Information Security & HIPAA Compliance

At AtPost Portal by Amsler Labs LLC, we understand that healthcare professionals require the highest standards of data security and privacy. This page details our comprehensive security measures, compliance certifications, and commitment to protecting your information.

AtPost Portal by Amsler Labs LLC is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including:

• HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)
• HIPAA Security Rule (45 CFR Part 164, Subpart C)
• HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

Business Associate Agreements (BAA)

We have executed Business Associate Agreements with all third-party service providers that may access or process potentially sensitive data:

• Supabase (database and authentication provider) - HIPAA-compliant with executed BAA
• Cloud hosting providers - Secure infrastructure with BAA in place
• Email service providers - Transactional email with appropriate safeguards

These agreements ensure that all vendors handling data maintain HIPAA-compliant practices and security standards.

No Protected Health Information (PHI)

HIPAA-Compliant Features

• Minimum Necessary: Access controls ensure users only see data necessary for their role
• Audit Trails: Comprehensive logging of all data access and modifications
• Data Retention: 6-year minimum retention for audit logs as required by HIPAA
• Secure Authentication: Multi-factor authentication (MFA) available for all users
• Breach Notification: Documented procedures for timely notification (within 60 days)

Encryption

Authentication & Authorization

• Secure Password Storage: Passwords hashed using bcrypt with adaptive cost factor
• Multi-Factor Authentication (MFA): TOTP-based 2FA available for all users
• Session Management: Secure, encrypted session tokens with automatic expiration
• Role-Based Access Control (RBAC): Granular permissions based on user roles
• Password Requirements: Minimum 8 characters, complexity requirements enforced
• Account Lockout: Automatic lockout after repeated failed login attempts

Network Security

• Firewall Protection: Web application firewall (WAF) filtering malicious traffic
• DDoS Mitigation: Distributed denial-of-service attack protection
• Intrusion Detection: Real-time monitoring for suspicious activity
• Rate Limiting: API rate limits to prevent abuse
• IP Whitelisting: Available for enterprise customers

Vulnerability Management

• Regular security assessments and penetration testing
• Automated vulnerability scanning
• Dependency monitoring for third-party libraries
• Prompt patching of identified vulnerabilities
• Secure software development lifecycle (SDLC)

Security Policies & Procedures

We maintain comprehensive written policies covering:

• Information security management
• Data classification and handling
• Access control and user provisioning
• Incident response and breach notification
• Business continuity and disaster recovery
• Vendor management and third-party risk

Security Governance

• Privacy Officer: Designated individual responsible for HIPAA compliance
• Security Officer: Oversees technical security measures
• Risk Assessments: Regular evaluation of security risks and controls
• Policy Reviews: Annual review and updates of security policies

Employee Training

• HIPAA training for all employees with data access
• Security awareness training (phishing, social engineering)
• Role-specific security training
• Regular refresher training
• Acknowledgment and tracking of training completion

Background Checks

All employees with access to sensitive systems undergo:

• Background verification before employment
• Reference checks
• Signed confidentiality agreements
• Immediate access revocation upon termination

While we operate as a cloud-based service, our infrastructure providers maintain stringent physical security:

Data Center Security

• Facility Access: 24/7 monitored access with biometric authentication
• Video Surveillance: Continuous recording of all sensitive areas
• Security Personnel: On-site security staff at all data centers
• Visitor Logs: All visitors screened and escorted

Environmental Controls

• Climate Control: Temperature and humidity monitoring
• Fire Suppression: Advanced fire detection and suppression systems
• Power Redundancy: Uninterruptible power supply (UPS) and backup generators
• Network Redundancy: Multiple internet service providers (ISPs)

Workstation Security

• Device encryption on all company laptops
• Automatic screen lock after inactivity
• Mobile device management (MDM) policies
• Secure disposal of decommissioned equipment

Principle of Least Privilege

Access to data and systems is granted based on:

