
HIPAA Compliance

Effective Date: March 13, 2026  |  Last Updated: March 13, 2026

1. Our Commitment to HIPAA Compliance

DatoBridge, Inc. ("DatoBridge," "we," "us," or "our") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, the "HIPAA Rules").

This page describes our compliance program, the safeguards we implement, and how we fulfill our obligations as a Business Associate under the HIPAA Rules. It is intended to provide transparency to our customers — including covered entities and their business associates — about our approach to healthcare data protection.

2. HIPAA Overview

2.1 What Is HIPAA

HIPAA is a federal law that establishes national standards for the protection of individually identifiable health information. The HIPAA Rules include:

  • Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164): Establishes standards for the use and disclosure of PHI and grants individuals rights over their health information.
  • Security Rule (45 CFR Part 160 and Subparts A and C of Part 164): Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI ("ePHI").
  • Breach Notification Rule (45 CFR Part 160 and Subpart D of Part 164): Requires notification to affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI.
  • HITECH Act: Strengthens HIPAA enforcement, extends direct liability to business associates, and increases penalties for non-compliance.

2.2 What Is PHI

Protected Health Information is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. PHI includes 18 categories of identifiers (such as names, dates, Social Security numbers, medical record numbers, and health plan beneficiary numbers) when linked to health information.

3. Our Role as a Business Associate

When DatoBridge processes, transmits, or otherwise handles PHI on behalf of a covered entity (such as a health plan, healthcare clearinghouse, or healthcare provider) or another business associate, we function as a Business Associate under HIPAA.

As a Business Associate, DatoBridge is directly subject to the HIPAA Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule. We accept and fulfill these obligations through:

  • Execution of Business Associate Agreements ("BAAs") with all applicable customers.
  • Implementation of comprehensive administrative, physical, and technical safeguards.
  • Ongoing risk analysis and compliance monitoring.
  • Workforce training on HIPAA policies and procedures.

4. Zero PHI Storage Architecture

A foundational element of our HIPAA compliance program is our zero PHI storage architecture. DatoBridge is designed so that PHI is never persisted on our infrastructure:

  • Pass-Through Streaming: Healthcare data is fetched from source systems (payor portals, SFTP servers, EMR systems) and streamed directly to the customer's designated storage destination. Data passes through DatoBridge in encrypted memory buffers and is not written to disk.
  • No PHI at Rest: Because PHI is never stored on DatoBridge systems, the risk of a data breach involving stored PHI is eliminated at the architectural level.
  • Metadata Only: DatoBridge retains only operational metadata (file names, timestamps, transfer status, file sizes) necessary for audit logging, job management, and customer reporting. This metadata does not contain clinical or individually identifiable health information.

This architecture significantly reduces the attack surface and minimizes the scope of PHI exposure, providing a security posture that exceeds what many conventional data processing platforms offer.

5. Administrative Safeguards

In accordance with 45 CFR 164.308, DatoBridge maintains the following administrative safeguards:

5.1 Security Management Process

  • Risk Analysis: We conduct comprehensive risk assessments at least annually and whenever significant changes are made to our systems or operations. These assessments identify potential threats and vulnerabilities to ePHI and inform our risk mitigation strategies.
  • Risk Management: We implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level.
  • Sanction Policy: We maintain and enforce a sanction policy for workforce members who violate our HIPAA policies and procedures.
  • Information System Activity Review: We regularly review audit logs, access reports, and security incident tracking reports.

5.2 Assigned Security Responsibility

DatoBridge has designated a HIPAA Security Officer who is responsible for the development and implementation of our HIPAA Security Rule compliance program, including policies, procedures, and safeguards.

5.3 Workforce Security and Training

  • All workforce members complete HIPAA security and privacy training upon hire and annually thereafter.
  • Access to systems that may encounter PHI is restricted to authorized personnel based on job function and the minimum necessary standard.
  • Workforce members are subject to background checks and must acknowledge our HIPAA policies in writing.
  • Procedures are in place to terminate access promptly when a workforce member's employment ends or their role changes.

5.4 Contingency Planning

  • Data Backup Plan: While DatoBridge does not store PHI, we maintain backup procedures for our operational systems and configurations.
  • Disaster Recovery Plan: Documented procedures for restoring any lost data and service functionality following an emergency or disaster.
  • Emergency Mode Operation Plan: Procedures to enable continuation of critical business processes during an emergency.
  • Testing and Revision: Contingency plans are tested periodically and revised based on test results.

5.5 Evaluation

We perform periodic technical and non-technical evaluations to assess the extent to which our security policies and procedures meet the requirements of the HIPAA Security Rule, based on standards implemented and any environmental or operational changes.

6. Physical Safeguards

In accordance with 45 CFR 164.310, DatoBridge maintains the following physical safeguards:

  • Cloud Infrastructure: DatoBridge services are hosted on enterprise-grade cloud infrastructure providers that maintain SOC 2 Type II, ISO 27001, and HIPAA-compliant data center certifications. These facilities employ multi-layered physical security controls including biometric access, 24/7 surveillance, and environmental controls.
  • Workstation Security: Employee workstations are encrypted, require multi-factor authentication, and are subject to automatic screen lock policies. Remote access requires VPN with MFA.
  • Device and Media Controls: Procedures govern the receipt, removal, and disposal of hardware and electronic media. All storage media are securely wiped or destroyed before disposal.

7. Technical Safeguards

In accordance with 45 CFR 164.312, DatoBridge implements the following technical safeguards:

7.1 Access Controls

  • Unique User Identification: Each user is assigned a unique identifier for tracking system access and activity.
  • Role-Based Access Control (RBAC): Access permissions are granted based on organizational role and the minimum necessary standard.
  • Multi-Factor Authentication (MFA): MFA is required for all access to production systems and administrative consoles.
  • Automatic Logoff: Sessions are automatically terminated after a defined period of inactivity.
  • Emergency Access Procedure: Documented procedures exist for obtaining access to ePHI during an emergency.

7.2 Encryption

  • Data in Transit: All data transmissions are encrypted using TLS 1.2 or higher. PHI streams are further encrypted using AES-256-GCM.
  • Data at Rest: While DatoBridge does not store PHI, all operational data, credentials, and configurations are encrypted at rest using AES-256-GCM with per-organization key derivation via HKDF.
  • Key Management: Encryption keys are managed through a secure key management system with regular rotation schedules and strict access controls.

7.3 Audit Controls

  • Comprehensive audit logging records all system access, data transfers, configuration changes, and security-relevant events.
  • Audit logs are immutable, tamper-evident, and retained in accordance with our retention policies and applicable legal requirements.
  • Logs are reviewed regularly and monitored for anomalous activity using automated alerting systems.

7.4 Integrity Controls

  • Mechanisms are in place to authenticate ePHI and verify that it has not been altered or destroyed in an unauthorized manner during transmission.
  • Checksums and hash verification are used to ensure data integrity during pass-through streaming operations.
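Sections 4 and 7.4 describe pass-through streaming with hash verification: data is moved from source to destination in memory buffers, never written to local disk, and checked against a digest before it is accepted. The Go program below is an added example of that pattern written for this page, not DatoBridge's implementation; the page does not say which hash, chunk size or interfaces the product uses, so the `PassThrough` function, the SHA-256 choice, the 4 KiB chunk size and the in-memory `bytes.Buffer` standing in for the customer's storage destination are all assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// PassThrough streams src to dst in fixed-size in-memory chunks, holding at
// most one chunk at a time and hashing every byte as it goes by. It returns
// the byte count and the hex SHA-256 of the whole stream. If expectedHex (the
// digest published by the source system) is non-empty and does not match,
// an error is returned so the caller can discard the destination object.
func PassThrough(dst io.Writer, src io.Reader, chunkSize int, expectedHex string) (int64, string, error) {
	h := sha256.New()
	buf := make([]byte, chunkSize)
	var total int64
	for {
		n, rerr := src.Read(buf)
		if n > 0 {
			h.Write(buf[:n]) // hash.Hash.Write never returns an error
			if _, werr := dst.Write(buf[:n]); werr != nil {
				return total, "", werr
			}
			total += int64(n)
		}
		if rerr == io.EOF {
			break
		}
		if rerr != nil {
			return total, "", rerr
		}
	}
	got := hex.EncodeToString(h.Sum(nil))
	if expectedHex != "" && !strings.EqualFold(got, expectedHex) {
		return total, got, fmt.Errorf("integrity check failed: source digest %s, streamed digest %s", expectedHex, got)
	}
	return total, got, nil
}

func main() {
	// Constructed sample "report" standing in for a file fetched from a payor portal.
	report := strings.Repeat("claim,2026-01-01,paid\n", 1000)
	sourceDigest := sha256.Sum256([]byte(report))
	want := hex.EncodeToString(sourceDigest[:])

	var dest bytes.Buffer // stands in for the customer's storage destination
	n, digest, err := PassThrough(&dest, strings.NewReader(report), 4096, want)
	fmt.Printf("streamed %d bytes, sha256=%s, err=%v\n", n, digest, err)

	// A stream that was altered in transit fails verification and must not be kept.
	var dest2 bytes.Buffer
	_, _, err = PassThrough(&dest2, strings.NewReader(report+"x"), 4096, want)
	fmt.Println("altered stream:", err)
}
```

Because the digest is only known once the last chunk has passed, a real destination writer should upload to a staging object and commit it only after `PassThrough` returns without error; otherwise a corrupted file is already in place when the mismatch is detected.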

7.5 Transmission Security

  • All network communications involving PHI are encrypted end-to-end.
  • SFTP connections use SSH-2 with strong cipher suites and key-based authentication.
  • API communications are conducted exclusively over HTTPS with certificate verification.

8. Business Associate Agreements

DatoBridge enters into a Business Associate Agreement ("BAA") with each covered entity and business associate customer before processing any PHI. Our BAAs address:

  • Permitted uses and disclosures of PHI, limited to those necessary to perform the services specified in the underlying service agreement.
  • Obligations to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
  • Requirements to report security incidents and breaches of unsecured PHI.
  • Obligations regarding subcontractors who may access PHI.
  • Requirements to make PHI available to satisfy individuals' rights under the HIPAA Privacy Rule.
  • Return or destruction of PHI upon termination of the agreement.
  • Compliance with the HITECH Act and applicable state healthcare privacy laws.

To request a BAA, please contact us at compliance@datobridge.com.

9. Breach Notification

In accordance with 45 CFR Part 164, Subpart D, and the HITECH Act, DatoBridge maintains comprehensive breach notification procedures:

9.1 Incident Detection and Response

  • We maintain a formal Security Incident Response Plan ("SIRP") that defines roles, responsibilities, and procedures for detecting, investigating, containing, and remediating security incidents.
  • Automated monitoring and alerting systems provide real-time detection of potential security incidents.
  • All suspected incidents are immediately escalated to the Security Officer and investigated.

9.2 Breach Notification Obligations

If DatoBridge discovers a breach of unsecured PHI, we will:

  • Notify the affected covered entity without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule.
  • Provide all information required for the covered entity to fulfill its own notification obligations, including the nature of the breach, the types of PHI involved, recommended steps for affected individuals, and the corrective actions taken.
  • Cooperate with the covered entity in investigating the breach and mitigating its effects.

9.3 Breach Risk Assessment

We follow the four-factor risk assessment specified in 45 CFR 164.402 to determine whether an impermissible use or disclosure constitutes a breach requiring notification:

  • The nature and extent of the PHI involved.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

10. Subcontractor Management

DatoBridge ensures that all subcontractors who may create, receive, maintain, or transmit PHI on our behalf are bound by appropriate agreements that include the same HIPAA obligations imposed on us:

  • We conduct due diligence on subcontractors' security practices and HIPAA compliance posture before engagement.
  • We execute Business Associate Agreements or equivalent contractual protections with all applicable subcontractors.
  • We periodically review subcontractor compliance and security certifications.
  • Our cloud infrastructure providers maintain independently audited SOC 2 Type II and HIPAA compliance certifications.

11. Patient Rights

DatoBridge supports covered entities in fulfilling their obligations under the HIPAA Privacy Rule with respect to individual rights. As a Business Associate operating under a zero PHI storage model, our support includes:

  • Right of Access: Cooperating with covered entities to provide individuals with access to their PHI upon request, to the extent such PHI is maintained by DatoBridge.
  • Right to Amendment: Assisting covered entities in amending PHI as directed.
  • Right to an Accounting of Disclosures: Maintaining records of disclosures of PHI as required and providing such records to covered entities upon request.
  • Right to Request Restrictions: Complying with restrictions on the use or disclosure of PHI as directed by covered entities.

Because DatoBridge does not persistently store PHI, individual rights requests are typically fulfilled by the covered entity using data in their own systems. We will cooperate fully with any such requests.

12. Compliance with State Healthcare Privacy Laws

In addition to federal HIPAA requirements, DatoBridge complies with applicable state healthcare privacy and data breach notification laws, including but not limited to:

  • California: California Confidentiality of Medical Information Act (CMIA), California Consumer Privacy Act (CCPA/CPRA).
  • Texas: Texas Medical Records Privacy Act, Texas Identity Theft Enforcement and Protection Act.
  • New York: New York SHIELD Act, Public Health Law Article 27-F.
  • Florida: Florida Information Protection Act of 2014.

Where state law provides greater protections than HIPAA, we comply with the more stringent requirements.

13. Ongoing Compliance Activities

DatoBridge maintains an active HIPAA compliance program that includes:

  • Annual Risk Assessments: Comprehensive reviews of administrative, physical, and technical safeguards to identify and address vulnerabilities.
  • Policy and Procedure Reviews: Periodic review and update of all HIPAA-related policies and procedures to reflect changes in regulations, technology, and business operations.
  • Workforce Training: Annual HIPAA training for all employees, with additional role-specific training for personnel with access to systems that process PHI.
  • Penetration Testing: Regular third-party penetration testing of our systems and infrastructure.
  • Vulnerability Scanning: Continuous automated vulnerability scanning with prompt remediation of identified issues.
  • Compliance Audits: Periodic internal and external audits to verify adherence to the HIPAA Rules and our own policies.
  • Regulatory Monitoring: Ongoing monitoring of changes to HIPAA regulations, HHS guidance, and enforcement trends to ensure continued compliance.

14. Security Certifications and Standards

In addition to HIPAA compliance, DatoBridge aligns with the following industry standards and frameworks:

  • SOC 2 Type II: Our operational controls are designed to meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
  • AES-256 Encryption: All sensitive data is encrypted using AES-256-GCM, the gold standard for symmetric encryption adopted by the U.S. government.
  • NIST Cybersecurity Framework: Our security program is aligned with the NIST CSF, providing a structured approach to identifying, protecting, detecting, responding to, and recovering from cybersecurity threats.

15. Reporting Concerns

If you become aware of a potential HIPAA violation, security incident, or data breach involving DatoBridge, please report it immediately:

  • Email: compliance@datobridge.com
  • Security Incidents: security@datobridge.com

We take all reports seriously and will investigate promptly. DatoBridge prohibits retaliation against any individual who reports a HIPAA concern in good faith.

16. Contact Us

For questions about our HIPAA compliance program, to request a Business Associate Agreement, or for any other compliance-related inquiries, please contact us:

  • Email: compliance@datobridge.com
  • Mail: DatoBridge, Inc., Attn: HIPAA Compliance Officer
  • Web: www.datobridge.com/contact
© 2026 DatoBridge. All rights reserved.