HIPAA compliance is woven into Harper’s DNA. Explore the safeguards, procedures, and evidence that prove we protect electronic protected health information at every layer—from governance to infrastructure and day-to-day operations.
Controls across governance, privacy, security, and resilience.
Mandatory HIPAA safeguards implemented and monitored.
Tailored safeguards with documented rationale and outcomes.
We anchor our privacy and security program with clear governance, accountable owners, and documented processes that stay aligned with the HIPAA Privacy, Security, and Breach Notification Rules.
We document where Harper serves as a Business Associate versus a Covered Entity and maintain detailed architecture diagrams that trace every stream of ePHI across our platform.
Named leaders hold written charters that outline their responsibilities for day-to-day operations, policy oversight, and board reporting.
Our policy set spans Privacy, Security, Breach Notification, sanctions, vendor governance, BYOD, telehealth, and remote work with formal version control and annual review cycles.
We maintain a living catalog of applications, services, vendors, and data stores, each tagged with the ePHI elements it touches and supporting data flow diagrams.
Employees and customers can raise privacy or security concerns through multiple channels; every submission is tracked to closure with a strict non-retaliation stance.
We run a quarterly scorecard that covers incident trends, training completion, vendor reviews, backup verification, and risk remediation progress.
Recurring tasks such as risk analysis, tabletop exercises, policy attestations, and BAA audits are scheduled, owners assigned, and completion evidenced.
Administrative controls ensure we identify, assess, and manage risks to ePHI with clear accountability across the workforce and our partners.
We perform an enterprise risk analysis at least annually and whenever major changes occur, cataloging threats to ePHI across infrastructure, applications, and people.
Mitigation plans are prioritized, funded, and tracked through closure with dashboards for leadership review.
Workforce disciplinary guidelines are documented, acknowledged, and enforced when privacy or security obligations are breached.
Security, privacy, and engineering leads jointly review audit logs, access reports, and incident metrics on a defined cadence.
A single accountable security official oversees the HIPAA program and reports progress to executive leadership.
We enforce least-privilege onboarding, periodic access reviews, and tightly scripted offboarding procedures for every role.
Role-based access controls, ticketed provisioning, and documented approvals govern all ePHI systems, including clearinghouse isolation when required.
Harper employees complete initial and annual HIPAA training, phishing simulations, and targeted modules for engineering and support teams.
Our incident response plan covers detection, escalation, containment, forensics, notifications, and retrospective learning with full documentation.
We maintain and test our ability to safeguard ePHI during service disruptions with documented response and recovery playbooks.
Automated backups are encrypted, verified daily, and replicated to a secondary region with restore drills at least twice a year.
Runbooks define RTO/RPO targets, failover procedures, and communication templates for extended outages.
We prioritize critical clinical workflows under emergency conditions to ensure patients and clinicians maintain access to essential information.
Tabletop and technical DR exercises feed improvement back into our documentation and automation.
Business impact assessments rank each system handling ePHI so recovery sequencing reflects real-world priorities.
We conduct annual security and privacy program evaluations to validate safeguards and adjust to new threats or business changes.
All vendors with ePHI access execute BAAs, undergo due diligence, and maintain downstream assurances for subcontractors.
Policies, procedures, risk analyses, training records, and incident logs are retained for no less than six years.
Physical controls protect our workplaces, workstations, and media wherever ePHI could be accessed or stored.
We operate within secured facilities, enforce badge-based entry, maintain visitor logs, and define contingency operations for alternate sites.
Acceptable use requirements cover physical placement, privacy screens, and authorized functions for devices handling ePHI.
All corporate endpoints use disk encryption, auto-lock, cable locks or secure rooms, and centralized device management.
Hardware containing ePHI is tracked end-to-end and sanitized or destroyed under strict procedures before reuse or disposal.
We follow NIST SP 800-88 Rev. 1 guidance for cryptographic erase, shredding, or degaussing, as applicable to the media type.
