HIPAA & HITRUST
Status: BAA not signed · HITRUST not pursued · last updated 27 May 2026
Glassbreak does not currently sign Business Associate Agreements and is not suitable for processing Protected Health Information (PHI) today. If you are a Covered Entity or a Business Associate under HIPAA, please do not enter PHI into the Service. This page explains our current posture, what would need to change, and our reasoning.
The honest answer
The encryption story is strong: secret, contact, and message content is encrypted on the user's device with AES-256-GCM and we cannot read it. That is a meaningful technical safeguard. However, HIPAA compliance is not solved by encryption alone — it requires a signed BAA, documented Administrative Safeguards, a tested incident response procedure, audit log integrity controls, and operating evidence over time. We do not yet have the full set, and the cost of getting them wrong in healthcare is too high to pretend otherwise.
We will not sign a BAA until the gaps below are closed and we have operated the additional controls long enough to defend them in an OCR investigation. If a healthcare customer becomes a strategic priority we will publish a target date on this page.
HIPAA in one paragraph
HIPAA (the Health Insurance Portability and Accountability Act, US 1996, as amended by HITECH 2009) regulates Protected Health Information handled by Covered Entities (providers, plans, clearinghouses) and their Business Associates (vendors who handle PHI on a Covered Entity's behalf). The Security Rule (45 CFR §§ 164.302–318) requires Administrative, Physical, and Technical Safeguards. A Business Associate Agreement (BAA) is the contractual instrument that flows these obligations to vendors.
Security Rule — Technical Safeguards (§ 164.312)
Closest to ready. Glassbreak's design satisfies most technical standards.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| § 164.312(a)(2)(i) | Unique user identification | Met | Every account has a unique identifier; shared accounts are prohibited. |
| § 164.312(a)(2)(ii) | Emergency access procedure | Met | Met by design — the platform IS an emergency access procedure for credential recovery. |
| § 164.312(a)(2)(iii) | Automatic logoff | Met | Logout route mounted (audit finding C-1 resolved). Mobile app-lock timeout with biometric unlock; web session timeout server-enforced; family-based refresh-token reuse detection. |
| § 164.312(a)(2)(iv) | Encryption and decryption | Met | Content encrypted on device with AES-256-GCM; keys derived from passphrase via scrypt and split via Shamir for quorum recovery. |
| § 164.312(b) | Audit controls | Partial | Audit log captures access and modification events; tamper-evident chain (S3 Object Lock mirror + hash chain) not yet implemented. An admin can currently call deleteOldAuditLogs — would be a HIPAA finding. |
| § 164.312(c)(1) | Integrity | Met | AES-256-GCM provides authenticated encryption with associated data; tampering fails decryption. |
| § 164.312(d) | Person or entity authentication | Met | Argon2id passwords; TOTP and WebAuthn MFA; refresh-token family-based reuse detection. |
| § 164.312(e)(2)(i) | Transmission security — integrity controls | Met | TLS 1.2+ with authenticated cipher suites. |
| § 164.312(e)(2)(ii) | Transmission security — encryption | Met | TLS 1.2+ enforced; HSTS preloaded. |
Security Rule — Administrative Safeguards (§ 164.308)
The largest gap. Administrative Safeguards are about people and process and require documented policies that have been in operation for a defensible period.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| § 164.308(a)(1) | Security management process — risk analysis & management | Met | Risk Treatment Plan at /policies/risk-treatment-plan with methodology, register, owners, and target dates; annual review at /policies/cadences/technical-evaluation. |
| § 164.308(a)(1)(ii)(C) | Sanction policy | Met | Documented Sanctions and Disciplinary Policy at /policies/sanctions covering minor, material, and gross violations with proportionate sanctions and right of appeal. |
| § 164.308(a)(1)(ii)(D) | Information system activity review | Met | Quarterly /policies/cadences/access-review (signed record of every grant vs. current role) + quarterly /policies/cadences/management-review (signed minutes). |
| § 164.308(a)(2) | Assigned security responsibility | Met | Security Officer designated as accountable owner of every policy at /policies and named in /policies/information-security §4. |
| § 164.308(a)(3)–(4) | Workforce security & access management | Met | Workforce-clearance procedure at /policies/onboarding §3 (background checks, references, contracts). Access management at §4.2 (least-privilege grants, MFA, access register). |
| § 164.308(a)(5) | Security awareness and training | Met | Mandatory programme: security briefing on Day 1, formal training in first 30 days, annual refresh thereafter — per /policies/onboarding §§4.3, 5, 8. |
| § 164.308(a)(6) | Security incident procedures | Met | Documented at /policies/incident-response covering detection, triage, containment, recovery, customer notification (24h for SEV-1, 72h for personal-data breaches), and post-mortem. |
