ABHOS

Security & compliance

HIPAA-compliant by architecture. Not by attestation.

ABHOS was built to handle PHI from day one. Every design decision was made with HIPAA, the 2026 NPRM, and your compliance officer in mind.

Compliance posture

Signed BAAs across every vendor that touches PHI.

HIPAA

Full compliance posture, live today.

Active

Database & storage BAA

Encrypted database, authentication, and storage — under a signed BAA.

Signed

Application hosting BAA

Application hosting and delivery — under a signed BAA.

Signed

AI processing BAA

Every PHI-touching AI call runs under a signed BAA — never sent to a consumer AI service.

Signed

SMS reminders BAA

Appointment-reminder texts on a HIPAA-eligible, BAA-covered service.

Signed

SOC 2 Type II

Independent audit in progress.

In Progress

Architecture

Per-tenant isolation. Cross-tenant access is impossible.

Most behavioral health EHRs put every customer's data in one shared database, separated only by software access rules. If one of those rules is misconfigured and lets one customer reach another's data, the breach is silent and total.

ABHOS uses per-tenant isolation. Every customer gets their own fully separate environment — their own database, their own application, their own email, and their own subdomain on abhos.com. There is no shared database. There is no shared infrastructure. Cross-tenant access is not a configuration mistake away — it's a physical impossibility.

This is more expensive to operate. We do it because it's the right call for healthcare.

Per-tenant isolation

Every customer gets their own environment. Nothing is shared.

customer-a.abhos.com

Customer A

  • Dedicated application
  • Dedicated database · Auth · Storage
  • Dedicated email
customer-b.abhos.com

Customer B

  • Dedicated application
  • Dedicated database · Auth · Storage
  • Dedicated email
customer-c.abhos.com

Customer C

  • Dedicated application
  • Dedicated database · Auth · Storage
  • Dedicated email

No shared database · No shared infrastructure · No cross-tenant access

Controls

What we do, specifically.

Per-tenant data isolation.
A separate, dedicated environment for every customer. No shared database.
MFA mandatory for clinicians.
Authenticator-app multi-factor (AAL2), aligned with the 2026 NPRM.
PHI never in logs or URLs.
Audit logs track access; PHI itself is filtered out of logs and monitoring.
AI under BAA only.
Every PHI-touching AI call runs under a signed BAA — never sent to a consumer AI service.
PIN-gated signing.
4–6 digit, encrypted, with a 3-attempt lockout, audited per 45 CFR 164.308(a)(4).
Encryption at rest and in transit.
AES-256 at rest. TLS 1.3 in transit.
Audit logging.
Every PHI read, write, and access logged with user, timestamp, and IP.
Breach response.
Customer notified within 24 hours of any security incident affecting PHI.
Vendor BAA management.
No new PHI flows enabled until vendor BAA is signed. Fail-closed by default.
Data residency.
Hosted in US data centers (West US / Oregon). No cross-region replication without customer consent.

Subprocessors

Every vendor that touches PHI. Documented.

SubprocessorPurposeBAA Status
Cloud hosting & databaseApplication hosting, database, authentication, storageBAA signed
AI processingPHI-touching AI, under BAABAA signed
SMS messagingAppointment-reminder text messagesBAA signed
Office AllyClaims clearinghouseCustomer-owned
Transactional emailSystem and notification emailBAA pending

No PHI-touching email is enabled until its BAA is in place.

For your compliance review

What we can send you.

  • BAA Template (PDF)

    Request via accounts@hellaintel.com

    Request →
  • Security Whitepaper

    Request via accounts@hellaintel.com

    Request →
  • SOC 2 Type II Report

    Available Q4 2026 — request to be notified

    Request →

Compliance review questions?

Email accounts@hellaintel.com or request a security walkthrough with our security lead.