# HIPAA Considerations

HIPAA governs the handling of protected health information (PHI) in the United States. Dxtra is a general-purpose privacy management platform, not a healthcare-specific system.

> **Scope Limitation**
>
> Dxtra is not designed for healthcare PHI processing. Healthcare organizations requiring HIPAA compliance should evaluate specialized healthcare privacy solutions.
## HIPAA Overview

### Who Must Comply

- Covered entities -- Healthcare providers, health plans, healthcare clearinghouses
- Business associates -- Vendors handling PHI on behalf of covered entities
- Subcontractors -- Organizations providing services to business associates that involve PHI
### Protected Health Information (PHI)

PHI is individually identifiable health information that relates to:

- Past, present, or future physical or mental health conditions
- The provision of healthcare
- Payment for healthcare services

and that is combined with any of the 18 HIPAA identifiers (name, address, dates, etc.).
## Dxtra Security Features

Dxtra includes general security features that may support compliance requirements:

| Feature | Description |
|---|---|
| Encryption at rest | AES-256 encryption for stored data |
| Encryption in transit | TLS 1.2+ for all connections |
| Role-based access | Granular permission controls |
| Audit logging | Processing activity tracking |
| Multi-factor authentication | Available via authentication provider |
| Session management | Configurable session policies |
## Limitations for Healthcare Use

### Not Designed For

- Primary PHI storage or processing
- Healthcare-specific workflow requirements
- HIPAA-specific audit controls
- Healthcare compliance certifications

### Additional Requirements

Healthcare organizations using Dxtra would need to:

- Conduct independent security assessments
- Implement additional access controls
- Obtain legal review of the compliance approach
- Consider specialized healthcare tools for PHI
## Business Associate Agreements

If your organization requires a BAA:

- Contact support -- Discuss specific healthcare compliance needs
- Technical review -- Evaluate implementation requirements
- Legal review -- BAA terms require legal approval
- Custom configuration -- May require platform modifications

> **BAA Availability**
>
> Business Associate Agreements are evaluated on a case-by-case basis. Availability depends on the specific use case and implementation requirements.
## Appropriate Use Cases

### Suitable for Healthcare Organizations

- Non-PHI privacy management (marketing preferences, general account data)
- GDPR/CCPA compliance for non-health personal information
- General consent management for non-healthcare purposes
- Processing activity documentation for non-PHI data

### Not Suitable For

- PHI storage or processing
- Healthcare treatment records
- Patient rights requests involving health information
- Healthcare-specific compliance requirements

### Hybrid Approach

Organizations can potentially use:

- Dxtra for general privacy compliance (GDPR, CCPA)
- Specialized healthcare tools for PHI processing
- Separate systems with clear data boundaries between the two
## Common Questions

### Can Dxtra be used in healthcare?

For non-PHI data processing, Dxtra may be suitable. Direct PHI processing requires additional evaluation and likely additional safeguards beyond what Dxtra provides.

### Is Dxtra HIPAA certified?

No. Dxtra does not hold HIPAA certification. Healthcare organizations should conduct their own compliance assessment.

### What about HITECH requirements?

Dxtra does not specifically address HITECH, FDA regulations, or other healthcare-specific compliance requirements.

### Can we get a BAA?

BAAs are evaluated individually. Contact support to discuss your specific requirements and feasibility.
## Related Documentation

- GDPR Implementation -- European data protection compliance
- CCPA Implementation -- California privacy law
- Security and Compliance -- Security practices