HIPAA
COMPLIANT

Compliance & Security

AmyloidOps is designed from the ground up to meet the rigorous security and privacy requirements of healthcare organizations managing anti-amyloid immunotherapy programs.

HIPAA Compliance

AmyloidOps operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We maintain comprehensive compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Business Associate Agreements

We execute Business Associate Agreements (BAAs) with all covered entity customers before any Protected Health Information (PHI) is processed. Our BAAs define the permitted uses and disclosures of PHI, security obligations, breach notification procedures, and data return or destruction upon termination.

Minimum Necessary Standard

AmyloidOps enforces the HIPAA minimum necessary standard through role-based access controls. Users can only access the patient data required for their specific role within the therapy program. Site-level data isolation ensures that users at one clinical site cannot access data from another site unless explicitly authorized.

Breach Notification

In the unlikely event of a data breach involving PHI, AmyloidOps will notify affected covered entities without unreasonable delay and no later than sixty (60) days following discovery of the breach, as required by the HIPAA Breach Notification Rule. Notifications include a description of the breach, the types of information involved, recommended protective steps, and our remediation actions.

Security Safeguards

We implement a comprehensive set of safeguards aligned with HIPAA Security Rule requirements and industry best practices.

Technical Safeguards

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • Role-based access controls with site-level isolation
  • Automatic session timeout and secure authentication
  • Regular vulnerability scanning and penetration testing
  • Multi-tenant architecture with logical data separation

Administrative Safeguards

  • Designated privacy and security officers
  • Workforce training on HIPAA and data handling
  • Documented policies and procedures for all PHI operations
  • Regular risk assessments and compliance audits
  • Incident response and breach notification procedures
  • Business Associate Agreements with all subcontractors

Physical Safeguards

  • SOC 2 Type II certified cloud infrastructure
  • Geographically redundant data centers within the United States
  • Physical access controls and surveillance at data centers
  • Environmental protections (fire suppression, climate control)
  • Automated backups with encrypted off-site storage
  • Disaster recovery with defined RPO and RTO targets

Audit Trail & Accountability

Every action taken within AmyloidOps is recorded in a comprehensive, tamper-resistant audit log. This includes:

  • User authentication events (login, logout, failed attempts)
  • All data access, creation, modification, and deletion events
  • Clinical workflow state transitions (clearances, holds, overrides)
  • Administrative actions (role changes, site assignments)
  • Data exports and report generation

Audit logs are retained for a minimum of six (6) years and are available for export by authorized administrators for compliance reviews and regulatory inquiries.

Data Residency & Infrastructure

All AmyloidOps data, including PHI, is stored exclusively within the United States. Our infrastructure is hosted on SOC 2 Type II certified cloud platforms with:

  • Geographically redundant data centers for high availability
  • Automated backups with point-in-time recovery capabilities
  • 99.9% uptime SLA for production environments
  • Isolated database instances per customer for data segregation

Third-Party Subprocessors

AmyloidOps uses a limited set of third-party service providers to operate the Service. All subprocessors that handle PHI are bound by Business Associate Agreements and are evaluated for their security and compliance posture. Key categories include:

  • Cloud infrastructure: Hosting, compute, and database services (US-based, SOC 2 certified)
  • Email delivery: Transactional email for system notifications (no PHI in email content)
  • Authentication: Secure identity and session management

A complete list of subprocessors is available to customers upon request and is included as an exhibit to the BAA.

Incident Response

AmyloidOps maintains a documented incident response plan that includes:

  • 24/7 monitoring of infrastructure and application security events
  • Defined escalation procedures and response team roles
  • Root cause analysis and remediation for all security incidents
  • Post-incident review and process improvement
  • Communication protocols for notifying affected parties

Regulatory Alignment

In addition to HIPAA, AmyloidOps is designed with awareness of the following regulatory frameworks:

  • HITECH Act: Enhanced enforcement and breach notification requirements
  • 42 CFR Part 2: Protections for substance use disorder records where applicable
  • State privacy laws: Compliance with state-level health data privacy requirements
  • CMS/CED requirements: Support for Coverage with Evidence Development data collection and reporting

Questions & Requests

For compliance inquiries, BAA requests, or security assessments, please contact us:

AmyloidOps Compliance Team
Email: compliance@amyloidops.com

See also our Privacy Policy and Terms of Service.