HIPAA Policy
This HIPAA Policy describes how The Force for Health Network ("FFH") protects Protected Health Information ("PHI") handled through our Services, including the Live It Trackers and any other HIPAA-covered tools. When FFH acts as a Business Associate to a Covered Entity (for example, a health system, health plan, or clinical partner), we comply with the HIPAA Privacy, Security, and Breach Notification Rules.
1. Scope
This Policy applies to any Protected Health Information that FFH creates, receives, maintains, or transmits on behalf of a Covered Entity, and to health information voluntarily contributed by participants through consumer-facing FFH tools in a manner that renders it PHI-equivalent and subject to equivalent safeguards.
2. Administrative Safeguards
- Designated HIPAA Privacy and Security Officers with documented roles and responsibilities.
- Workforce training on PHI handling upon onboarding and annually thereafter.
- Access provisioned on a least-privilege basis; quarterly access reviews.
- Business Associate Agreements (BAAs) with every subcontractor that may access PHI.
- Formal Incident Response procedures; 24-hour customer notification SLA for any suspected breach.
- Internal compliance audits on an established quarterly cadence; annual third-party review planned.
3. Technical Safeguards
- Encryption at rest: AES-256 for all PHI storage.
- Encryption in transit: TLS 1.2 or higher on all endpoints.
- Authentication: JWT-based session tokens via our authentication provider.
- No PHI in client-side browser storage: PHI_SAFE_MODE blocks any local storage of PHI when a user is authenticated.
- Audit logging: immutable audit_log entry on every create, read, update, and delete of PHI within HIPAA-covered tools.
- Session management: automatic sign-out after 30 minutes of inactivity, with warning at 25 minutes.
- Database security: Row-Level Security policies enforce isolation between users and organizations.
- Consent gate: writes to PHI stores are blocked until a valid consent_records entry is present for that user.
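The user/organization isolation, consent gate and audit logging described above can be expressed as database-level controls. The following PostgreSQL example is an added illustration written for this page, not FFH's own schema or migrations; the table phi_entries, the columns, and the use of Supabase's auth.uid() helper to identify the signed-in user are assumptions, while consent_records and audit_log are the store names the policy mentions.

```sql
-- Added illustration, not FFH's schema. Table/column names are hypothetical.
create table consent_records (
  user_id      uuid primary key,
  consented_at timestamptz not null default now(),
  revoked_at   timestamptz                      -- null while consent is current
);

create table phi_entries (
  id         bigserial primary key,
  user_id    uuid not null,
  org_id     uuid not null,
  payload    jsonb not null,
  created_at timestamptz not null default now()
);

create table audit_log (
  id     bigserial primary key,
  actor  uuid,                                  -- who performed the action
  action text not null,                         -- INSERT / UPDATE / DELETE
  row_id bigint,
  at     timestamptz not null default now()
);

-- Row-Level Security: a signed-in user can only see or write their own rows.
-- auth.uid() is the Supabase helper returning the current JWT subject (assumed).
alter table phi_entries enable row level security;
alter table phi_entries force row level security;   -- applies to the owner too
create policy phi_owner_only on phi_entries
  for all
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Consent gate: reject any insert/update unless a current consent record exists.
create or replace function require_consent() returns trigger
language plpgsql as $$
begin
  if not exists (
    select 1 from consent_records c
    where c.user_id = new.user_id and c.revoked_at is null
  ) then
    raise exception 'consent required before PHI can be stored for user %', new.user_id
      using errcode = 'insufficient_privilege';
  end if;
  return new;
end $$;

create trigger phi_consent_gate
  before insert or update on phi_entries
  for each row execute function require_consent();

-- Audit trail: append one audit_log row for every create, update and delete.
create or replace function log_phi_change() returns trigger
language plpgsql as $$
begin
  insert into audit_log (actor, action, row_id)
  values (auth.uid(), tg_op,
          case tg_op when 'DELETE' then old.id else new.id end);
  return case tg_op when 'DELETE' then old else new end;
end $$;

create trigger phi_audit
  after insert or update or delete on phi_entries
  for each row execute function log_phi_change();

-- Make the log append-only for application roles.
revoke update, delete on audit_log from public;
```

Two caveats a reviewer would check: database triggers cannot observe SELECTs, so the "read" entries the policy requires must be written by the application or API layer that serves PHI; and the revoke above does not bind the table owner or superusers, so immutability of audit_log also depends on the application connecting with a restricted role.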
4. Physical Safeguards
FFH's production infrastructure is operated through cloud providers with SOC 2-aligned controls (Supabase for database and auth, Vercel for application hosting). Providers maintain physical safeguards including 24/7 facility monitoring, access controls, and environmental protections documented in their respective attestations and BAAs.
5. Business Associate Agreements
FFH maintains BAAs with every subcontractor that may access PHI. Current BAAs on file or in execution include: Supabase (database and authentication), Zoom (if used for PHI-related video sessions), Google Workspace (if PHI is transmitted by email), and any health system partner for which FFH serves as a Business Associate. FFH maintains an internal Vendor BAA Registry.
6. Breach Notification
In the event of a known or suspected breach of unsecured PHI, FFH will: (1) investigate and contain the incident; (2) notify affected Covered Entities within 24 hours of discovery; (3) cooperate with notifications to affected individuals, the Secretary of HHS, and, where required, media, within the timeframes mandated by 45 CFR §§ 164.404–164.408.
7. Individual Rights
Individuals whose PHI is processed by FFH on behalf of a Covered Entity may exercise their HIPAA rights (access, amendment, accounting of disclosures, restriction, confidential communications) through the Covered Entity. For consumer-facing PHI-equivalent data that individuals have contributed directly to FFH, equivalent rights are supported through the Privacy Policy and may be exercised via privacy@forceforhealth.com.
8. Request a BAA
Covered Entities seeking to enter a Business Associate Agreement with FFH should contact compliance@forceforhealth.com. FFH maintains a standard BAA template and is prepared to negotiate institutional templates as required.
9. Contact
HIPAA Privacy Officer: privacy@forceforhealth.com
HIPAA Security Officer: security@forceforhealth.com
General Compliance: compliance@forceforhealth.com