HIPAA Compliance
Last updated: March 14, 2026
1. Overview
ARXIO Health is designed with healthcare data privacy as a foundational principle. Our API architecture minimizes the exposure of Protected Health Information (PHI) while providing comprehensive clinical decision support capabilities.
2. PHI Handling
Zero-persistence architecture
API request payloads containing patient data (age, weight, medications, allergies) are processed entirely in-memory. No PHI is written to disk, logged, cached, or stored beyond the lifecycle of the individual API request. Response payloads contain clinical recommendations only — no patient identifiers are echoed back.
3. Technical Safeguards
- Encryption in Transit
All API traffic is encrypted via TLS 1.3. HSTS is enforced with a max-age of at least one year (31536000 seconds). Certificate pinning is available for Enterprise customers.
- Access Controls
API keys are stored and verified as SHA-256 hashes; the plaintext key is not retained server-side. Role-based access within organizations. IP allowlisting available on Enterprise plans.
- Audit Logging
All API access is logged with timestamps, source IPs, and response codes; request and response payloads are not logged (see section 2). Logs are retained for 12 months and are available to Enterprise customers on request.
- Infrastructure Isolation
Enterprise deployments can be provisioned on dedicated infrastructure with network-level isolation, private endpoints, and customer-managed encryption keys.
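The following is an added example written for this page to illustrate how the access-control, audit-logging and zero-persistence safeguards above fit together in a request handler. It is not ARXIO Health's implementation: the key format (`ak_<id>_<secret>`), the in-memory key store, the field names and the placeholder clinical logic are all assumptions. The points it demonstrates are that only a SHA-256 hash of the key is stored, that the hash comparison is constant-time, and that the audit line records who, when, from where and the status code but never the key or any request field.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed in-memory key store for the example: key_id -> stored record.
# Only the SHA-256 hex digest of the key is kept, never the key itself.
KEY_STORE: dict = {}


def issue_api_key(org: str, role: str) -> str:
    """Mint a high-entropy API key and store only its SHA-256 hash.

    The key_id prefix lets the server find the record without scanning every
    hash. The secret part is 32 bytes from the OS CSPRNG, so an unsalted
    SHA-256 is adequate here (unlike for low-entropy user passwords).
    """
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)
    api_key = f"ak_{key_id}_{secret}"  # assumed key format
    KEY_STORE[key_id] = {
        "hash": hashlib.sha256(api_key.encode()).hexdigest(),
        "org": org,
        "role": role,
    }
    return api_key  # shown to the caller exactly once


def authenticate(api_key: str):
    """Return the key's principal on success, None otherwise.

    hmac.compare_digest runs in constant time, so a caller cannot learn how
    many leading bytes of a guessed key's hash match the stored hash.
    """
    parts = api_key.split("_", 2)
    if len(parts) != 3 or parts[0] != "ak":
        return None
    record = KEY_STORE.get(parts[1])
    if record is None:
        return None
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["hash"]):
        return None
    return {"key_id": parts[1], "org": record["org"], "role": record["role"]}


def handle_request(api_key: str, source_ip: str, body: dict, now=None):
    """Process one request and return (status, response, audit_line).

    `body` (patient data) lives only inside this call. The response carries
    recommendations only, and the audit line carries no key and no payload.
    """
    now = now or datetime.now(timezone.utc)
    principal = authenticate(api_key)
    if principal is None:
        status, response, key_id = 401, {"error": "unauthorized"}, None
    else:
        # Placeholder clinical logic (assumption): flag, do not echo, the input.
        flags = ["age_65_plus"] if body.get("age", 0) >= 65 else []
        status, response, key_id = 200, {"review_flags": flags}, principal["key_id"]
    audit_line = json.dumps(
        {"ts": now.isoformat(), "src_ip": source_ip, "key_id": key_id, "status": status},
        sort_keys=True,
    )
    return status, response, audit_line
```

Because the secret is compared only after hashing, a leaked database of `KEY_STORE` records does not yield usable keys, and because the audit line is built from fixed fields rather than from the request, a later change to the payload schema cannot accidentally pull PHI into retained logs.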
4. Business Associate Agreement (BAA)
A HIPAA Business Associate Agreement is available for all Enterprise plan customers. The BAA covers ARXIO Health's obligations as a business associate when processing PHI through our API endpoints. To request a BAA, contact [email protected].
5. Breach Notification
If a security incident involving PHI occurs, ARXIO Health will notify affected covered entities within 24 hours of discovery, provide a detailed incident report within 72 hours, and cooperate fully with breach investigation and remediation efforts as required under the HITECH Act.
6. Employee Training
All ARXIO Health team members with access to production systems complete annual HIPAA training, background checks, and sign confidentiality agreements. Access to infrastructure is provisioned on a least-privilege basis with MFA enforcement.
7. Subprocessors
The infrastructure subprocessors that may process data on behalf of customers:
| Provider | Purpose | Certification |
|---|---|---|
| Railway | API hosting | SOC 2 Type II |
| Cloudflare | DNS / DDoS protection | SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing | PCI DSS Level 1 |
8. Contact
For compliance inquiries or to request a BAA, contact our compliance team at [email protected].