
HIPAA Compliance Guide

Healthcare Privacy and Security Compliance (45 CFR Part 164)

Controlled Rollout: HIPAA workflows are enabled through approved Enterprise design-partner access. Self-serve add-on billing is not active in the current launch.

What HIPAA Features Are Available?

BAA Tracking

§ 164.504(e) - Business Associate Agreement management with expiration alerts

Patient Rights

§ 164.524 - Access requests with 30-day deadline tracking

PHI Disclosure Logs

§ 164.528 - Accounting of disclosures with 6-year retention

DICOM De-identification

Remove PHI from medical imaging (X-rays, MRIs, CT scans)

Business Associate Agreements (§ 164.504(e))

A Business Associate Agreement (BAA) is a contract required by HIPAA when you share PHI with a third party.

When Do You Need a BAA?

  • Cloud storage providers (AWS, Azure, Google Cloud)
  • EHR system vendors (Epic, Cerner)
  • Payment processors handling PHI
  • Analytics vendors with access to patient data

Expiration Alert System

Automatic Alerts: The platform sends expiration warnings at:

  • 90 days before expiration: LOW
  • 60 days before expiration: MEDIUM
  • 30 days before expiration: HIGH
  • Expired: CRITICAL

Quick Start: Add a BAA

  1. Navigate to the Healthcare Dashboard
     Go to Dashboard → Healthcare → BAA Management
  2. Click "Add BAA Record"
     Enter the business associate's name, type, and agreement details
  3. Set the expiration date
     The system will automatically send renewal alerts

Patient Rights Requests (§ 164.524)

Under HIPAA, patients have the right to access their PHI. You must respond within 30 days (extendable to 60 days with written notice).

30-Day Deadline: The clock starts the day the request is received.

Request Types Supported

  • ACCESS_TO_RECORDS: § 164.524
  • AMENDMENT: § 164.526
  • ACCOUNTING_OF_DISCLOSURES: § 164.528
  • RESTRICTION_REQUEST: § 164.522

PHI Processing Logs (§ 164.528)

6-Year Retention: Under § 164.530(j), these records must be retained for 6 years.

  • WITHIN_RETENTION: cannot delete
  • APPROACHING_END: less than 1 year of retention left
  • PAST_RETENTION: can delete

DICOM Medical Imaging De-identification

Medical imaging files (DICOM format) contain embedded PHI in metadata tags. The platform detects and helps remove these identifiers.

PHI Tags Monitored (11 High-Risk Tags)

  • (0010,0010) PatientName - HIGH
  • (0010,0020) PatientID - HIGH
  • (0010,0030) PatientBirthDate - HIGH
  • (0008,0090) ReferringPhysicianName - HIGH
  • (0032,1032) RequestingPhysician - HIGH
  • (0010,21C0) PregnancyStatus - HIGH
  • (0010,0040) PatientSex - MEDIUM
  • (0010,1010) PatientAge - MEDIUM
  • (0008,0080) InstitutionName - MEDIUM
  • (0008,1070) OperatorName - MEDIUM
  • (0010,1030) PatientWeight - LOW

Zero-Upload Architecture: DICOM files are processed client-side. Only metadata tags are sent to the API for analysis.
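The following is an added example, not ScrubMetadata's own code, showing what client-side detection of the 11 monitored tags looks like in practice: a minimal explicit-VR little-endian DICOM element parser, a scanner that reports each monitored tag present with its risk level, a metadata-only payload of the kind a zero-upload client would send (assumed here to carry tag, VR and length only, never values or pixel data; the page does not specify the payload contents), and a de-identification step that blanks string-valued PHI tags and drops binary ones. The sample file is constructed inline (names, MRN and dates are invented), omits the (0002,xxxx) file meta group for brevity, and the parser assumes explicit VR little endian throughout.

```python
import struct

# The 11 monitored tags and risk levels as listed in this guide.
PHI_TAGS = {
    (0x0010, 0x0010): ("PatientName", "HIGH"),
    (0x0010, 0x0020): ("PatientID", "HIGH"),
    (0x0010, 0x0030): ("PatientBirthDate", "HIGH"),
    (0x0008, 0x0090): ("ReferringPhysicianName", "HIGH"),
    (0x0032, 0x1032): ("RequestingPhysician", "HIGH"),
    (0x0010, 0x21C0): ("PregnancyStatus", "HIGH"),
    (0x0010, 0x0040): ("PatientSex", "MEDIUM"),
    (0x0010, 0x1010): ("PatientAge", "MEDIUM"),
    (0x0008, 0x0080): ("InstitutionName", "MEDIUM"),
    (0x0008, 0x1070): ("OperatorName", "MEDIUM"),
    (0x0010, 0x1030): ("PatientWeight", "LOW"),
}
PIXEL_DATA = (0x7FE0, 0x0010)
# VRs that carry a 4-byte length field in explicit VR little endian.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Binary VRs: NUL-padded and with no meaningful "empty" value.
BINARY_VRS = {b"US", b"UL", b"SS", b"SL", b"FL", b"FD", b"OB", b"OW"}


def encode_element(group, element, vr, value):
    """Encode one explicit-VR little-endian element; values are padded to even length."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in BINARY_VRS else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, element, vr, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def parse_elements(data):
    """Parse elements after the 128-byte preamble and 'DICM' marker (explicit VR LE only).

    Undefined-length (0xFFFFFFFF) sequences are rejected rather than guessed at.
    """
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos, elements = 132, []
    while pos < len(data):
        if pos + 6 > len(data):
            raise ValueError("truncated element header")
        group, element, vr = struct.unpack("<HH2s", data[pos:pos + 6])
        header_len = 12 if vr in LONG_VRS else 8
        if pos + header_len > len(data):
            raise ValueError("truncated element header")
        if header_len == 12:
            (length,) = struct.unpack("<I", data[pos + 8:pos + 12])
        else:
            (length,) = struct.unpack("<H", data[pos + 6:pos + 8])
        pos += header_len
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise ValueError("unsupported or truncated element (%04X,%04X)" % (group, element))
        elements.append(((group, element), vr, data[pos:pos + length]))
        pos += length
    return elements


def scan_phi(elements):
    """Return (tag, name, risk) for each monitored tag that actually carries a value."""
    findings = []
    for tag, vr, value in elements:
        if tag not in PHI_TAGS:
            continue
        present = bool(value) if vr in BINARY_VRS else bool(value.strip(b" \x00"))
        if present:
            name, risk = PHI_TAGS[tag]
            findings.append(("(%04X,%04X)" % tag, name, risk))
    return findings


def metadata_payload(elements):
    """Assumed zero-upload payload: tag, VR and length only; values and pixel data stay local."""
    return [
        {"tag": "(%04X,%04X)" % tag, "vr": vr.decode("ascii"), "length": len(value)}
        for tag, vr, value in elements
        if tag != PIXEL_DATA
    ]


def deidentify(data):
    """Rebuild the file with each monitored tag blanked (string VRs) or dropped (binary VRs)."""
    out = []
    for tag, vr, value in parse_elements(data):
        if tag in PHI_TAGS:
            if vr in BINARY_VRS:
                continue  # e.g. PregnancyStatus (US) has no empty form, so remove it
            value = b""  # attribute stays present but empty, as DICOM Type 2 requires
        out.append(encode_element(tag[0], tag[1], vr, value))
    return data[:132] + b"".join(out)


def build_sample_dicom():
    """Constructed sample (not a real scan); file meta group (0002,xxxx) omitted."""
    body = b"".join([
        encode_element(0x0008, 0x0060, b"CS", "CT"),                  # Modality, not PHI
        encode_element(0x0008, 0x0090, b"PN", "DOE^JANE^MD"),         # ReferringPhysicianName
        encode_element(0x0010, 0x0010, b"PN", "SMITH^JOHN"),          # PatientName
        encode_element(0x0010, 0x0020, b"LO", "MRN-0000001"),         # PatientID (invented)
        encode_element(0x0010, 0x0030, b"DA", "19700101"),            # PatientBirthDate
        encode_element(0x0010, 0x0040, b"CS", "M"),                   # PatientSex
        encode_element(0x0010, 0x21C0, b"US", struct.pack("<H", 2)),  # PregnancyStatus
        encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),             # PixelData stand-in
    ])
    return bytes(128) + b"DICM" + body
```

Running `scan_phi(parse_elements(build_sample_dicom()))` reports six findings (five HIGH, one MEDIUM); after `deidentify` the same scan returns nothing, the pixel data is byte-for-byte intact, and string attributes remain present with empty values so downstream viewers that expect them do not break. Real files also need the file meta group and may use other transfer syntaxes, which a production scanner must handle before trusting a "clean" result.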

Safe Harbor De-identification (§ 164.514(b)(2))

The platform covers all 18 identifier categories that the Safe Harbor method requires to be removed for a data set to count as de-identified:

1. Geographic subdivisions smaller than State
2. Names
3. All date elements (except year)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device identifiers
14. Web URLs
15. IP addresses
16. Biometric identifiers
17. Full-face photographs
18. Any other unique identifier

Frequently Asked Questions

What happens if I miss the 30-day patient request deadline?
  This is a HIPAA violation. Penalties range from $100 to $50,000 per violation, up to a maximum of $1.5M per year.

Can I delete PHI disclosure logs before 6 years?
  No. The platform enforces the 6-year retention requirement (§ 164.530(j)).

Do I need a BAA with ScrubMetadata?
  No. ScrubMetadata uses a zero-knowledge architecture; files are processed client-side.

How do I export HIPAA compliance reports?
  From the Healthcare Dashboard, export the BAA Summary, Patient Rights Log, PHI Disclosure Report, or the full HIPAA Compliance Package.

Ready to Manage HIPAA Compliance?

Access your Healthcare Compliance Dashboard to manage BAAs, patient rights requests, and PHI disclosures.