Any device slated for repurpose undergoes verified data sanitization before leaving secure custody.
Asset inventories record device custody, chain of possession, and attestation of sanitization.
Before relocation or maintenance, we create secure, retrievable copies of data to prevent accidental loss.
Technical controls embed security directly into our platform, ensuring only the right people and systems can access ePHI.
Authentication, authorization, and session governance policies are enforced across every Harper environment.
No shared accounts—each user has a unique ID tied to least-privilege roles and auditable approvals.
Break-glass workflows grant temporary elevated access with justifications, logging, and post-event review.
Session timeouts, device lock policies, and MDM controls reduce exposure from unattended devices.
ePHI is encrypted in transit (TLS 1.2+) and at rest using centrally managed keys with rotation schedules.
Centralized logging with immutable storage and clock synchronization captures access to ePHI and supports forensic investigations.
Checksums, signed logs, and tamper-evident storage detect unauthorized changes to critical data.
Strong authentication—including MFA for administrators and remote access—is enforced with no shared credentials.
We prevent interception or tampering of ePHI during transmission across our services and partner integrations.
Transport protocols leverage TLS, HSTS, and certificate management with continuous monitoring for downgrade attempts.
Plaintext protocols are disabled; all APIs, messaging, and storage replication flows require modern encryption.
We hardwire contractual obligations and documentation practices that stand up to audits and demonstrate accountability.
Every vendor with ePHI exposure signs a BAA detailing permitted uses, safeguards, breach notice timelines, and subcontractor flow-down clauses.
Written policies live in a centralized repository with versioning, approvals, and change management triggered by environmental shifts.
Documentation—including risk analyses, BAAs, training records, and incident reports—is retained for at least six years from last effective date.
Privacy principles shape how we collect, use, disclose, and safeguard PHI for individuals and families using Harper.
Access and disclosures are limited to the least amount of PHI required to achieve the intended purpose.
Treatment, payment, and healthcare operations activities are documented so permitted uses do not require additional authorization.
We capture, track, and honor individual authorizations for non-TPO use cases and retain documentation of revocations.
Our NPP reflects actual practices, is delivered to users, and is posted online with revision history.
Requestors must verify identity and authority before PHI is disclosed.
Processes exist to deliver access, amendments, disclosure accountings, and confidential communication preferences within regulatory timelines.
Individuals can receive electronic copies of their PHI promptly through secure channels.
Requests to amend PHI are evaluated, documented, and appended with statements of disagreement when denied.
Non-TPO disclosures are logged and can be produced on demand.
We honor reasonable requests for confidential communication through alternate contact methods, as well as the disclosure restrictions we are required to honor when an individual pays for a service out of pocket.
Disclosures that fall under special rules are handled with legal review, including consideration of de-identified data or limited data sets covered by DUAs.
Any improper use or disclosure triggers mitigation steps and corrective actions.
Privacy obligations are part of onboarding, annual refreshers, and disciplinary processes for violations.
Stricter federal and state requirements—such as 42 CFR Part 2 for SUD records—are layered into system controls as applicable.
Individuals have clear channels to submit privacy complaints and we prohibit retaliation for doing so.
Prepared playbooks ensure swift decision-making, communication, and documentation for any suspected breach of unsecured PHI.
Each incident undergoes a documented risk assessment addressing data sensitivity, unauthorized parties, likelihood of access, and mitigation.
We align encryption and destruction standards with HHS guidance to minimize scenarios that require notification.
When required, affected individuals are notified without unreasonable delay and no later than 60 days with all mandated content.
We report breaches affecting 500 or more individuals within 60 days and log smaller incidents for annual submission.
If an incident affects 500 or more residents of a single jurisdiction, we coordinate timely media notifications.
Business Associates must notify us promptly with all relevant details so we can meet our obligations.
All assessments, decisions, notifications, and remediation steps are retained for at least six years.
