HIPAA
Business associate. Gable Digital Solutions, Inc., a Delaware corporation, is the legal entity that operates the Backbuild platform and signs the Business Associate Agreement with HIPAA-covered customers. Backbuild is a product and division of Gable Digital Solutions, Inc.
Overview
The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (the Privacy, Security, and Breach Notification Rules) apply to US healthcare entities and their business associates that create, receive, maintain, or transmit Protected Health Information (PHI). Customers operating in regulated healthcare contexts may process PHI on the Backbuild platform only under an executed Business Associate Agreement with Gable Digital Solutions, Inc.
Current status
HIPAA-aligned — BAA available
Gable Digital Solutions, Inc. has implemented controls aligned to the HIPAA Security Rule on the Backbuild platform and offers a Business Associate Agreement to qualifying customers. Without an executed BAA, PHI may not be uploaded, stored, or processed on the platform, and the service must be used for non-PHI workloads only.
Administrative safeguards (§164.308)
- Security management process: documented risk analysis, risk management plan, sanction policy, and information system activity review.
- Workforce security and access management: role-based authorization, background checks, onboarding and termination procedures, and periodic access reviews.
- Security awareness and training: mandatory onboarding training and annual refresher training for all workforce members with access to systems that may process PHI.
- Contingency planning: data backup plan, disaster recovery plan, emergency mode operations plan, and periodic testing.
- Security incident procedures: documented incident response runbooks, severity classification, and post-incident review.
Physical safeguards
Gable Digital Solutions, Inc. does not operate its own physical data centers. The Backbuild platform's infrastructure runs on Cloudflare, which publishes its own SOC 2 and ISO 27001 reports, available from Cloudflare directly. Gable Digital Solutions, Inc.'s own SOC 2 Type II and ISO 27001 certifications are in progress; see the compliance overview for current status. Cloudflare's facility controls (facility access controls, workstation security, device and media controls, and environmental protections) are documented in our shared responsibility matrix.
Technical safeguards (§164.312)
- Access control: unique user identification, emergency access procedures, automatic session logoff, and encryption and decryption of PHI at rest and in transit.
- Audit controls: tamper-evident hash-chained audit logs of access to and activity on systems that may contain PHI, retained according to contractual and regulatory requirements.
- Integrity: mechanisms to authenticate and detect improper alteration or destruction of electronic PHI, including cryptographic integrity checks on audit records and backups.
- Transmission security: TLS 1.2 or higher for all data in transit, with modern cipher suites and certificate management.
Breach notification
In the event of a confirmed or suspected breach of unsecured PHI, Backbuild will notify affected BAA signatories within 24 hours of discovery and provide a written report containing the information required by §164.410 within 60 days, including the nature of the breach, the PHI involved, mitigation steps taken, and recommendations for the covered entity's notification obligations.
Business Associate Agreement
A standard Business Associate Agreement is available on request to qualifying customers. The BAA defines permitted uses and disclosures, safeguards, reporting obligations, subcontractor requirements, and termination provisions consistent with 45 CFR §164.504(e). See our BAA page for the current template and instructions.
No BAA, no PHI. Customers without an executed BAA must not upload or process PHI on the platform.
Contact
For BAA requests, safeguard documentation, or compliance questions: security@backbuild.ai