HIPAA

Nephra is designed with HIPAA compliance in mind. We act as a Business Associate under HIPAA when we process Protected Health Information (PHI) on behalf of Covered Entities such as clinics and hospitals.

We enter into a Business Associate Agreement with every healthcare provider before PHI is processed on the platform. Contact us at [email protected] to request a BAA.

All PHI is encrypted at rest using AES-256-GCM and in transit using TLS 1.2+.

Access to PHI is controlled through role-based access control (RBAC). Each user can only access data appropriate to their clinical role.

Audit logs record all access and modifications to PHI with timestamps and user identifiers.

Access to production systems is restricted to authorised personnel via multi-factor authentication.

We conduct regular risk assessments and maintain incident response procedures.

In the event of a suspected breach involving PHI, we will notify affected Covered Entities within 60 days as required by the HIPAA Breach Notification Rule.

HIPAA compliance is a shared responsibility. Clinics and providers must also implement appropriate safeguards and staff training. Nephra's tools support compliance — they do not substitute for your organisation's own HIPAA programme.