We extend HIPAA safeguards to every partner that touches ePHI through rigorous onboarding, oversight, and offboarding controls.
Every service provider that creates, receives, maintains, or transmits ePHI is cataloged and covered by an executed BAA, including downstream obligations.
Security questionnaires, certifications (SOC 2, HITRUST), and control validations inform onboarding decisions.
Vendors receive the minimum necessary access, and analytics or telemetry tools are only enabled when contractual protections and documented need exist.
Access is terminated promptly at contract end and vendors must attest to data return or destruction.
Cloud-native guardrails ensure our infrastructure stays hardened, observable, and resilient against evolving threats.
Managed keys reside in hardened KMS/HSM services with separation of duties and rotation policies.
TLS is enforced end-to-end with deprecated ciphers disabled and private connectivity options for internal services.
MFA, least-privilege IAM roles, periodic access reviews, and break-glass accounts protect our cloud tenants.
Logs aggregate centrally with alerting for anomalous access and long-term immutable storage.
Regular patch cycles, automated scanning, and penetration tests feed our remediation backlog.
EDR, anti-malware, and full-disk encryption are enforced on all laptops, with MDM providing the controls applied to BYOD devices.
Segmentation, WAF policies, rate limiting, and DDoS protections safeguard public and internal interfaces.
Application secrets live in vaulted stores with rotation automation—never in code repositories.
Code review, dependency scanning, SAST/DAST, and infrastructure-as-code guardrails are embedded into our pipelines.
Backups are automated, encrypted, and replicated across regions with periodic restore testing.
Retention schedules, deletion workflows, and NIST SP 800-88-aligned media sanitization cover the full data lifecycle.
Approved devices, secure Wi-Fi/VPN usage, and hardening standards support our distributed workforce.
We embrace data minimization principles so innovation never outpaces privacy protections.
Whenever feasible, secondary use cases rely on Safe Harbor or Expert Determination techniques to remove identifiers.
When de-identification is not practical, limited data sets are paired with executed Data Use Agreements.
Internal and external disclosures are scoped to the least amount of data required.
Our people are our front line—ongoing education and accountability keep privacy and security top of mind.
Every workforce member completes HIPAA and security training when hired and annually thereafter, with specialized paths for technical staff.
We run regular phishing simulations, just-in-time education, and communications that reinforce emerging risks.
Access grants, NDA attestations, equipment assignment, and device return are all tracked through checklists.
Our disciplinary policy is exercised when expectations are not met, reinforcing the seriousness of HIPAA obligations.
Prepared responders, clear communications, and regulator-ready processes minimize impact when issues arise.
Roles, severity levels, forensic preservation, and communication workflows are defined and tested.
At least annually we run realistic tabletop scenarios and capture lessons learned.
Contacts with law enforcement, regulators, and communication partners are maintained with ready-to-send templates.
Feedback loops ensure our program evolves alongside technology, threats, and regulatory expectations.
Security and privacy leaders review program maturity, control effectiveness, and regulatory alignment at planned intervals.
We audit policy adherence, entitlement reviews, and log monitoring to confirm controls are operating as intended.
Executives receive dashboards tracking open risks, time to patch, incident MTTR, and training completion.
Even before rulemaking is finalized, we are adapting to the 2025 HIPAA Security Rule NPRM to stay ahead of expectations.
Mandatory MFA, asset inventories, enhanced risk assessments, formalized incident response, vendor oversight, and network testing are already on our roadmap with owners assigned.
Comprehensive evidence backs every safeguard so we can demonstrate compliance for at least six years.
Policies, BAAs, data maps, risk analyses, remediation plans, training logs, access reviews, audit log reviews, incident records, breach notifications, backup and DR tests, vendor assessments, media sanitization certificates, and audit reports are retained with clear ownership.
Our HIPAA program is continuously audited, improved, and backed by executive oversight. Need more detail? Reach out to our privacy team for policy copies, audit reports, or to schedule a security review.