HIPAA Compliance
Our commitment to protecting patient health information
Last updated: December 7, 2025
Our Commitment
LabIQ is designed with HIPAA compliance in mind. We understand that healthcare providers must protect patient health information (PHI), and we've built our platform to support your compliance obligations. We are committed to entering into Business Associate Agreements (BAAs) with covered entities.
Security Measures
Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Encrypted database connections
- Secure API communications
Infrastructure
- SOC 2 Type II compliant cloud hosting
- Isolated database environments
- Regular security patching
- Redundant backup systems
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication available
- Session management and timeout
- Audit logging of all access
Administrative
- Employee security training
- Background checks for staff
- Incident response procedures
- Regular risk assessments
Business Associate Agreement
If you are a HIPAA covered entity or business associate, we will enter into a Business Associate Agreement (BAA) with you before you use our Service with protected health information (PHI).
To request a BAA, please contact us at compliance@labiq.health.
Data Processing
How We Handle PHI
- Minimum Necessary: We only access PHI that is necessary to provide the Service.
- Purpose Limitation: PHI is used only for the purposes specified in our BAA.
- No Secondary Use: We do not use PHI for marketing or sell it to third parties.
- AI Processing: When PHI is processed by AI services, it is transmitted securely and is not retained for model training.
Third-Party Services
We use carefully selected third-party services that maintain their own HIPAA compliance programs:
- Cloud Hosting: Our infrastructure is hosted on platforms with SOC 2 and HIPAA compliance.
- AI Processing: We use enterprise AI services with appropriate data processing agreements.
- Database: Our database provider maintains SOC 2 compliance and offers HIPAA-eligible configurations.
Your Responsibilities
Important
As a covered entity, you maintain responsibility for your HIPAA compliance. Using LabIQ does not transfer this responsibility to us.
As a user of our Service, you are responsible for:
- Ensuring you have proper authorization to use PHI with our Service
- Training your workforce on proper use of the Service
- Maintaining appropriate access controls within your organization
- Reporting any suspected security incidents to us promptly
- Complying with your own HIPAA policies and procedures
Audit Logging
We maintain comprehensive audit logs of system access and PHI processing activities. These logs include:
- User authentication events
- Access to patient records
- Analysis requests and results
- Administrative actions
- System configuration changes
Audit logs are retained for a minimum of 6 years as required by HIPAA.
Breach Notification
In the event of a security incident involving PHI, we will:
- Notify affected covered entities within 24 hours of discovery
- Provide detailed information about the nature and scope of the incident
- Cooperate with your incident response procedures
- Take immediate steps to mitigate harm and prevent recurrence
- Document the incident and our response for compliance purposes
Data Retention and Disposal
We retain PHI only for as long as necessary to provide the Service or as required by the BAA. When PHI is no longer needed:
- Data is securely deleted using industry-standard methods
- Backups containing PHI are purged according to retention schedules
- Deletion is documented for compliance purposes
Contact Us
For questions about our HIPAA compliance program, to request a BAA, or to report a security concern:
LabIQ Compliance Team
Email: compliance@labiq.health
Security Issues: security@labiq.health
For urgent security matters, please email security@labiq.health with "URGENT" in the subject line.