FRAMEWORK · HIPAA

HIPAA Security Rule.
For US healthcare entities.

Health Insurance Portability and Accountability Act. Applies to US hospitals, clinics, medical insurers and their business associates (including European providers handling US patients' PHI). Itamite covers technical safeguards of 45 CFR §164.312.

Who is subject to HIPAA?

Covered entities: hospitals, clinics, individual physicians, medical insurers, health plans, healthcare clearinghouses. Business associates: any provider that handles, stores or transmits electronic PHI (Protected Health Information) on behalf of a covered entity. Includes: ICT providers, consultancies, hosting, cloud services, translation, medical transcription, telemedicine, RCM.

Fines: $100 to $50,000 per violation, up to $1.5M per year per violation category. Criminal penalties: up to 10 years in prison for intentional violations. In practice, losing contracts with covered entities means bankruptcy for a business associate.

TECHNICAL SAFEGUARDS — §164.312

What Itamite covers from Security Rule

§164.312(a) — Access Control

Unique user identification (a)(2)(i), emergency access procedure (a)(2)(ii), automatic logoff/screen lock (a)(2)(iii), encryption and decryption of PHI at rest (a)(2)(iv). Itamite verifies that BitLocker/FileVault is enabled on devices holding PHI.

§164.312(b) — Audit Controls

"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI." → Itamite's immutable hash-chain audit log fulfils this requirement on endpoints. Logs are preserved with demonstrable integrity.

§164.312(c) — Integrity

"Protect ePHI from improper alteration or destruction." → Itamite detects unauthorized changes to critical configuration. A SHA-256 hash over each heartbeat allows the integrity of the reported data to be verified.
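As an added illustration of the hash-chain audit log (§164.312(b)) and SHA-256 integrity verification (§164.312(c)) described above, here is a minimal tamper-evident audit log in Python. This is example code, not Itamite's implementation; the record layout, field names and sample events are constructed for the demonstration.

```python
import hashlib
import json

# Hash of the "previous" record before any record exists (constructed convention).
GENESIS = "0" * 64


def canonical(obj):
    """Serialize deterministically so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(seq, prev, event):
    """SHA-256 over the record body; the hash binds the event to its position and predecessor."""
    return hashlib.sha256(canonical({"seq": seq, "prev": prev, "event": event})).hexdigest()


def append_entry(chain, event):
    """Append an audit event, chaining it to the hash of the last record."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "event": event, "hash": record_hash(seq, prev, event)}
    chain.append(rec)
    return rec


def verify_chain(chain):
    """Walk the log from genesis; return (True, None) if intact or (False, index) of the
    first record whose sequence number, back-link or hash does not check out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if rec["hash"] != record_hash(rec["seq"], rec["prev"], rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain():
    """Constructed sample: three endpoint events as an agent might report them."""
    chain = []
    append_entry(chain, {"ts": "2024-01-15T08:00:00Z", "user": "jdoe", "action": "login", "host": "ws-17"})
    append_entry(chain, {"ts": "2024-01-15T08:05:12Z", "user": "jdoe", "action": "export_phi", "host": "ws-17"})
    append_entry(chain, {"ts": "2024-01-15T08:30:00Z", "user": "jdoe", "action": "logoff", "host": "ws-17"})
    return chain


def tamper_modify():
    """An attacker rewrites a recorded action in place; the stored hash no longer matches."""
    chain = build_sample_chain()
    chain[1]["event"]["action"] = "view"
    return verify_chain(chain)


def tamper_delete():
    """An attacker removes a record from the middle; the following record's seq/prev link breaks."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


def tamper_truncate():
    """Dropping records from the END leaves a self-consistent shorter chain: the chain alone
    cannot detect this. Compare the head against a hash anchored off-device instead."""
    chain = build_sample_chain()
    anchored_head = chain[-1]["hash"]  # e.g. last hash previously acknowledged by the server
    del chain[-1]
    chain_ok, _ = verify_chain(chain)
    head_matches_anchor = chain[-1]["hash"] == anchored_head
    return chain_ok, head_matches_anchor


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("modified:", tamper_modify())
    print("deleted:", tamper_delete())
    print("truncated (chain ok, anchor matches):", tamper_truncate())
```

The point of the third tamper case is the caveat a practitioner should keep in mind: a hash chain proves that nothing was altered or removed *inside* the log, but not that the tail is complete. Demonstrable integrity therefore also needs the latest hash anchored somewhere the endpoint cannot rewrite, such as the server's acknowledgement of each heartbeat.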

§164.312(d) — Person/Entity Authentication

Verification that whoever accesses ePHI is who they claim to be. Itamite supports SSO/SAML, mandatory MFA for administrators, and integration with Active Directory and identity providers.

§164.312(e) — Transmission Security

In-transit encryption of ePHI. Itamite uses TLS 1.3 for all agent-server and client-server communications. Optional mutual TLS for agent connections.

Remote sessions and screen sharing

End-to-end encryption with ephemeral Diffie-Hellman key exchange (not even Itrion sees session content). Optional session recording with a SHA-256 hash of the recording. Immutable audit of every intervention. Critical when technicians access devices holding PHI.

FAQ

HIPAA questions

Does Itrion sign a BAA (Business Associate Agreement)?
Yes, for Enterprise customers with HIPAA use cases. The standard Itrion BAA covers Security Rule obligations. For customers with specific requirements: a negotiable BAA. Typical review timeframe: 1-2 weeks.
Is Itamite HIPAA-eligible?
The platform technically complies with the Security Rule safeguards. For formal use with PHI you need to sign a BAA with Itrion and activate the HIPAA-ready configuration on your tenant (mandatory BYOK, 6-year audit retention, US datacenter if required by contract).
Do I need US hosting?
HIPAA does not require physical hosting in the US, but some covered entities require it contractually. Itamite offers US hosting (AWS Virginia or Azure US East) for cases where it is required. Additional cost: 25% over the standard rate.
What if my entity has both US and EU patients?
Dual HIPAA and GDPR compliance. Itamite covers both: HIPAA BAA + GDPR DPA + SCC + datacenter in the appropriate region. Activatable per tenant; you don't need separate tenants.

Healthcare sector with US PHI

Enterprise demo with prepared BAA and HIPAA-ready configuration.