Security Governance

Security Policies

VitaAI's core security and compliance policies. All policies effective June 2026, reviewed annually by the Security Officer.


HIPAA Security Risk Management Policy

Doc ID: VTA-POL-001 Effective June 2026 Review: Annual

VitaAI conducts a formal HIPAA Security Rule risk assessment annually, aligned with HHS SRA Tool guidance and the NIST Cybersecurity Framework. The assessment covers all PHI data flows: patient portal, provider EHR integration, AI transcription pipeline, and the audit subsystem.

Risk Classification

  • Critical / High residual risk — remediation required within 30 days
  • Medium residual risk — remediation required within 90 days
  • Low residual risk — tracked and reviewed at next annual assessment
  • All risks logged in the Breach Incident Management system with assigned owner and target date

Responsible Parties

  • Risk Owner: CEO / Security Officer — Steven Wallace, Altnetix LLC
  • Technical Lead: Lead Developer
  • Review Cycle: Annual (every June) or within 30 days of a significant security incident

Current Risk Posture

As of June 2026, all identified High and Critical risks have compensating controls implemented. No unmitigated High-residual risks exist in the current assessment. Full risk register available to covered entities under NDA.


Security Incident Response Plan

Doc ID: VTA-POL-002 Effective June 2026 Review: Annual

VitaAI maintains a formal incident response plan aligned with HIPAA §164.308(a)(6) and NIST SP 800-61. The plan covers identification, containment, eradication, recovery, and post-incident review.

Incident Classification

  • P1 — Active PHI breach or ransomware: response within 1 hour, CEO and legal notified immediately
  • P2 — Suspected PHI exposure or unauthorized access: response within 4 hours
  • P3 — Security anomaly requiring investigation: response within 24 hours
  • All incidents logged in the VitaAI Breach Incident Management system (BreachController API)

HIPAA Notification Timelines

  • Individual notification: without unreasonable delay and no later than 60 days after discovery of a confirmed breach
  • HHS OCR notification: within 60 days of discovery (≥500 individuals) or in an annual log submitted within 60 days of the end of the calendar year (<500)
  • Media notification: within 60 days for breaches affecting more than 500 residents of a state or jurisdiction
  • Covered entity notification: without unreasonable delay per BAA terms (as a business associate, VitaAI's primary obligation; individual, HHS, and media notifications are coordinated with the covered entity)

Breach Risk Assessment

Each suspected breach is evaluated using the HIPAA four-factor test: (1) nature and extent of PHI involved, (2) unauthorized person who used/received PHI, (3) whether PHI was actually acquired or viewed, (4) extent to which risk has been mitigated. Documented per incident.

SOC 2 Change Management Policy

Doc ID: VTA-POL-003 Effective June 2026 Review: Annual

All changes to VitaAI's production platform follow a documented change management process aligned with SOC 2 CC5 (Control Activities) and CC8 (Change Management) criteria.

Change Categories

  • Standard Changes: pre-approved, low-risk; deployed via CI/CD pipeline with automated test gates
  • Normal Changes: require peer code review (GitHub PR approval) and security impact assessment
  • Emergency Changes: require Security Officer verbal approval; documented within 24 hours post-deployment
  • All deployments logged with commit hash, deployer identity, timestamp, and environment

Security Review Requirements

  • Changes affecting authentication, encryption, or PHI data flows require Security Officer review
  • New dependencies undergo vulnerability scan (NuGet audit / npm audit) before merge
  • Database schema changes require EF Core migration with rollback plan
  • HIPAA impact assessment required for changes to audit logging or PHI storage

Data Classification & Retention Policy

Doc ID: VTA-POL-004 Effective June 2026 Review: Annual

VitaAI classifies all data according to sensitivity and applies appropriate handling, retention, and disposal controls.

Data Classifications

  • PHI (Protected Health Information) — AES-256-GCM encrypted at rest; TLS 1.2+ in transit; 6-year WORM retention (the HIPAA §164.316(b)(2) documentation retention period; longer state medical-record retention rules apply where relevant); access restricted to authorized workforce roles
  • PII (Personally Identifiable Information) — Encrypted at rest; access-controlled; minimum necessary standard applied
  • Confidential (Internal) — Access-controlled; not transmitted to unauthorized parties; retained per business need
  • Public — No restrictions on distribution; includes this trust center content

Retention Schedule

  • PHI / Audit Logs: 6 years from creation (WORM Blob Storage — immutable)
  • Authentication tokens (revoked/expired): pruned automatically after natural token expiry
  • Patient MFA codes (used/expired): pruned after 24 hours
  • Patient refresh tokens (revoked/expired): pruned after 24 hours
  • Security policies: retained for 6 years from effective date

Data Disposal

PHI data disposal follows NIST SP 800-88 media sanitization guidelines. Azure-managed storage disposal is governed by Microsoft's certified destruction processes. Workforce endpoint disposal uses certified disk wipe or physical destruction.


Workforce HIPAA Security Training Policy

Doc ID: VTA-POL-005 Effective June 2026 Review: Annual

All Altnetix workforce members with access to PHI or PHI systems are required to complete HIPAA security awareness training, consistent with HIPAA §164.308(a)(5).

Training Requirements

  • Initial training: completed before PHI access is provisioned for any new workforce member
  • Annual refresher: required within 365 days of previous training completion
  • Incident-triggered training: required within 30 days of any confirmed PHI breach involving workforce error
  • Training completion documented with date, attendee name, and topics covered; records retained 6 years

Training Topics

  • HIPAA Privacy Rule — permitted uses and disclosures, minimum necessary standard
  • HIPAA Security Rule — administrative, physical, and technical safeguard obligations
  • VitaAI-specific controls — MFA usage, session management, device security, incident reporting
  • Phishing awareness and social engineering recognition
  • Breach reporting procedures and workforce member obligations

Sanctions

Workforce members who fail to complete required training within the mandated timeframe will have PHI system access suspended until training is completed. Violations of HIPAA policies are subject to disciplinary action up to and including termination, consistent with the workforce sanction policy.


Access Control Policy

Doc ID: VTA-POL-006 Effective June 2026 Review: Annual

VitaAI enforces role-based access control (RBAC) across all systems containing PHI, consistent with HIPAA §164.312(a) and SOC 2 CC6 criteria.

Access Provisioning

  • All PHI access requires explicit role assignment in Microsoft Entra ID (Administrator or Clinician)
  • Access requests require Security Officer approval before provisioning
  • Least-privilege principle enforced — users receive only the access required for their role
  • No shared accounts permitted; every user assigned a unique identifier

Access Termination

  • Entra ID accounts disabled within 1 business hour of employment termination notification
  • All active JWT tokens for the user immediately revoked via the RevokedTokens blocklist
  • PHI system access confirmed removed within 24 hours; verification logged
  • Termination checklist completed and archived per SOC 2 CC6.2 / CC6.3 (de-provisioning) requirements
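The token revocation step above, and the "pruned after natural token expiry" entry in the retention schedule, are shown here as an added example; this is illustrative code, not VitaAI's RevokedTokens implementation, and the class and method names, the HS256 signing, and the sample tokens are all assumptions. It demonstrates the practical point behind a blocklist-based revocation: a per-jti blocklist only rejects tokens whose identifiers were recorded, so a termination also needs a per-user cutoff that rejects every token issued before the termination instant; expired blocklist entries can then be pruned once the tokens they name can no longer validate.

```python
"""Added example (not VitaAI's code): JWT revocation via a jti blocklist
plus a per-user issuance cutoff. HS256 with a fixed key is used only so
the example runs offline; TokenRevocation and its members are assumed
names, not VitaAI identifiers."""
import base64
import hashlib
import hmac
import json
import uuid

SECRET = b"example-signing-key-not-for-production"  # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(sub: str, ttl: int, now: int) -> str:
    """Issue a compact JWT with sub/iat/exp and a random jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def claims_of(token: str) -> dict:
    """Decode the payload without verifying; only for inspection/tests."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class TokenRevocation:
    """Two revocation stores: a per-token jti blocklist and a per-user cutoff
    (every token for that user with iat before the cutoff is dead, whether
    or not its jti was ever recorded)."""

    def __init__(self):
        self.revoked_jtis = {}   # jti -> exp, so entries can be pruned after expiry
        self.user_cutoff = {}    # sub -> unix time of termination

    def revoke_token(self, jti: str, exp: int) -> None:
        self.revoked_jtis[jti] = exp

    def revoke_user(self, sub: str, at: int) -> None:
        self.user_cutoff[sub] = at

    def prune(self, now: int) -> None:
        # Retention: an entry is useless once the token it names has expired,
        # because validate() rejects expired tokens before consulting the list.
        self.revoked_jtis = {j: e for j, e in self.revoked_jtis.items() if e > now}

    def validate(self, token: str, now: int):
        """Return (ok, reason). Signature first, then expiry, then revocation."""
        try:
            h, p, s = token.split(".")
            given_sig = _b64url_decode(s)
        except (ValueError, base64.binascii.Error):
            return False, "malformed"
        # The algorithm is fixed server-side; the header's alg is never used to
        # choose a verifier, which closes the classic alg-confusion hole.
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):
            return False, "bad signature"
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return False, "alg not allowed"
        claims = json.loads(_b64url_decode(p))
        if claims["exp"] <= now:
            return False, "expired"
        if claims["jti"] in self.revoked_jtis:
            return False, "jti revoked"
        cutoff = self.user_cutoff.get(claims["sub"])
        if cutoff is not None and claims["iat"] < cutoff:
            return False, "user revoked"
        return True, "ok"


if __name__ == "__main__":
    now = 1_000_000  # constructed clock value
    store = TokenRevocation()
    tok = mint("alice", 3600, now)
    print(store.validate(tok, now + 1))
    store.revoke_user("alice", now + 10)          # termination at now+10
    print(store.validate(tok, now + 20))          # rejected without knowing its jti
```

The per-user cutoff is what makes "all active JWT tokens for the user immediately revoked" achievable without having tracked every jti at issuance; the blocklist remains useful for revoking a single token (for example one reported stolen) without locking the user out. Both checks only matter if every PHI endpoint calls `validate()` on each request rather than trusting a cached decision.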

Privileged Access

  • Azure Key Vault access via Managed Identity only — no human-held Key Vault credentials
  • Database access via application connection string only — no direct SQL admin access to production
  • Emergency (break-glass) access credentials stored in Key Vault; use generates high-severity audit event
  • Multi-factor authentication enforced for all workforce via Microsoft Entra Conditional Access

Vendor & Subprocessor Management Policy

Doc ID: VTA-POL-007 Effective June 2026 Review: Annual

VitaAI maintains oversight of all third-party vendors and subprocessors with access to PHI, consistent with HIPAA §164.308(b) and SOC 2 CC9 criteria.

Subprocessor Requirements

  • All subprocessors with PHI access must execute a Business Associate Agreement before processing begins
  • Subprocessors must maintain security controls equivalent to or exceeding those in this policy set
  • Annual security review of all active subprocessors with PHI access
  • Subprocessor list maintained and updated within 30 days of any change

Current Key Subprocessors

  • Microsoft Azure — infrastructure, database, key management, AI services (BAA executed)
  • Epic Systems — EHR integration via FHIR R4 (client's existing Epic agreement governs)
  • Resend — transactional email (patient notifications; no PHI transmitted)

Vendor Risk Assessment

New vendors with PHI access undergo a security assessment before onboarding. Assessment criteria include: SOC 2 Type II report or equivalent, data processing agreement terms, incident notification capabilities, and sub-processor controls. Assessments documented and retained 3 years.

Full policy documents available to enterprise customers and auditors under NDA. Contact steven@altnetix.com.