Security Brief

Ansur AI is committed to maintaining the highest standards of security and compliance for healthcare data. This document outlines our security practices, HIPAA compliance, and data protection measures.

HIPAA Compliance

Ansur AI is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) and operates as a Business Associate under HIPAA regulations. We maintain comprehensive administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

  • Signed Business Associate Agreements (BAA) with all covered entities
  • Regular HIPAA compliance audits and assessments
  • Comprehensive workforce training on HIPAA requirements
  • Strict access controls and minimum necessary access principles

Business Associate Agreement (BAA) Process

We execute BAAs with all healthcare organizations before processing any PHI. Our BAA process includes:

  • Standard BAA template that meets HIPAA requirements
  • Customizable terms for specific organizational needs
  • Electronic signature capability for expedited execution
  • Ongoing compliance monitoring and reporting

For more details, please see our BAA Summary.

Encryption

All data is encrypted both in transit and at rest using industry-standard encryption protocols:

Data in Transit

  • TLS 1.3 encryption for all API communications
  • HTTPS for all web traffic
  • Secure WebSocket connections for real-time features

Data at Rest

  • AES-256 encryption for database storage
  • Encrypted backups with separate encryption keys
  • Key management through secure key vaults

Audit Logging

Comprehensive audit logging ensures full traceability of all system activities:

  • All access to PHI is logged with user ID, timestamp, and action type
  • Immutable audit logs stored separately from production data
  • Regular audit log reviews and anomaly detection
  • Compliance with HIPAA audit log retention requirements
  • Real-time monitoring and alerting for suspicious activities

Data Retention

Our data retention policies are designed to balance operational needs with privacy requirements:

  • Configurable retention periods based on organizational requirements
  • Automatic secure deletion of data beyond retention periods
  • Data export capabilities for organizations that need to retain data locally
  • Compliance with state and federal data retention regulations

Sub-Processors

We work with a carefully vetted set of sub-processors, all of whom maintain HIPAA compliance and have executed BAAs with us:

  • Cloud infrastructure providers (AWS, Azure, or GCP)
  • Database hosting services
  • Voice processing and transcription services
  • Email and communication services

A complete list of sub-processors is available upon request. We notify customers of any changes to our sub-processor list with 30 days' advance notice.

Security Certifications

Our security practices are validated through:

  • Regular third-party security assessments
  • Penetration testing and vulnerability scanning
  • SOC 2 Type II compliance (in progress)
  • Ongoing security training for all personnel

Incident Response

In the event of a security incident, we follow a comprehensive incident response plan:

  • Immediate containment and assessment of any security breach
  • Notification to affected customers within 72 hours as required by HIPAA
  • Cooperation with law enforcement and regulatory bodies as necessary
  • Post-incident review and remediation measures

Questions or Concerns?

For additional security information, to request a BAA, or to discuss specific security requirements, please contact us:

  • Email: security@ansur.ai
  • Phone: Available upon request