CliniLoom
HIPAA

Designed to be HIPAA compliant.
BAA available for customers.

HIPAA is not a certification — it's a set of administrative, technical, and physical safeguards. CliniLoom is designed to be HIPAA compliant, and BAA v1.2 (available since January 2024) is signed with every customer before production PHI is processed.

  • BAA v1.2 · since Jan 2024
  • TLS 1.3 in transit · AES-256 at rest
  • Audit log retained 7 years
CliniLoom does not claim HIPAA "certification" — HIPAA has no such thing. We provide HIPAA-compliant architecture, controls, and a Business Associate Agreement that together support HIPAA-aligned clinic workflows.

Technical safeguards

Encryption

TLS 1.3 in transit. AES-256 at rest for PHI and backups.

Access control

Role-based access (Administrator, Manager, Provider, Staff) with least-privilege defaults; SSO via SAML 2.0 / OIDC and MFA via SMS, email, or authenticator app.

Audit controls

Per-entity audit log capturing actor, role, timestamp, and source references. Retained 7 years.

Integrity controls

Versioned records for AI drafts and human edits; tamper-evident audit trail.

Administrative safeguards

  • Workforce access reviews documented per clinic
  • Defined required reviewer roles per workflow
  • Approval rules per module (clinical / administrative)
  • Incident response runbooks with customer notification SLAs
  • Regular subprocessor review

Physical & infrastructure safeguards

US regions

PHI is hosted in CliniLoom's primary data center, located in US regions. That facility is SOC 2 Type II certified (March 2025) and ISO 27001 certified (June 2025).

Network isolation

Private networking between services. No PHI in third-party logs or analytics.

Staff access

Production access is limited to vetted on-call engineers, requires MFA, and is audit-logged.

Contractual safeguards

A Business Associate Agreement is required before any production PHI is processed. CliniLoom's BAA covers permitted uses, breach notification, subprocessor obligations, and return or destruction of PHI on termination.

  • Business Associate Agreement (BAA) — available before go-live
  • Subprocessor list maintained and disclosed
  • Data Processing Addendum (DPA) for international customers
  • Security review support for qualified clinics

Need our BAA template?

Request the BAA, security one-pager, and subprocessor list.