Sollo AI

HIPAA Compliance

At Sollo AI, patient data security isn't just a legal requirement—it's foundational to our mission.

Our platform is built from the ground up to comply with the Health Insurance Portability and Accountability Act (HIPAA) and to ensure the privacy and security of Protected Health Information (PHI).

End-to-End Encryption

All audio files, transcriptions, and SOAP notes are encrypted in transit (TLS) and at rest (AES-256), ensuring that sensitive patient information remains protected at all times.

Strict Access Controls

Only you can access your data. Our technical architecture enforces strict segregation of user data, and our staff cannot view your content unless explicitly authorized by you for support purposes.

Business Associate Agreement

We provide a signed Business Associate Agreement (BAA) for all customers, clearly documenting our shared responsibilities for maintaining HIPAA compliance and protecting PHI.

Minimal Data Retention

We retain data only as long as necessary to process and deliver your documentation. Audio files are automatically deleted 30-45 days after processing.

Understanding HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that sets national standards for protecting sensitive patient health information. HIPAA consists of several rules that healthcare providers must follow:

Privacy Rule

Sets standards for the protection of individually identifiable health information ("Protected Health Information" or PHI). The Privacy Rule establishes when and how PHI can be used and disclosed.

Security Rule

Specifies safeguards that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).

Breach Notification Rule

Requires covered entities to notify affected individuals, the Secretary of Health and Human Services, and in some cases, the media, following a breach of unsecured PHI.

Omnibus Rule

Expanded many of the requirements to business associates that receive protected health information.

How Sollo AI Maintains HIPAA Compliance

As a business associate to healthcare providers, Sollo AI implements comprehensive measures to ensure HIPAA compliance throughout our platform:

  1. Secure Upload: TLS-encrypted connections protect data during transmission
  2. Protected Storage: AES-256 encryption for all data at rest
  3. Private Processing: Proprietary AI models run in secure environments
  4. Secure Delivery: Encrypted documentation delivered only to authorized users

Technical Safeguards

We implement robust technical safeguards to protect ePHI:

  • Secure Infrastructure: All services run on HIPAA-compliant, healthcare-grade cloud infrastructure located in the United States
  • Network Security: Multiple layers of network security, including firewalls, intrusion detection, and prevention systems
  • Access Controls: Role-based access controls with multi-factor authentication for administrative access
  • Audit Trails: Comprehensive logging of all system activities and access attempts
  • Data Isolation: Strict isolation between customer environments to prevent unauthorized cross-access
  • Secure Development: Security-first approach to software development with regular code reviews and security testing

Physical Safeguards

Our physical security measures protect the infrastructure that hosts your data:

  • Secure Data Centers: Use of HIPAA-compliant data centers with 24/7 monitoring, biometric access controls, and environmental protections
  • Device Management: Strict policies for company-owned devices including encryption, automatic locking, and remote wipe capabilities
  • Clean Desk Policy: Requirements that all sensitive information be secured when not in use

HIPAA Compliance Toolkit for Providers

We provide tools and features to help you maintain HIPAA compliance in your practice:

Access Controls

Granular permission settings to control which team members can access specific documentation.

Audit Logging

Detailed logs of all user activities for transparency and accountability.

Automatic Timeouts

Session timeouts after periods of inactivity to prevent unauthorized access.

MFA Support

Multi-factor authentication options for enhanced account security.

Secure Exports

Encrypted file exports for securely transferring documentation to EHR systems.

BAA Template

Ready-to-sign Business Associate Agreement template for immediate compliance.

Your Role in HIPAA Compliance

While Sollo AI provides a HIPAA-compliant platform, healthcare providers are responsible for certain aspects of compliance:

  • Patient Consent: Obtaining appropriate consent from patients before recording encounters or uploading patient information
  • Account Security: Maintaining the security of account credentials and ensuring they are not shared
  • Downstream Handling: Ensuring proper handling of PHI after it is downloaded from our platform
  • Access Management: Configuring access controls within your organization and promptly removing access for departing staff
  • Staff Training: Training your staff on proper handling of PHI and security best practices
  • Incident Reporting: Promptly reporting any suspected security incidents or breaches

Breach Notification Procedures

In the unlikely event of a security incident affecting PHI, we will:

  • Promptly investigate the incident to determine if a breach has occurred
  • Notify affected customers without unreasonable delay and no later than 60 days after discovery
  • Provide information about the breach, including what happened, what data was affected, and steps being taken to mitigate harm
  • Cooperate with covered entities to meet their breach notification obligations to patients and regulatory authorities
  • Implement corrective actions to address the root cause and prevent similar incidents

We maintain a documented incident response plan that is regularly tested and updated to ensure swift and effective response to potential security incidents.

Need a Business Associate Agreement?

We provide a signed Business Associate Agreement (BAA) for all customers as part of our commitment to HIPAA compliance. Our BAA clearly outlines our responsibilities for protecting PHI and maintaining compliance with HIPAA regulations.

© 2025 Sollo AI. All rights reserved.