Your Patient Data, Secured to the Highest HIPAA Standard
OBGYNBillingPro is built on the 2026 HIPAA Security Rule — including all controls previously designated as “addressable” that are now mandatory.
What Changed in 2026
HIPAA Security Rule 2026 Updates
All Specifications Now Mandatory
The 2026 HIPAA Security Rule update removes the distinction between "required" and "addressable" specifications. All prior addressable controls are now mandatory.
Phishing-Resistant MFA Required
SMS-based authentication no longer satisfies HIPAA MFA requirements. Only FIDO2 hardware keys and TOTP authenticator apps are compliant.
Ransomware Response Plan Mandatory
Covered entities must maintain a documented ransomware incident response plan, including restoration procedures from immutable backups.
Immutable Audit Log Requirement
Audit logs must be stored in an immutable format (WORM) to prevent deletion or tampering. Our S3-based audit storage meets this requirement.
Our Technical & Administrative Safeguards
AES-256 Encryption at Rest
All ePHI stored in AWS RDS and S3 is encrypted with AES-256 using AWS KMS-managed keys. Key rotation is automated annually.
TLS 1.3+ in Transit
All data in transit between clients, our servers, and third-party vendors uses TLS 1.3 or higher. TLS 1.0/1.1 are disabled at the load-balancer level.
FIDO2 / TOTP MFA
Phishing-resistant multi-factor authentication is mandatory for all portal users. SMS-only MFA is prohibited. FIDO2 hardware keys and TOTP apps are supported.
Role-Based Access Control
Least-privilege RBAC with three roles: Admin, Staff, and Client. Row-Level Security (RLS) ensures each practice sees only its own data.
Immutable WORM Audit Logs
All access and modification events are written to immutable Write Once Read Many (WORM) audit logs. Hot storage: 90 days. Cold archive: S3 Glacier.
15-Minute Session Timeout
Portal sessions auto-expire after 15 minutes of inactivity. Access tokens expire after 15 minutes; refresh tokens expire after 7 days.
ClamAV Malware Scanning
Every file uploaded through the portal is scanned by ClamAV before being moved to permanent S3 storage. Infected files are quarantined and flagged.
S3 Pre-Signed URLs Only
Files never pass through the application server. Clients upload directly to S3 via pre-signed URLs (5-minute expiry). Direct streaming through the app server is forbidden.
Zero PHI in Logs / Analytics
No patient health information is written to application logs, error tracking (Sentry), analytics (PostHog), or console output. All error messages are sanitized before logging.
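Keeping PHI out of logs, error trackers and console output is easiest to enforce at the logging layer rather than at every call site. The following is an added illustration, not OBGYNBillingPro's own code: a logging filter that masks known PHI fields in structured context and scrubs SSN-, date- and e-mail-shaped tokens from free-text messages before any handler (file, Sentry, stdout) sees the record. The field list, the `ctx` extra attribute and the sample log line are all constructed for the example.

```python
"""Redact PHI from log records before they reach any sink.

Added illustration, not OBGYNBillingPro's code. It assumes application code
attaches request context to the record as an ``extra`` dict named ``ctx``
(a constructed convention) and that the field names in PHI_FIELDS are the
ones that would carry PHI. Two layers: mask known PHI fields by name, then
scrub free text for SSN-, date- and e-mail-shaped tokens that slip into
exception messages.
"""
import io
import logging
import re
from typing import Any, Dict

# Field names treated as PHI when they appear in structured context (constructed list).
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "diagnosis", "address", "phone", "email"}

# Patterns for PHI that commonly leaks through free-text messages.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_DATE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")


def scrub_text(text: str) -> str:
    """Mask SSN, date and e-mail tokens in a free-text string."""
    text = _SSN.sub("[SSN]", text)
    text = _DATE.sub("[DATE]", text)
    text = _EMAIL.sub("[EMAIL]", text)
    return text


def scrub_context(ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with PHI fields masked and remaining string values scrubbed."""
    clean: Dict[str, Any] = {}
    for key, value in ctx.items():
        if key.lower() in PHI_FIELDS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = scrub_context(value)
        elif isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean


class PHIRedactingFilter(logging.Filter):
    """Rewrites each LogRecord in place so no handler ever sees raw PHI."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = scrub_context(record.args)
        elif record.args:
            record.args = tuple(scrub_text(a) if isinstance(a, str) else a for a in record.args)
        ctx = getattr(record, "ctx", None)
        if isinstance(ctx, dict):
            record.ctx = scrub_context(ctx)
        return True  # never drop the record, only sanitise it


def render(message: str, ctx: Dict[str, Any]) -> str:
    """Format one record through the filter and return the line a sink would receive."""
    logger = logging.getLogger("phi-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s ctx=%(ctx)s"))
    handler.addFilter(PHIRedactingFilter())  # attach to every handler, not just this one
    logger.addHandler(handler)
    logger.info(message, extra={"ctx": ctx})
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed failure message of the kind an eligibility check might raise.
    print(render(
        "Eligibility check failed for SSN 123-45-6789 (DOB 03/14/1985)",
        {"practice_id": "prac_42", "patient_name": "Jane Doe", "dob": "1985-03-14", "request_id": "req_9"},
    ))
```

Field-name masking is the layer that matters most: a patient name cannot be recognised by a regex, so the structured context must label it. The regex pass is a backstop for text that arrives already interpolated, such as an exception string from a downstream library.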
Rate Limiting on Auth Endpoints
Login, password reset, and API lead endpoints are rate-limited at 5 requests per IP per 15 minutes using Upstash Redis-backed rate limiting.
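To show what "5 requests per IP per 15 minutes" means operationally, here is an added example of a fixed-window limiter with those parameters. It is not OBGYNBillingPro's code: the page states that the real limiter is Upstash Redis-backed, whereas this version keeps its counters in a plain dict so it runs offline, and takes the clock as a parameter so the window can be exercised deterministically. The endpoint path and IP addresses are constructed.

```python
"""Per-IP fixed-window rate limiter: 5 requests per 15 minutes.

Added illustration, not OBGYNBillingPro's code. The page says the real
limiter is backed by Upstash Redis; the dict below stands in for that store
(in Redis the same logic is INCR plus EXPIRE on a key per endpoint and IP,
an assumed key layout). The clock is injectable for testing.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

LIMIT = 5
WINDOW_SECONDS = 15 * 60


@dataclass
class FixedWindowLimiter:
    limit: int = LIMIT
    window: int = WINDOW_SECONDS
    clock: Callable[[], float] = time.time
    # (endpoint, ip) -> (count, window_start)
    _buckets: Dict[Tuple[str, str], Tuple[int, float]] = field(default_factory=dict)

    def check(self, endpoint: str, ip: str) -> Tuple[bool, int, int]:
        """Return (allowed, remaining, retry_after_seconds).

        The window is anchored at the first request seen; once it has
        elapsed the counter resets. Denied requests do not extend the window,
        so a locked-out client regains access WINDOW_SECONDS after its first
        attempt rather than being pushed back indefinitely.
        """
        now = self.clock()
        key = (endpoint, ip)
        count, start = self._buckets.get(key, (0, now))
        if now - start >= self.window:
            count, start = 0, now
        if count >= self.limit:
            retry_after = int(self.window - (now - start)) + 1
            self._buckets[key] = (count, start)
            return False, 0, retry_after
        count += 1
        self._buckets[key] = (count, start)
        return True, self.limit - count, 0


def demo() -> list:
    """Drive the limiter with a fake clock: six hits in a row, another IP, then after the window."""
    t = [1_000_000.0]  # constructed epoch seconds
    limiter = FixedWindowLimiter(clock=lambda: t[0])
    results = []
    for _ in range(6):
        allowed, _, _ = limiter.check("/api/auth/login", "203.0.113.7")
        results.append(allowed)
        t[0] += 1
    # The sixth request is refused; a different IP keeps its own budget.
    other_ok, _, _ = limiter.check("/api/auth/login", "198.51.100.2")
    results.append(other_ok)
    # Advance past the 15-minute window: the counter resets.
    t[0] += WINDOW_SECONDS
    allowed, _, _ = limiter.check("/api/auth/login", "203.0.113.7")
    results.append(allowed)
    return results


if __name__ == "__main__":
    print(demo())  # [True, True, True, True, True, False, True, True]
```

Return `retry_after` to the client in a `Retry-After` header and a 429 status so legitimate users know when to try again; the fixed window is simpler to reason about than a sliding one but admits up to 2x the limit across a window boundary, which is acceptable for a login endpoint where the goal is to blunt credential guessing, not to meter throughput precisely.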
BAA with All ePHI Vendors
Business Associate Agreements are signed with every vendor that handles ePHI: AWS (S3, RDS), Resend, Vercel, and all authentication providers.
60-Day Breach Notification
In the event of a breach, affected practices and individuals are notified within 60 days per the HIPAA Breach Notification Rule. We maintain a documented notification workflow.
Business Associate Agreement (BAA)
OBGYNBillingPro serves as your Business Associate under HIPAA. We provide a signed BAA before any ePHI is shared, and we maintain BAAs with every downstream vendor that touches your data — including AWS, Resend, and our authentication provider.
Questions About Our HIPAA Compliance?
Contact our compliance team at support@obgynbillingpro.com
Last reviewed: April 2026