HIPAA Compliance

EnrollPulse AI is designed from the ground up for HIPAA compliance. Every feature incorporates security and privacy controls.

Encryption at Rest

All PHI is encrypted with AES-256-GCM, with a unique initialization vector for each encryption. Encryption keys are managed via environment variables with rotation support.

Encryption in Transit

TLS 1.3 enforced for all connections. HSTS with 1-year max-age. No mixed content permitted.

Access Controls

6-tier RBAC: Viewer, Coordinator, Credentialing Specialist, Compliance Officer, Org Admin, Super Admin. Least-privilege by default.

Immutable Audit Trail

Every action is logged with a SHA-256 checksum for tamper detection; checksums are verified with a timing-safe comparison.

Data Retention

Configurable retention: 7-year HIPAA minimum to indefinite. Soft-delete for providers with full recovery capability.

PHI Sanitization

AI prompts are automatically scrubbed of SSNs, NPIs, DOBs, email addresses, and phone numbers before transmission. No PHI leaves the encryption boundary when requests are sent to AI providers.
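The following is an added illustration of the scrubbing step described above, not EnrollPulse AI's own code: it redacts the five identifier classes named here from a prompt before it would be handed to an AI provider. The patterns, the `[LABEL]` placeholder tokens, and the Luhn check that keeps arbitrary 10-digit numbers from being mistaken for NPIs are assumptions of this example; the sample prompt is constructed.

```python
import re
from typing import Dict, Tuple

# Ordered so the more specific shapes (SSN, separated phone, dates, email)
# are consumed before the bare 10-digit NPI candidate check runs.
_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)")),
    ("DOB",   re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
                         r"|\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")),
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("NPI",   re.compile(r"(?<!\d)\d{10}(?!\d)")),
]


def is_valid_npi(candidate: str) -> bool:
    """Luhn check over the '80840' issuer prefix plus the 10 NPI digits."""
    digits = [int(c) for c in "80840" + candidate]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_prompt(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the scrubbed prompt and a per-class count of redactions."""
    counts: Dict[str, int] = {}
    for label, pattern in _PATTERNS:
        def _redact(m: "re.Match[str]", label: str = label) -> str:
            # A 10-digit run that fails the NPI checksum is left untouched.
            if label == "NPI" and not is_valid_npi(m.group(0)):
                return m.group(0)
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}]"
        text = pattern.sub(_redact, text)
    return text, counts


# Constructed sample; 1234567893 is the well-known valid example NPI,
# 1234567890 fails the checksum and must survive as a plain claim number.
SAMPLE_PROMPT = ("Renew credentialing for Dr. Jane Doe, NPI 1234567893, SSN 123-45-6789, "
                 "DOB 03/14/1975, reach her at jane.doe@example.org or 555-867-5309. "
                 "Claim 1234567890 pending.")

if __name__ == "__main__":
    print(sanitize_prompt(SAMPLE_PROMPT))
```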

Business Associate Agreement

EnrollPulse AI signs a Business Associate Agreement (BAA) with every customer. Our BAA covers all PHI processing, storage, and transmission. Sub-processor agreements maintained with all infrastructure providers including Vercel, Neon, and AI API providers.