Built for Healthcare's Rules.
Accountable by Design.

This is the trust page. Named officers, BAA status, audit-trail architecture, and pentest history, written for procurement officers, hospital compliance teams, and auditors.

Three HIPAA Officer Roles, Three People

HIPAA technically allows one person to hold all three officer roles. We separate them because accountability is easier to verify when the roles are distinct. Our Privacy Officer owns patient-facing rights (access, amendment, accounting of disclosures). Our Security Officer owns the §164.308 Administrative Safeguards program and the §164.312 Technical Safeguards we deploy. Our Compliance Officer is the external interface for auditors, state procurement offices, and customer BAAs.

  • Privacy Officer: Domenic Laurenzi (interim, pending CCO placement)
  • Security Officer: Domenic Laurenzi
  • Compliance Officer: Search in progress; candidate selection expected Q2 2026. Role scope: external audit interface, customer BAAs, state procurement response, annual training program oversight.

Direct correspondence: compliance@vitalchainhealth.com

BAA Chain

Every entity that handles Protected Health Information on VitalChain's behalf signs a Business Associate Agreement. Our AWS BAA was executed 2026-04-16, permitting PHI on our AWS account using HIPAA Eligible Services with encryption at rest and in transit (both active). Customer-facing BAAs are signed per engagement and are available for review during procurement.

  • AWS BAA executed 2026-04-16, active
  • Customer BAA templates available on request
  • Subcontractor BAAs maintained for all downstream PHI-handling vendors

At Rest and in Transit

Every stored copy of PHI is encrypted. EBS volumes ship with AWS default encryption enabled, re-encrypted from the snapshot on first deployment. Databases (MongoDB, Redis) run with TLS in transit and authentication enforced. Our internal service-to-service traffic terminates TLS at nginx with HSTS preload, HTTP/2, ECDHE with AEAD ciphers, and OCSP stapling.

  • EBS default encryption enabled, all volumes encrypted
  • MongoDB TLS active, Redis TLS active
  • nginx: ECDHE+AEAD only, HSTS preload, OCSP stapling
  • Secrets in AWS Secrets Manager on 90-day rotation; least-privilege IAM role
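An nginx TLS server block matching the posture listed above (ECDHE+AEAD only, HSTS preload, HTTP/2, OCSP stapling), added here as an illustration; it is not VitalChain's own configuration, and the hostname, certificate paths, resolver and upstream address are placeholders.

```nginx
# Added illustration, not VitalChain's configuration.
# Hostname, certificate paths, resolver and upstream are placeholders.
server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # TLS 1.2 restricted to ECDHE key exchange with AEAD suites;
    # every TLS 1.3 suite is AEAD by definition, so none need listing.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:secp384r1;

    # OCSP stapling: nginx fetches the OCSP response for its own chain,
    # verifies it against the trusted chain, and staples it to the handshake.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    # HSTS with the preload directive: two-year max-age, subdomains included,
    # "always" so the header is also sent on error responses.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Plaintext listener only redirects, so a client's first HTTPS visit
# receives the HSTS header and subsequent requests never use port 80.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}
```

To confirm the deployed result, `openssl s_client -connect api.example.com:443 -status` should show the negotiated ECDHE/AEAD suite and an "OCSP Response Status: successful" block in its output.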

Audit on the Chain, Not Next to It

HIPAA §164.312(b) requires a mechanism to record and examine activity in information systems that contain PHI. Most platforms satisfy this with a database audit log that the same operators can edit. VitalChain records every PHI access as a Hyperledger Fabric transaction. The audit log lives on the same permissioned ledger as the data, enforced by the same consensus protocol. Operators cannot retroactively change it.

  • Every PHI read and write is an on-chain transaction
  • Patient consent grants and revocations are recorded with timestamp, scope, and duration
  • Emergency access is a separate auditable path with mandatory reason
  • Accounting of disclosures queries run directly against the ledger, no export or reconciliation needed

Assessment and Pentest History

We ran a NIST SP 800-30 risk assessment covering likelihood, impact, and control effectiveness for every identified threat. Remediation work is prioritized against that assessment. Three independent penetration test engagements (March through April 2026) exercised the authentication, transport, and input-validation surface. All findings were remediated between engagements. The final engagement closed with zero outstanding issues.

  • NIST SP 800-30 risk assessment on file
  • 3 independent pentest engagements March-April 2026, all findings remediated
  • Annual pentest cadence, next engagement scheduled March 2027
  • Pentest reports available under NDA during procurement

Training and Sanctions

HIPAA requires a training program and a documented sanctions policy, not just technology. Our annual training curriculum covers Privacy Rule, Security Rule, and Breach Notification. New workforce members complete training before their first access to PHI. The sanctions policy is graduated (coaching, written warning, restriction of access, termination) and is applied uniformly.

  • Annual Privacy, Security, and Breach Notification training (documented, completion tracked)
  • Workforce Sanctions Policy with graduated response
  • Incident Response Plan, reviewed annually

Demo Environment Posture

Our pilot environment runs on AWS with HIPAA Eligible Services. During pre-revenue operation we hibernate the environment between demos to control infrastructure costs. Demos are available on request with a sub-5-minute warm-up from cold start. Every demo runs a 41-test smoke suite before any external party connects.

Procurement Questions?

We respond to audit, BAA, and HIPAA questionnaire requests within three business days.