• Role-Based Access: Permissions tied to job functions
• Minimum Necessary: Users only access data required for their role
• Just-in-Time Access: Temporary elevated privileges when needed
• Regular Reviews: Quarterly access reviews and recertification

User Lifecycle Management

• Provisioning: Formal approval process for new accounts
• Modification: Changes tracked and approved by managers
• Deprovisioning: Immediate revocation upon termination or role change
• Dormant Accounts: Automatic deactivation after 90 days of inactivity

Administrative Access

• Privileged access management (PAM) for administrative accounts
• Multi-factor authentication required for all admin access
• Separate accounts for administrative vs. standard activities
• Session recording for privileged access
• Emergency break-glass procedures with full audit trails

What We Log

Comprehensive audit logs capture:

• Authentication Events: Login attempts, logout, password changes, MFA enrollment
• Data Access: Who accessed what data and when
• Data Modifications: Create, update, delete operations
• Administrative Actions: User provisioning, permission changes, configuration updates
• Security Events: Failed login attempts, suspicious activity, policy violations
• System Events: Application errors, performance issues, availability

Log Management

• Retention: Audit logs retained for 6+ years (HIPAA requirement)
• Immutability: Logs cannot be modified or deleted
• Encryption: Logs encrypted in transit and at rest
• Backup: Regular backups to geographically distributed locations
• Analysis: Automated analysis for anomaly detection

Real-Time Monitoring

• 24/7 security operations center (SOC) monitoring
• Automated alerts for suspicious activity
• Real-time threat intelligence integration
• Automated incident escalation
• Performance and availability monitoring

Incident Response Plan

We maintain a documented incident response plan with defined processes for:

• Detection: Identification of potential security incidents
• Containment: Immediate action to limit impact
• Investigation: Root cause analysis and scope determination
• Remediation: Fixes to address vulnerabilities
• Recovery: Restoration of normal operations
• Lessons Learned: Post-incident review and improvements

Breach Notification (HIPAA)

In the event of a breach affecting sensitive data:

• User Notification: Affected users notified within 60 days
• HHS Notification: Department of Health and Human Services notified if required (500+ individuals)
• Media Notification: Major media outlets notified for breaches affecting 500+ individuals in a state
• Details Provided: Nature of breach, data affected, steps taken, user actions recommended
• Credit Monitoring: Offered if financial or identification data compromised

Business Continuity

• Disaster Recovery Plan: Documented procedures for service restoration
• Regular Backups: Automated daily backups with point-in-time recovery
• Geographic Redundancy: Data replicated across multiple regions
• Recovery Time Objective (RTO): Target recovery within 4 hours
• Recovery Point Objective (RPO): Maximum 1-hour data loss
• Regular Testing: Disaster recovery drills conducted quarterly

8. Infrastructure and Service Providers

Cloud Infrastructure

Our platform is built on industry-leading cloud infrastructure:

• Supabase: HIPAA-compliant database and authentication (BAA executed)
• Vercel/AWS: Secure application hosting with global CDN
• Geographic Distribution: Services hosted across multiple availability zones
• Certifications: Our providers maintain SOC 2, ISO 27001, and HIPAA compliance

Network Architecture

• Virtual Private Cloud (VPC) isolation
• Network segmentation and microsegmentation
• Private subnets for databases
• Web application firewall (WAF) at the edge
• TLS termination at load balancers

9. Compliance and Certifications

Current Compliance

Third-Party Assessments

• Annual security assessments by independent firms
• Regular penetration testing
• Vulnerability assessments and remediation
• Compliance audits

10. Report a Security Issue

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Responsible Disclosure

When reporting security issues, please:

• Do: Report the issue privately to us first
• Do: Allow reasonable time for us to address the issue
• Do: Provide detailed information to help us reproduce
• Don't: Publicly disclose the vulnerability before we've addressed it
• Don't: Access or modify user data beyond what's necessary to demonstrate the vulnerability
• Don't: Perform actions that could harm our users or services