Last updated: June 2, 2026. This page reflects the current state of VitaAI's security program. All technical controls described below are implemented in production code and Azure infrastructure. Process items (policies, training records, audit firm engagement) are administrative work tracked by the Altnetix security team.
HIPAA Security Rule — 45 CFR Part 164
| CFR Reference | Requirement | Status | Implementation / Notes |
|---|---|---|---|
| §164.308(a)(1) | Risk Analysis & Management | ✓ Done | HIPAA Risk Management Plan on file (June 2026). Annual review cycle. HHS SRA Tool assessment completed. |
| §164.308(a)(2) | Security Officer Assigned | ✓ Done | Steven Wallace, CEO/Founder — designated HIPAA Security Officer, Altnetix LLC. |
| §164.308(a)(3) | Workforce Security | ✓ Done | Entra ID provisioning/deprovisioning; immediate token revocation on termination; background check policy. |
| §164.308(a)(4) | Information Access Management | ✓ Done | Code-enforced RBAC (ProviderOnly / PatientOnly policies); no shared accounts; Entra ID role management. |
| §164.308(a)(5) | Security Awareness & Training | ◑ Partial | Workforce Training Policy written (June 2026). First documented training session to be completed by Aug 2026 with attendance records. |
| §164.308(a)(6) | Security Incident Procedures | ✓ Done | Incident Response Plan (June 2026). Built-in Breach Incident Management API with 60-day HHS deadline tracking. |
| §164.308(a)(7) | Contingency Plan | ◑ Partial | Azure geo-redundant backups; blue/green deployment; DR documented. Formal DR test report template & BIA document in progress (target: Q3 2026). |
| §164.308(a)(8) | Evaluation | ✓ Done | Annual self-assessment conducted; automated vulnerability scanning in CI/CD; third-party pen test scheduled for Q3 2026. |
| §164.308(b) | Business Associate Contracts | ✓ Done | Microsoft Azure BAA executed (covers SQL, Blob, Service Bus, Key Vault, App Insights, Azure OpenAI). BAA template available for covered entities. |
| §164.310(a–d) | Physical Safeguards | ✓ Done | 100% Azure-hosted — no on-premises PHI infrastructure. Azure SOC 2 / ISO 27001 certified data centers. Workforce endpoint MDM + FDE policy. |
| §164.312(a)(1) | Access Control | ✓ Done | JWT Bearer auth on all PHI endpoints; RBAC policies enforced at middleware; unique user IDs (Entra OID + internal UUID). |
| §164.312(a)(2)(iii) | Automatic Logoff | ✓ Done | 60-min JWT expiry; server-side revocation table (RevokedTokens); tokens stored in sessionStorage — cleared on tab/browser close. |
| §164.312(a)(2)(iv) | Encryption & Decryption | ✓ Done | AES-256-GCM field-level encryption on 25+ PHI strings; per-tenant DEK via Azure Key Vault RSA-4096 master key; Azure SQL TDE. |
| §164.312(b) | Audit Controls | ✓ Done | Hash-chained AuditMiddleware on every request; 6-year WORM Blob archive; PHI auto-flagging on 20+ route patterns; auth event classification. |
| §164.312(c) | Integrity Controls | ✓ Done | AES-GCM auth tag on every encrypted field; SHA-256 audit hash chain; TLS AEAD cipher suites in transit; input sanitization filter. |
| §164.312(d) | Person / Entity Authentication | ✓ Done | Entra ID MFA (Conditional Access); SAML 2.0 (signed assertions); patient JWT (HS256 + lockout + rate limiting). SmartAuth prevents cross-role token reuse. |
| §164.312(e) | Transmission Security | ✓ Done | HTTPS redirect enforced; HSTS preload (1 year + subdomains); TLS 1.2+ minimum; forward secrecy (ECDHE); WSS for WebSocket. |
| §164.316(b) | Policy Documentation | ◑ Partial | Core policies written (Risk Management, Incident Response, Change Management, Data Classification, Workforce Training — June 2026). Formal document management system with retention labels in progress (target: Q4 2026). |
| §164.400–414 | Breach Notification Rule | ✓ Done | Built-in incident module; individual + HHS + media notification deadlines tracked; dashboard flags overdue notifications; HHS submission IDs recorded. |
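The hash-chained audit log named in the §164.312(b) and §164.312(c) rows, as an added illustration of the technique (not VitaAI's AuditMiddleware): each record's SHA-256 covers its own fields plus the previous record's hash, so verify_chain reports the index of the first altered or removed record. The record fields, user names and PHI route patterns are constructed assumptions for the example.

```python
import hashlib
import json
import re

GENESIS = "0" * 64  # prev-hash value for the first record in the chain

# Constructed route patterns assumed to touch PHI (hypothetical; the page says 20+ exist, not which).
PHI_ROUTES = [re.compile(p) for p in (r"^/api/patients/\d+", r"^/api/fhir/", r"^/api/notes/")]


def touches_phi(path: str) -> bool:
    """Auto-flag a request as PHI access when its path matches a known PHI route."""
    return any(p.search(path) for p in PHI_ROUTES)


def _digest(entry: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so the hash is deterministic."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_entry(chain: list, ts: str, user: str, method: str, path: str, status: int) -> dict:
    """Append one audit record whose hash covers its fields and the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"ts": ts, "user": user, "method": method, "path": path,
             "status": status, "phi": touches_phi(path), "prev": prev}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev") != expected_prev or _digest(body) != e.get("hash"):
            return False, i
        expected_prev = e["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Three constructed requests, recorded the way a per-request audit middleware would."""
    chain = []
    for rec in (("2026-06-02T14:00:00Z", "dr.lee", "GET", "/api/patients/42", 200),
                ("2026-06-02T14:00:05Z", "dr.lee", "POST", "/api/notes/42", 201),
                ("2026-06-02T14:00:09Z", "monitor", "GET", "/api/health", 200)):
        append_entry(chain, *rec)
    return chain
```

Note that the chain alone cannot detect removal of the newest records (truncating the tail leaves a valid chain); that gap is what an immutable archive such as the WORM Blob store in the same row closes.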
SOC 2 Trust Services Criteria
SOC 2 Type II requires 6–12 months of auditor observation. The clock starts when a licensed CPA firm is engaged. VitaAI's technical controls map strongly to the Trust Services Criteria; the remaining work is administrative documentation and engaging the audit firm. Target: SOC 2 Type II report by Q2 2027.
| TSC | Criteria | Status | Notes |
|---|---|---|---|
| CC6 | Logical & Physical Access Controls | ✓ Strong | RBAC, MFA, unique IDs, token revocation, session timeout, device tracking — all implemented in production. |
| CC7 | System Operations & Monitoring | ✓ Strong | Application Insights (telemetry + alerting); hash-chained audit logs; breach incident module; rate limiting and anomaly detection. |
| CC9 | Risk Mitigation | ✓ Strong | Input validation, parameterized queries, CSP, XSS prevention, HTTPS/HSTS, rate limiting, AES-256-GCM encryption — all production-active. |
| CC1 | Control Environment (Org Structure) | ◑ In Progress | Security Officer designated. Formal org chart and board oversight documentation in progress (Q3 2026). |
| CC2 | Communication & Information | ◑ In Progress | Security policies written (June 2026). Formal distribution and acknowledgment tracking needed (Q3 2026). |
| CC3 | Risk Assessment | ✓ Done | HIPAA Risk Management Plan completed June 2026; aligned to NIST CSF. Annual review cycle established. |
| CC4 | Monitoring Activities (Internal Audit) | ⬜ Planned | Formal internal control monitoring program and quarterly review cadence to be established Q3 2026. |
| CC5 | Control Activities (Change Management) | ✓ Done | SOC 2 Change Management Policy written (June 2026); GitHub PR review process; CI/CD pipeline gates in place. |
| CC8 | Vendor Management | ◑ In Progress | Microsoft Azure BAA executed. Formal vendor risk assessment register and annual review cadence to be established Q3 2026. |
| A1 | Availability | ✓ Strong | Azure SQL failover (RPO <5min, RTO <1hr); App Service blue/green; health check endpoints; Application Insights uptime alerts. |
| — | Audit Firm Engagement | ⬜ Not Started | Target: engage CPA/audit firm Q3 2026 to begin observation period. 6-month observation → Type II report target Q2 2027. |
PII & Privacy Compliance
| Framework | Requirement | Status | Notes |
|---|---|---|---|
| HIPAA Privacy Rule | Minimum Necessary Standard | ✓ Done | API scopes limit PHI returned per request; FHIR R4 queries scoped to active clinical session only. |
| HIPAA Privacy Rule | De-identification (§164.514) | ✓ Done | PHI Redaction Telemetry Initializer strips 18 Safe Harbor identifiers from all Application Insights telemetry before transmission. |
| CCPA / US State Laws | Right to Delete / Right to Know | ◑ In Progress | Data Classification & Retention Policy written (June 2026). Formal data subject request workflow and privacy policy publication in progress (target: Q3 2026). |
| All Frameworks | Privacy Policy Published | ⬜ Planned | Privacy policy drafted; legal review and publication target Q3 2026. |
| All Frameworks | Data Retention & Deletion | ✓ Done | Data Classification & Retention Policy (June 2026). Automated pruning: RevokedTokens, PatientRefreshTokens, MFA codes, AuditLogs SQL cache — all on scheduled cleanup job. |
Path to SOC 2 Type II — Target: Q2 2027
Technical Controls Implemented — Complete
AES-256-GCM encryption, immutable audit logs, MFA, RBAC, breach management, TLS/HSTS, input validation, PHI redaction, token revocation with automated pruning.
Core Policy Documentation — Complete
HIPAA Risk Management Plan, Incident Response Plan, SOC 2 Change Management Policy, Data Classification & Retention Policy, Workforce Training Policy — all written June 2026.
Administrative Process Completion — In Progress
Conduct and document first workforce HIPAA training session; complete BIA document; establish vendor risk register; implement document management with 6-year retention; complete DR test report.
Third-Party Penetration Test — Scheduled
Annual penetration test of API authentication, authorization, injection vectors, and data exposure. Findings to be remediated prior to SOC 2 audit.
SOC 2 Readiness Assessment + Audit Firm Engagement
Engage licensed CPA firm; complete readiness gap assessment; begin formal evidence collection and observation period.
SOC 2 Type II Observation Period
6-month minimum observation period during which the audit firm validates that controls operate effectively over time. Evidence collected continuously.
SOC 2 Type II Report Issued
Independent auditor issues SOC 2 Type II attestation report covering Security, Availability, and Confidentiality trust services criteria.
Have questions about our compliance posture, or want to request copies of policies under NDA? Contact steven@altnetix.com. A signed BAA can be executed before any PHI is processed.