Security & compliance
HIPAA-compliant by architecture. Not by attestation.
ABHOS was built to handle PHI from day one. Every design decision was made with HIPAA, the 2026 NPRM, and your compliance officer in mind.
Compliance posture
Signed BAAs across every vendor that touches PHI.
HIPAA
Full compliance posture, live today.
Active
Database & storage BAA
Encrypted database, authentication, and storage — under a signed BAA.
Signed
Application hosting BAA
Application hosting and delivery — under a signed BAA.
Signed
AI processing BAA
Every PHI-touching AI call runs under a signed BAA — never sent to a consumer AI service.
Signed
SMS reminders BAA
Appointment-reminder texts on a HIPAA-eligible, BAA-covered service.
Signed
SOC 2 Type II
Independent audit in progress.
In Progress
Architecture
Per-tenant isolation. Cross-tenant access is impossible.
Most behavioral health EHRs put every customer's data in one shared database, separated only by software access rules. If one of those rules is misconfigured and lets one customer reach another's data, the breach is silent and total.
ABHOS uses per-tenant isolation. Every customer gets their own fully separate environment — their own database, their own application, their own email, and their own subdomain on abhos.com. There is no shared database. There is no shared infrastructure. Cross-tenant access is not a configuration mistake away — it's a physical impossibility.
This is more expensive to operate. We do it because it's the right call for healthcare.
Per-tenant isolation
Every customer gets their own environment. Nothing is shared.
Customer A
- Dedicated application
- Dedicated database · Auth · Storage
- Dedicated email
Customer B
- Dedicated application
- Dedicated database · Auth · Storage
- Dedicated email
Customer C
- Dedicated application
- Dedicated database · Auth · Storage
- Dedicated email
No shared database · No shared infrastructure · No cross-tenant access
Controls
What we do, specifically.
- Per-tenant data isolation.
- A separate, dedicated environment for every customer. No shared database.
- MFA mandatory for clinicians.
- Authenticator-app multi-factor (AAL2), aligned with the 2026 NPRM.
- PHI never in logs or URLs.
- Audit logs track access; PHI itself is filtered out of logs and monitoring.
- AI under BAA only.
- Every PHI-touching AI call runs under a signed BAA — never sent to a consumer AI service.
- PIN-gated signing.
- 4–6 digit, encrypted, with a 3-attempt lockout, audited per 45 CFR 164.308(a)(4).
- Encryption at rest and in transit.
- AES-256 at rest. TLS 1.3 in transit.
- Audit logging.
- Every PHI read, write, and access logged with user, timestamp, and IP.
- Breach response.
- Customer notified within 24 hours of any security incident affecting PHI.
- Vendor BAA management.
- No new PHI flows enabled until vendor BAA is signed. Fail-closed by default.
- Data residency.
- Hosted in US data centers (West US / Oregon). No cross-region replication without customer consent.
Subprocessors
Every vendor that touches PHI. Documented.
| Subprocessor | Purpose | BAA Status |
|---|---|---|
| Cloud hosting & database | Application hosting, database, authentication, storage | BAA signed |
| AI processing | PHI-touching AI, under BAA | BAA signed |
| SMS messaging | Appointment-reminder text messages | BAA signed |
| Office Ally | Claims clearinghouse | Customer-owned |
| Transactional email | System and notification email | BAA pending |
No PHI-touching email is enabled until its BAA is in place.
Compliance review questions?
Email accounts@hellaintel.com or request a security walkthrough with our security lead.