Compliance

HIPAA Technical Safeguard Compliance

How AuthDeep satisfies the HIPAA Security Rule Technical Safeguard requirements (45 CFR §164.312) for healthcare applications that handle Protected Health Information (PHI).

Important: This page describes AuthDeep technical controls relevant to HIPAA compliance. It does not constitute legal advice. Operators deploying AuthDeep for healthcare applications must conduct their own HIPAA risk analysis and may need to execute a Business Associate Agreement (BAA) with relevant service providers. Consult qualified legal and compliance counsel.

Technical Safeguards

Access Controls (§164.312(a)(1))

  • Role-based access control enforced at the gateway layer
  • Unique user identification — no shared credentials
  • Automatic session logoff configured via gateway policy
  • Emergency access procedure supported via admin override with full audit trail

Audit Controls (§164.312(b))

  • Audit history for authentication events
  • Every admin action recorded with actor, timestamp, and tenant context
  • Audit exports available for SIEM integration
  • Logs cannot be deleted by application users

Integrity Controls (§164.312(c)(1))

  • Hardened session controls help prevent tampering
  • Signed integration events support payload integrity
  • Browser request-protection controls on authenticated changes
  • Safe database access patterns reduce injection risk

Transmission Security (§164.312(e)(1))

  • Encrypted transport enforced on all connections
  • Secure HttpOnly session cookies
  • No PHI in URL parameters, query strings, or log lines
  • Modern edge and origin transport controls

Person or Entity Authentication (§164.312(d))

  • Multi-factor authentication and passkey-ready account protection
  • Credential checks designed to reduce enumeration risk
  • Password storage follows modern defensive standards
  • Recovery codes with single-use enforcement

Self-Hosted Data Sovereignty

Because AuthDeep is self-hosted, PHI never leaves your infrastructure. Your PostgreSQL database and Redis instance are operated by you — AuthDeep does not receive, store, or process your patient data. This eliminates the need for a BAA with AuthDeep itself, though you may still need BAAs with your hosting providers (AWS, Azure, GCP, etc.).