| § 164.308(a)(7) | Contingency plan | Met | BCP/DR plan at /policies/business-continuity with RTO 15 min, RPO 5 min, 22 nightly DR test scenarios, and scenario-specific recovery procedures. |
| § 164.308(a)(8) | Evaluation | Met | Annual technical evaluation at /policies/cadences/technical-evaluation: control-by-control re-test producing a dated report comparing prior year to current. |
| § 164.308(b)(1) | Business associate contracts | Gap | We do not currently sign BAAs and have not signed BAAs with our sub-processors (AWS, Neon, Scaleway, Fastly, Postmark/SES all offer BAAs to qualifying customers; this work has not been done). |
Security Rule — Physical Safeguards (§ 164.310)
Production physical security is delegated to our sub-processors. Each will need a signed BAA before we can sign one to a Covered Entity.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| § 164.310(a)(1) | Facility access controls | Met | Inherited from cloud sub-processors; BAAs with them required before we can flow this through to a Covered Entity. |
| § 164.310(b) | Workstation use | Met | Managed workstations with FDE, OS-managed firewall, automatic updates, 5-min screen-lock — per /policies/onboarding §4.1. |
| § 164.310(c) | Workstation security | Met | Same controls as § 164.310(b); clear-desk and clear-screen expectations covered in the Day-1 security briefing. |
| § 164.310(d)(1) | Device and media controls | Met | Device wipe and re-imaging procedure documented at /policies/offboarding §§5, 7. Cryptographic erasure for media before reuse. |
Privacy Rule (§§ 164.500–534)
The Privacy Rule applies primarily to Covered Entities, with downstream obligations on Business Associates limited to the uses and disclosures permitted by the BAA. Glassbreak's zero-knowledge architecture means we cannot disclose plaintext PHI even if compelled — we do not hold the decryption keys — which is a strong defence but does not substitute for the documented uses-and-disclosures policy a BAA requires.
Breach Notification Rule (§§ 164.400–414)
HIPAA requires Business Associates to notify Covered Entities of a breach without unreasonable delay and in no case later than 60 days after discovery. Our published DPA commits to 72-hour notification under GDPR; we will tighten this to the HIPAA standard before signing any BAA. Notification content requirements (nature of breach, types of unsecured PHI, steps individuals should take, what we are doing to mitigate) need to be added to our incident-response procedure.
HITECH amendments and Enforcement Rule
- Enforcement penalties up to $1.5M/year per violation category; intentional violations may include criminal liability.
- Breaches affecting 500+ individuals must be reported to HHS within 60 days; breaches affecting fewer than 500 individuals are reported annually.
- Required-by-law disclosure logging.
HITRUST CSF — when it matters and where we sit
HITRUST CSF is a prescriptive control framework that maps to HIPAA, HITECH, NIST, ISO 27001, PCI-DSS, GDPR, and others. Many US health systems require their vendors to hold HITRUST certification because it lets the health system skip its own vendor risk assessment.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| e1 | HITRUST Essentials — 44 controls, 1-year cycle | Gap | Entry-level certification for low-inherent-risk vendors. Not pursued in 2026; would be the realistic first HITRUST step. |
| i1 | HITRUST Implemented — 182 controls, 1-year cycle | Gap | The common SaaS-vendor certification for moderate-risk vendors. Not pursued in 2026. |
| r2 | HITRUST Risk-based — 200–2,000 controls, 2-year cycle with interim | Gap | Gold standard required by most US hospital systems and Blue Cross / Blue Shield plans. Not pursued. Assessor fees alone $150k–$500k. |
If you are a healthcare buyer
- Do not enter PHI into the platform today. The technical controls would protect it but the contractual and procedural surround is incomplete; using a non-BAA vendor for PHI is itself a HIPAA violation.
- The platform is appropriate for operational secrets (cloud credentials, infrastructure passwords, application secrets) that are not PHI, even at a Covered Entity. This is the most common use case.
- If you need BAA coverage, write to compliance@glassbreak.io with your projected contract value and timeline. We will give you an honest answer on whether we can prioritise the work in your buying window.
Path if we pursue it
- Months 0–3 — Sign BAAs with our sub-processors; draft policies (incident response, sanction, training, contingency); implement tamper-evident audit log; mount logout route; close the audit-log retention loophole; harden admin impersonation.
- Months 3–6 — Operate the new controls; complete first formal risk analysis; run a tabletop incident exercise; run security awareness training.
- Month 6 — Begin offering BAAs to qualifying customers.
- Months 6–18 — Pursue HITRUST i1 if customer demand justifies; HITRUST r2 only with a committed healthcare enterprise contract.
Healthcare regulation is a domain where false confidence is dangerous. If anyone at Glassbreak — sales, support, or otherwise — represents that the Service is HIPAA-ready or BAA-eligible before this page is updated to say so, that representation is wrong. Email compliance@glassbreak.io and we will correct it immediately.