BAA executed before any data flows. PHI handling is segmented from non-PHI workflows at the storage layer. Audit log retained for seven years. Below is the architecture in detail.
Famaash treats HIPAA as a design constraint applied at the architecture layer, not as a compliance checklist applied at audit time.
The framework runs three layers deep. At the policy layer, every team member completes annual HIPAA training before touching a covered surface. At the workflow layer, PHI never enters non-covered tools, and access requires named justification. At the storage layer, PHI is tokenized at ingress and re-hydrated only inside HIPAA-covered surfaces with encryption keys held under separate access controls.
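The workflow-layer rule (PHI never enters non-covered tools) and the storage-layer rule (tokenize at ingress, re-hydrate only inside a covered surface, keys under separate access controls) can be expressed as two small guard functions. The following is an added illustration written for this page, not Famaash's own code: the PHI field names, the `Surface` and `KeyGrant` types, and the in-memory vault are all assumptions standing in for a real classification schema, an encrypted token store, and a separately administered key service.

```python
import secrets
from dataclasses import dataclass

# Which fields carry PHI is an assumption for this example; a real ingress
# layer would take the classification from a schema, not a hard-coded set.
PHI_FIELDS = {"patient_name", "date_of_birth", "mrn"}


@dataclass(frozen=True)
class Surface:
    """A tool or service that a record may flow into (assumed type)."""
    name: str
    hipaa_covered: bool


@dataclass(frozen=True)
class KeyGrant:
    """Stands in for a credential to the vault's keys that is administered
    separately from the covered surface itself (assumed type)."""
    holder: str
    active: bool


class TokenVault:
    """Maps opaque tokens back to PHI. A production vault would keep the
    mapping encrypted and outside the application database; an in-memory
    dict is used here so the example runs offline."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # 128 random bits: the token has no relationship to the value, so it
        # cannot be reversed without the vault (unlike a hash of the value).
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token, grant):
        if not grant.active:
            raise PermissionError(f"key grant for {grant.holder} is not active")
        return self._store[token]


def tokenize_at_ingress(record, vault):
    """Replace every PHI field with a vault token before the record is stored
    or routed anywhere. Non-PHI fields pass through unchanged."""
    return {k: (vault.tokenize(v) if k in PHI_FIELDS else v)
            for k, v in record.items()}


def contains_phi(record):
    """True if any PHI field still holds a raw (untokenized) value."""
    return any(k in PHI_FIELDS and not str(v).startswith("tok_")
               for k, v in record.items())


def route(record, surface):
    """Workflow-layer guard: raw PHI may only enter a HIPAA-covered surface.
    A fully tokenized record may go anywhere."""
    if contains_phi(record) and not surface.hipaa_covered:
        raise PermissionError(f"raw PHI blocked from non-covered tool {surface.name}")
    return record


def rehydrate(record, vault, surface, grant):
    """Storage-layer guard: tokens turn back into PHI only inside a covered
    surface, and only when the caller also holds an active key grant."""
    if not surface.hipaa_covered:
        raise PermissionError(f"re-hydration refused outside covered surface {surface.name}")
    return {k: (vault.detokenize(v, grant) if k in PHI_FIELDS else v)
            for k, v in record.items()}


# Constructed sample record; no real patient data.
SAMPLE = {"patient_name": "Example Patient", "date_of_birth": "1970-01-01",
          "mrn": "MRN-000000", "matter_id": "M-42"}

if __name__ == "__main__":
    vault = TokenVault()
    ticketing = Surface("ticketing", hipaa_covered=False)
    ehr_adapter = Surface("ehr-adapter", hipaa_covered=True)
    grant = KeyGrant(holder="key-custodian", active=True)

    safe = tokenize_at_ingress(SAMPLE, vault)
    route(safe, ticketing)                     # tokenized: allowed anywhere
    print(rehydrate(safe, vault, ehr_adapter, grant) == SAMPLE)
```

The point of splitting `Surface.hipaa_covered` from `KeyGrant` is that operating a covered surface does not by itself confer the ability to detokenize; both checks have to pass, which is what "keys held under separate access controls" buys in practice.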
The Famaash BAA is HIPAA-compliant, ready for execution, and signed within 48 hours of NDA.
It covers permitted uses and disclosures, required safeguards, subcontractor flow-down, breach notification SLAs, and the effect of termination on PHI. Redline is welcome on commercial terms; the HIPAA-required provisions are non-negotiable by statute.
PHI is segmented from non-PHI at the data layer, not at the application layer.
Every read, write, and administrative action against a PHI-bearing surface is logged.
Logs are append-only, immutable after write, and retained for seven years. They are queryable by client matter, by user, and by time window. Sample exports are available on request.
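An append-only audit log that is queryable by matter, user and time window is straightforward to build; the harder property is "immutable after write", which means tampering must be detectable, not merely discouraged. The example below is added for this page and is not Famaash's logging implementation. It assumes that immutability is enforced with a SHA-256 hash chain (each entry commits to the previous one), that entries are JSON objects with the fields shown, and that the sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
RETENTION = timedelta(days=7 * 365)   # seven-year retention from the page


class AuditLog:
    """Append-only record of reads, writes and administrative actions against
    PHI-bearing surfaces. Each entry stores the hash of the one before it, so
    editing or deleting any entry invalidates every later hash (hash chaining
    is this example's assumed mechanism for 'immutable after write')."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the digest does not depend on key order.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, ts, user, matter, surface, action):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"ts": ts.isoformat(), "user": user, "matter": matter,
                "surface": surface, "action": action, "prev": prev}
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain from genesis; False on any edit or gap."""
        prev = GENESIS
        for e in self._entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(unhashed) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def query(self, user=None, matter=None, start=None, end=None):
        """Filter by user, client matter and half-open [start, end) window.
        Bounds may be datetimes or ISO-8601 strings."""
        start = datetime.fromisoformat(start) if isinstance(start, str) else start
        end = datetime.fromisoformat(end) if isinstance(end, str) else end
        out = []
        for e in self._entries:
            ts = datetime.fromisoformat(e["ts"])
            if user is not None and e["user"] != user:
                continue
            if matter is not None and e["matter"] != matter:
                continue
            if start is not None and ts < start:
                continue
            if end is not None and ts >= end:
                continue
            out.append(e)
        return out

    def within_retention(self, entry, now):
        """Retention check: an entry is kept for RETENTION after its timestamp."""
        return now - datetime.fromisoformat(entry["ts"]) <= RETENTION

    def export(self):
        """JSON-lines export, the form a client sample export might take."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)


def build_sample_log():
    """Constructed entries for demonstration; not real activity."""
    log = AuditLog()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append(t0, "alice", "M-42", "ehr-adapter", "read")
    log.append(t0 + timedelta(minutes=5), "bob", "M-42", "ehr-adapter", "write")
    log.append(t0 + timedelta(hours=2), "alice", "M-7", "admin-console", "grant-access")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify(), len(log.query(user="alice")))
    print(log.export())
```

In a deployment the chain head (the latest hash) would be anchored somewhere the log writer cannot reach, such as a separate append-only store or a periodic signed checkpoint; otherwise an attacker with write access to the log file could rewrite the whole chain consistently. That anchoring is the step this example leaves out.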
Breach notification SLA is 60 days from discovery, with substantive notice provided well within that window in practice.
The incident playbook covers detection, containment, root-cause analysis, individual notification, and HHS reporting. Tabletop exercises run quarterly. Real incidents are documented in a postmortem shared with affected clients.
HIPAA is the floor. Several state regimes apply on top.
Every subprocessor that touches PHI signs a BAA with Famaash before onboarding.
The subprocessor list is reviewed annually. Material changes are communicated to clients in advance. The current list is shared on request, under NDA.
For HIPAA-specific questions, including BAA redline requests and subprocessor disclosures, contact the trust team.
Email trust@famaash.com. Responses are returned within one business day.