: GKE Autopilot prevents privileged container execution
  • Secret Manager: All encryption keys and credentials stored in GCP Secret Manager
  • Audit Trails: Google Cloud Audit Logs for infrastructure-level access tracking

Shared Responsibility

HIPAA compliance is a shared responsibility between Devotel and the customer:
Responsibility / Devotel / Customer
Infrastructure security
Data encryption at rest
Data encryption in transit
Access control enforcement
PHI access logging
BAA execution
Workforce training
Breach notification procedures
PHI minimum necessary standard
Patient consent management
Risk assessment

Incident Response

In the event of a suspected PHI breach:
  1. Devotel's security team is notified within 1 hour via automated alerting
  2. Affected organizations are notified within 24 hours. This is Devotel's commitment as a business associate and is well inside the HIPAA Breach Notification Rule's outer limit, which requires a business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Notifying affected individuals, HHS and, where applicable, the media remains the customer's obligation as the covered entity
  3. PHI access logs are immediately preserved and exported for forensic analysis
  4. Remediation steps are documented and shared with affected parties

Last updated: April 2026
For questions about HIPAA compliance, contact: compliance@devotel.io