HIPAA Compliance
OculiRX is committed to protecting the privacy and security of your Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Technical Safeguards
Encryption at Rest
All patient data is encrypted at rest with AES-256 using AWS KMS customer-managed keys (CMKs). Both the PostgreSQL database and S3 object storage use server-side encryption backed by these keys.
Encryption in Transit
All data transmitted between your device and our servers is encrypted with TLS 1.3. HTTP Strict Transport Security (HSTS) headers instruct browsers to connect only over HTTPS, so a downgrade to plain HTTP is refused by the client.
Access Control
Role-based access control (RBAC) with 8 distinct roles and 34 or more granular permissions. Two-factor authentication using time-based one-time passwords (TOTP) can be enabled on any account.
Audit Logging
Every access to PHI is logged with the user ID, timestamp, source IP address, and action type. Audit logs are retained for 6 years, matching the retention period HIPAA requires for Security Rule documentation (45 CFR 164.316(b)(2)).
Administrative Safeguards
- Designated Privacy and Security Officers
- Regular security risk assessments
- Employee training on HIPAA compliance
- Business Associate Agreements (BAAs) with all vendors that store, process, or transmit PHI on our behalf
- Incident response procedures for potential breaches
- Data retention and disposal policies
Physical and Infrastructure Safeguards
- Infrastructure hosted in AWS data centers; AWS maintains SOC 2 Type II attestation covering physical facility security
- Database in an isolated VPC with no public internet exposure
- S3 buckets with Block Public Access enabled and TLS required for every request (plain HTTP requests are rejected)
- Automated backups with 7-day retention and deletion protection
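As an added example (not OculiRX's or Centaris Health's own code or configuration), the following shows what "SSL enforced" on an S3 bucket looks like as a bucket policy, together with the audit check an engineer would run over a policy document to confirm it: a Deny statement for all principals when `aws:SecureTransport` is false, and a second Deny that rejects uploads not encrypted with SSE-KMS. The bucket name, the weak comparison policy, and the helper names are assumptions for illustration.

```python
"""Bucket-policy audit for TLS-only and SSE-KMS-only S3 access.

Added example; not OculiRX / Centaris Health code. Bucket name and the
sample policies below are constructed for illustration.
"""
import json

BUCKET = "oculirx-phi-example"  # assumed bucket name

# Policy that implements "SSL enforced": any request over plain HTTP is
# denied, and any PutObject without SSE-KMS is denied. Deny statements win
# over any Allow in IAM/S3 policy evaluation.
ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}
ENFORCING_POLICY_JSON = json.dumps(ENFORCING_POLICY)

# Constructed weak policy: grants access to an application role but
# enforces neither TLS nor encryption on upload.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},  # assumed
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _deny_all_principals(policy):
    """Yield Deny statements that apply to every principal."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Deny" and st.get("Principal") in ("*", {"AWS": "*"}):
            yield st


def enforces_tls(policy, bucket):
    """True if non-TLS requests are denied for both the bucket and its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _deny_all_principals(policy):
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(st.get("Action", []))):
            continue
        if needed <= set(_as_list(st.get("Resource", []))):
            return True
    return False


def enforces_sse_kms(policy, bucket):
    """True if PutObject without SSE-KMS is denied for all objects in the bucket."""
    for st in _deny_all_principals(policy):
        actions = _as_list(st.get("Action", []))
        if not any(a in ("*", "s3:*", "s3:PutObject") for a in actions):
            continue
        if f"arn:aws:s3:::{bucket}/*" not in _as_list(st.get("Resource", [])):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


def audit(policy, bucket):
    """Run both checks; accepts a dict or the JSON string that
    `aws s3api get-bucket-policy --query Policy --output text` returns."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return {"tls": enforces_tls(policy, bucket), "sse_kms": enforces_sse_kms(policy, bucket)}


if __name__ == "__main__":
    print("enforcing:", audit(ENFORCING_POLICY_JSON, BUCKET))
    print("weak:     ", audit(WEAK_POLICY, BUCKET))
```

Block Public Access is a separate bucket and account setting rather than a policy statement, so it is verified with `aws s3api get-public-access-block` rather than by inspecting the policy; the check above covers only the transport and encryption conditions.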
Patient Rights
- Right to access your health records
- Right to request corrections to your records
- Right to receive an accounting of disclosures
- Right to request restrictions on use of your PHI
- Right to file a complaint with HHS Office for Civil Rights
Contact
For HIPAA-related inquiries or to exercise your patient rights:
Privacy Officer: Ryan Wentzel
Email: privacy@oculirx.com
Entity: Centaris Health Inc.