HIPAA Compliance Statement
Last updated: May 20, 2026
1. Our Commitment to Data Security & HIPAA
At Clausea, we understand that protecting healthcare information is a critical component of serving the healthcare community. We are fully committed to protecting the privacy, confidentiality, and integrity of Protected Health Information (PHI). Our systems and processes are engineered from the ground up to ensure strict alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This HIPAA Compliance Statement outlines the specific administrative, physical, and technical safeguards Clausea has implemented to maintain the security and privacy of healthcare data entrusted to us by our customers.
2. Business Associate Agreements (BAAs)
Under HIPAA regulations, Clausea acts as a Business Associate for our customers, who are generally "Covered Entities" (including health systems, hospitals, clinics, individual practitioners, and medical billing agencies). As a Business Associate, we recognize our direct legal liability and responsibility to protect PHI.
To satisfy HIPAA requirements and formalize our security commitments, Clausea executes standard, robust Business Associate Agreements (BAAs) with all of our Covered Entity customers. Our BAA outlines:
- Our obligations to protect PHI in accordance with HIPAA Rules.
- Permitted and restricted uses and disclosures of PHI.
- Reporting requirements in the unlikely event of a security incident or breach.
- Obligations regarding data deletion or return upon termination of service.
You can request and execute our standard BAA by contacting our compliance team through our Contact Page or emailing us at compliance@clausea.us.
3. Technical Safeguards
We employ advanced technical safeguards to protect PHI from unauthorized access, loss, or alteration:
A. Encryption Protocols
- Data-at-Rest: All data stored in our databases or storage buckets is encrypted using industry-standard Advanced Encryption Standard (AES) with 256-bit keys (AES-256). Stored data is hosted via HIPAA-compliant cloud database systems, including Supabase and AWS RDS, utilizing managed KMS keys with automatic rotation.
- Data-in-Transit: All communication between browser clients, our browser extension, and our secure backend APIs is encrypted using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) versions 1.3 or 1.2 with strong cipher suites to prevent interception or modification of data.
B. Identity & Access Management
- Role-Based Access Control (RBAC): Clausea enforces strict RBAC rules. System and data access are granted under the principle of "least privilege"—only personnel with a verified business need can access resources necessary to perform their specific job functions.
- Multi-Factor Authentication (MFA): MFA is strictly enforced across all internal employee accounts, hosting platforms, and development infrastructure. No employee can access internal networks or servers containing customer data without passing multi-factor challenges.
- Access Controls and Session Timeouts: Our administrative consoles and user portals feature automatic session timeouts (such as 15 minutes of inactivity) and unique user identifiers to prevent unauthorized sessions.
C. Audit and Logging Controls
- Comprehensive Audit Trails: Our systems log details of every touchpoint, user login, data access, record modification, and API submission. These audit logs are stored securely, are immutable, and are continuously reviewed to identify any unauthorized or suspicious activity.
- Vulnerability Monitoring: We perform automated dependency checks, vulnerability scans, and continuous threat detection on our secure networks to proactively discover and resolve security gaps.
4. Administrative Safeguards
Our administrative policies and procedures are designed to foster a culture of compliance and continuous risk mitigation:
A. Personnel Training
Every Clausea employee and contractor undergoes mandatory annual HIPAA compliance training. This training covers the identification of PHI, proper data handling procedures, password hygiene, social engineering defenses, and our internal security policies. Access to production systems is restricted until training is fully completed and verified.
B. Incident Response & Security Incident Management
Clausea has formulated a comprehensive Incident Response and Disaster Recovery Plan. In the highly unlikely event of a security incident, data breach, or unauthorized exposure of PHI, our team is trained to execute a rapid response protocol. We will identify, contain, investigate, and remediate the incident immediately.
Under HIPAA guidelines, Clausea will notify affected Covered Entities of any verified data breach involving unsecured PHI without unreasonable delay and in no event later than 60 days after discovery (or sooner where required by specific state laws or BAA stipulations, typically within 24 to 72 hours of verification).
C. Regular Security Risk Analyses
We perform regular security risk assessments to evaluate the effectiveness of our physical, technical, and administrative safeguards. Findings from these assessments are used to refine and enhance our security posture, keeping pace with evolving cybersecurity threats.
5. Physical Safeguards
While Clausea is a cloud-based software provider and does not maintain physical on-premises servers containing patient data, we ensure our cloud hosts provide premium physical protection:
- SOC 2 Certified Data Centers: Our secure cloud infrastructure is hosted by world-class cloud service providers (including AWS, Supabase, and Vercel). Their physical servers are housed in Tier III or Tier IV, SOC 2 Type II certified data centers.
- 24/7 Physical Protection: These data centers employ rigorous physical safeguards, including 24/7 biometric authentication, video surveillance logs, physical barriers, security guards, and advanced environmental disaster mitigation (fire suppression, backup generators, and climate controls).
6. Data Minimization & AI Privacy Policy
Clausea leverages artificial intelligence to analyze billing claim denials and generate clinical appeals. Our AI pipeline is engineered with data minimization as a core design principle:
- Zero Persistent Storage of Unstructured Records: Clausea does not persistently store raw, unstructured patient medical files on our servers. Patient files or appeal documents processed by our tool are parsed in memory, securely processed, and can be promptly deleted after your session.
- Redaction Capabilities: We encourage healthcare providers to redact direct patient identifiers (such as patient names, Social Security Numbers, and exact home addresses) before submitting materials to our lookup utilities. The minimum necessary standard is applied to all processed data.
- Private AI Partnerships: The Large Language Models (LLMs) used by Clausea are accessed through dedicated enterprise APIs that explicitly operate under strict Zero Data Retention (ZDR) agreements. No patient data or health information submitted to Clausea is ever retained by our AI partners or used to train public language models.
7. Contact and Compliance Inquiries
If you have any questions about our security controls, need to execute a Business Associate Agreement, or want to report a potential vulnerability or incident, please contact our Compliance Officer:
Clausea Compliance Office
Email: compliance@clausea.us
Contact Form: Clausea Contact Page