HIPAA Compliance

Last Updated: March 26, 2026 | Effective Date: March 26, 2026

1. Our Commitment

Jazmine Inc. (“Jazmine”) is committed to protecting the privacy and security of Protected Health Information (“PHI”) entrusted to us by healthcare practices. As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), we have designed our platform, infrastructure, and operations from the ground up to meet or exceed the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

This page describes the safeguards we have implemented to protect PHI. We maintain an executed Business Associate Agreement (BAA) with every healthcare practice before processing any PHI, and we maintain a BAA with our infrastructure provider, Amazon Web Services (AWS).

2. Administrative Safeguards

2.1 Security Officer

Jazmine has designated a Security Officer responsible for the development and implementation of our HIPAA security policies and procedures. The Security Officer oversees ongoing compliance monitoring, risk management, and incident response coordination. Contact: support@jazmine.app.

2.2 Workforce Training

All Jazmine employees and contractors with potential access to PHI receive comprehensive HIPAA training upon onboarding and annual refresher training thereafter. Training covers:

  • HIPAA Privacy and Security Rule requirements
  • PHI handling procedures and minimum necessary standards
  • Incident identification and reporting obligations
  • Sanctions for non-compliance

2.3 Access Management

Access to systems containing PHI is granted on a least-privilege, role-based basis. All access is reviewed quarterly, and access is promptly revoked upon termination of employment or change of role. Administrative access to production systems requires approval from the Security Officer.

2.4 Risk Assessments

Jazmine conducts comprehensive risk assessments at least annually and whenever significant changes are made to our information systems or business operations. Risk assessments evaluate threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI and inform our security program priorities.

3. Physical Safeguards

Jazmine’s infrastructure is hosted entirely on Amazon Web Services (AWS), which provides world-class physical security for its data centers:

  • AWS data centers are SOC 1, SOC 2, and SOC 3 certified
  • Physical access is strictly controlled with multi-factor access control mechanisms including biometric scanning
  • 24/7 security personnel, video surveillance, and intrusion detection systems
  • Environmental controls including fire detection and suppression, climate control, and uninterruptible power supplies
  • All data resides in the US-East-1 (N. Virginia) AWS region

Jazmine does not store PHI on local workstations, removable media, or on-premises servers. All PHI is accessed through authenticated, encrypted connections to our cloud infrastructure.

4. Technical Safeguards

4.1 Encryption

All PHI is encrypted both at rest and in transit:

  • At Rest: AES-256 encryption using AWS Key Management Service (KMS) with customer-managed keys. Encrypted services include Aurora PostgreSQL, Amazon S3, Amazon DynamoDB, Amazon ElastiCache for Redis, and Amazon SQS. Encryption keys are automatically rotated annually
  • In Transit: TLS 1.2 or higher for all external and internal communications. HTTPS is enforced on all platform endpoints. HTTPS-only bucket policies on all S3 storage

4.2 Multi-Factor Authentication

MFA is mandatory for all platform users. Jazmine enforces MFA via Amazon Cognito using TOTP (time-based one-time password) as the preferred mechanism. MFA requirements cannot be bypassed or disabled by users or administrators. Password policy requires a minimum of 12 characters with upper, lower, numeric, and symbol requirements.

4.3 Audit Logging

Comprehensive audit logging captures all access to and actions on PHI:

  • Infrastructure Level: AWS CloudTrail records all API calls across all services, with multi-region trail, management and data events, log file validation, and Insights enabled
  • Application Level: All user actions involving PHI are logged in Amazon DynamoDB with point-in-time recovery. Audit events include user identity, timestamp, action type, and resource identifiers
  • Retention: All audit logs are retained for a minimum of six (6) years and are encrypted with KMS
  • PHI Exclusion: Log messages contain only resource identifiers and event types. PHI (patient names, phone numbers, dates of birth, procedure details, insurance IDs, and free-text patient input) is never written to log files

4.4 Session Management

Authentication tokens (ID and Access tokens) expire after one (1) hour. Refresh tokens expire after thirty (30) days. Tokens are stored in httpOnly cookies managed by server-side middleware and are never placed in browser localStorage. Session data is stored in DynamoDB with automatic TTL expiration.

4.5 Network Segmentation

Our VPC architecture enforces strict network isolation:

  • Public subnets contain only the Application Load Balancer and NAT Gateways
  • Application workloads (ECS Fargate tasks) run in private application subnets
  • Data services (Aurora PostgreSQL, ElastiCache Redis) run in isolated private data subnets with no internet route
  • Security groups enforce least-privilege network access between tiers

5. Infrastructure Security

5.1 AWS Business Associate Agreement

Jazmine maintains a signed Business Associate Agreement with Amazon Web Services. All PHI is processed exclusively within HIPAA-eligible AWS services.

5.2 VPC & Private Subnets

All infrastructure operates within a Virtual Private Cloud (VPC) with DNS resolution and hostnames enabled. Data services have no direct internet access. NAT Gateways in each availability zone provide controlled outbound access for application subnets only when required.

5.3 VPC Endpoints

All communication with AWS services (S3, DynamoDB, SQS, ECR, Secrets Manager, KMS, Amazon Bedrock, CloudWatch, SSM) is conducted via VPC interface and gateway endpoints. PHI never traverses the public internet when accessing AWS services.

5.4 Web Application Firewall (WAF)

AWS WAF v2 is deployed on all internet-facing entry points with the following protections:

  • AWSManagedRulesCommonRuleSet (OWASP Top 10 protection)
  • AWSManagedRulesKnownBadInputsRuleSet
  • Rate limiting rules to prevent abuse (100 requests per 5 minutes on widget endpoints, 1,000 requests per 5 minutes on staff API)
  • WAF access logs encrypted and stored in S3 for audit purposes

5.5 DDoS Protection

AWS Shield Standard provides automatic protection against common DDoS attack vectors at the network and transport layers. CloudFront edge distribution provides additional resilience against volumetric attacks.

6. Data Handling

6.1 PHI Processing

PHI is processed exclusively for the purposes described in our BAA and at the direction of the Covered Entity practice. Processing activities include lead management, AI-powered scoring and response generation, surgeon matching, and patient communication facilitation.

6.2 No PHI in SMS Messages

Jazmine never includes PHI in SMS messages. While Amazon Pinpoint is a HIPAA-eligible service, carrier networks are not covered under the BAA. All SMS messages contain only non-sensitive content such as appointment reminders and secure portal links. When PHI must be communicated to patients, it is delivered exclusively through the encrypted patient portal.

6.3 No PHI in Log Files

Application logs record only resource identifiers and event types. PHI including patient names, phone numbers, dates of birth, procedure details, insurance identifiers, and free-text patient input is never written to log files. All log groups are encrypted with KMS and retained for a minimum of six years.
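The allowlisting described in 4.3 and 6.3 (identity, timestamp, action type and resource identifiers only; named PHI fields never logged) can be enforced at the point where audit events are built. The following is an added illustration, not Jazmine's code; field names, the `lead.update` action and the sample records are assumptions.

```python
import json
from datetime import datetime, timezone

# Field names are assumptions for this example, not Jazmine's schema.
# Only these keys may ever appear in an audit line: who, when, what, which resource.
ALLOWED_FIELDS = frozenset({"user_id", "tenant_id", "timestamp", "action",
                            "resource_type", "resource_id", "request_id", "changed_fields"})
# Keys the page names as PHI; a log call carrying one of them is a bug to fail loudly on.
PHI_FIELDS = frozenset({"patient_name", "phone", "date_of_birth", "procedure",
                        "insurance_id", "free_text"})

class PHILeakError(ValueError):
    """Raised when code tries to log a field known to hold PHI."""

def contains_phi(fields):
    """True if any key in `fields` is a known PHI field."""
    return bool(PHI_FIELDS & set(fields))

def build_audit_event(user_id, action, resource_type, resource_id, tenant_id,
                      extra=None, now=None):
    """Returns an audit event containing only allowlisted fields; `now` is an ISO-8601 string."""
    extra = dict(extra or {})
    if contains_phi(extra):
        raise PHILeakError(f"refusing to log PHI fields: {sorted(PHI_FIELDS & set(extra))}")
    event = {
        "timestamp": now or datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "tenant_id": tenant_id,
        "action": action,
        "resource_type": resource_type,
        "resource_id": resource_id,
    }
    # Unknown keys are dropped rather than logged: the allowlist, not a denylist, decides.
    event.update({k: v for k, v in extra.items() if k in ALLOWED_FIELDS})
    return event

def audit_log_line(event):
    """Serialises an event for a log sink (DynamoDB item, CloudWatch line, ...)."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def audit_from_lead_update(actor, lead_record, changed_fields, now=None):
    """Records that a lead changed and which field *names* changed, never their values."""
    return build_audit_event(actor["user_id"], "lead.update", "lead", lead_record["lead_id"],
                             actor["tenant_id"],
                             extra={"changed_fields": sorted(changed_fields)}, now=now)
```

A unit test that feeds a full lead record (with `patient_name`, `phone`, etc.) into every logging call path and asserts `PHILeakError` is the cheapest way to keep this guarantee from eroding as fields are added.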

6.4 Pre-Signed URLs for Media Access

Patient photographs, documents, and other media stored in S3 are accessible only via time-limited pre-signed URLs with a maximum validity of fifteen (15) minutes. S3 buckets have Block Public Access enabled at both the account and bucket levels. CloudFront Origin Access Control (OAC) ensures direct S3 access is blocked.

6.5 Data Retention

PHI and HIPAA-related records are retained for a minimum of six (6) years. Patient media is automatically transitioned to archival storage (S3 Glacier) after one year. Upon termination of a Practice’s subscription, data is returned or destroyed in accordance with the BAA.

7. Access Controls

7.1 Role-Based Access Control (RBAC)

The platform enforces role-based access controls with the following roles:

  • Admin: Full practice management, user administration, and configuration
  • Patient Coordinator (PC): Lead management, patient communication, and appointment scheduling
  • Surgeon: View assigned leads, patient records, and clinical information
  • Manager: Analytics, reporting, and operational oversight

Role assignments are managed by Practice administrators and enforced by the platform at both the API and UI layers.

7.2 Multi-Tenant Isolation

Jazmine uses a schema-per-tenant architecture within our database. Each request is authenticated and the tenant identifier is extracted from the cryptographically signed JWT token (not from the request body). Database connections are scoped to the tenant’s schema before any query executes. Row-level security (RLS) provides an additional isolation layer. S3 object keys are prefixed by tenant identifier.
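The tenant-resolution step above (tenant taken from the verified JWT, never from the request body, and the schema fixed before any query) is shown below as an added example that is not Jazmine's code. It assumes a claim named `custom:tenant_id` and a `tenant_<id>` schema naming scheme; it also signs with HS256 and a constructed demo secret so it runs offline, whereas Cognito issues RS256 tokens verified against its published JWKS.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo key and claim name; Cognito really uses RS256 + JWKS (HS256 keeps this offline).
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
TENANT_CLAIM = "custom:tenant_id"                   # assumed claim name
SCHEMA_RE = re.compile(r"^[a-z][a-z0-9_]{0,55}$")   # keeps "tenant_" + id under PG's 63-char limit

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims):
    """Stands in for the identity provider: issues an HS256-signed token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Returns the claims only if the signature matches and the token is unexpired."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # never let the token pick the algorithm
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def is_valid_token(token, now=None):
    try:
        return bool(verify_token(token, now))
    except ValueError:
        return False

def tenant_schema_for_request(token, request_body, now=None):
    """Schema comes from the verified token; request_body's tenant_id is deliberately never read."""
    tenant = verify_token(token, now).get(TENANT_CLAIM)
    if not isinstance(tenant, str) or not SCHEMA_RE.match(tenant):
        raise ValueError("missing or malformed tenant claim")
    return f"tenant_{tenant}"   # caller runs SET search_path TO this schema before any query
```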

7.3 Mandatory MFA

Multi-factor authentication is enforced for every user account without exception. There is no administrative override, no grace period, and no bypass mechanism. TOTP (authenticator app) is the preferred method.

8. Breach Notification Commitment

In the event of a Breach of Unsecured PHI, Jazmine will:

  • Notify affected Covered Entity Practices without unreasonable delay and in no case later than thirty (30) calendar days after discovery
  • Provide all information necessary for the Practice to fulfill its notification obligations to affected individuals and HHS
  • Cooperate fully in the investigation and remediation of the Breach
  • Implement corrective actions to prevent recurrence

Our incident response procedures are documented, tested, and designed to enable initial response within sixty (60) minutes of detection, in accordance with HIPAA requirements.

9. Vendor Management

Jazmine maintains BAAs with all subprocessors that handle PHI. Our current subprocessors include:

  • Amazon Web Services (AWS): Infrastructure provider. HIPAA-eligible services covered under the AWS BAA include Aurora PostgreSQL, S3, DynamoDB, ElastiCache, SQS, ECS Fargate, Cognito, KMS, CloudTrail, CloudWatch, Bedrock, Pinpoint, and WAF

We evaluate all potential subprocessors for HIPAA compliance before engagement and require execution of a BAA-compliant agreement before any PHI is shared. Practices are notified within thirty (30) days of any new subprocessor engagement.

10. Certifications & Audits

10.1 SOC 2 Type II

Jazmine is pursuing SOC 2 Type II certification covering the Trust Services Criteria for Security, Availability, and Confidentiality. Certification timeline will be communicated to customers upon completion.

10.2 Penetration Testing

Jazmine conducts third-party penetration testing at least annually. Results are available to customers under NDA upon request.

10.3 AWS Compliance

Our infrastructure provider, AWS, maintains the following certifications and attestations relevant to HIPAA compliance: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, ISO 9001, CSA STAR, and FedRAMP. AWS is a signatory to the HIPAA BAA and the list of HIPAA-eligible services is published and regularly updated.

11. Patient Rights

Under HIPAA, patients have the right to access, amend, and receive an accounting of disclosures of their PHI. Because Jazmine is a Business Associate (not a Covered Entity), these rights are exercised through the healthcare practice that maintains the patient’s records.

To exercise your HIPAA rights, please contact your healthcare provider directly. Jazmine will cooperate with Practices to fulfill all patient rights requests in accordance with our BAA, including providing access to PHI within fifteen (15) business days of request.

12. AI & Data Usage

Jazmine uses artificial intelligence (powered by Amazon Bedrock) for lead scoring, response generation, and surgeon matching. Our AI data practices are as follows:

  • No PHI for Model Training: PHI is never used to train, fine-tune, or improve general-purpose AI models. AI inference is conducted via Amazon Bedrock with no data retention on inference
  • Private Network Access: All AI model inference traffic is routed through VPC interface endpoints and never traverses the public internet
  • De-identified Analytics: Aggregate, de-identified data (which cannot be re-identified to any individual) may be used for product improvement. De-identification follows the standards in 45 CFR § 164.514
  • Decision Support Only: AI outputs are decision-support tools and do not constitute medical advice, diagnosis, or treatment recommendations. Clinical decisions remain with licensed healthcare providers

13. Frequently Asked Questions

Is Jazmine HIPAA compliant?

Yes. Jazmine is designed as a HIPAA-compliant Business Associate. We execute a BAA with every healthcare practice before processing any PHI, maintain a BAA with AWS, and implement comprehensive administrative, physical, and technical safeguards as described on this page.

Does Jazmine sign a Business Associate Agreement?

Yes. A fully executed BAA is required before any PHI is processed through our platform. Our BAA template is available at jazmine.app/baa. Contact support@jazmine.app to initiate the execution process.

Where is my data stored?

All data is stored within the AWS US-East-1 (N. Virginia) region in HIPAA-eligible services. Data services (database, cache, queues) operate in private subnets with no direct internet access.

Is data encrypted?

Yes. All data is encrypted at rest using AES-256 via AWS KMS customer-managed keys and in transit using TLS 1.2 or higher. Encryption keys are automatically rotated annually.

Does Jazmine send PHI via text message?

No. Jazmine never includes PHI in SMS messages because carrier networks are not covered under the HIPAA BAA. When PHI needs to be communicated, patients are directed to the encrypted patient portal via a secure link.

Does Jazmine use my data to train AI models?

No. PHI is never used to train, fine-tune, or improve general-purpose AI models. AI inference is performed via Amazon Bedrock with no data retention. Only de-identified, aggregate data may be used for product improvement.

Can I get a copy of my data?

Patients should contact their healthcare provider to exercise HIPAA access rights. Practices can request a full data export at any time, and Jazmine provides data portability in standard machine-readable formats upon subscription termination.

What happens if there is a data breach?

Jazmine will notify affected Practices within thirty (30) days of discovering a Breach of Unsecured PHI and cooperate fully in investigation, remediation, and notification to affected individuals and HHS.

14. Contact

For questions about Jazmine’s HIPAA compliance program or to report a security concern:

To file a HIPAA complaint with the federal government, contact the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at https://www.hhs.gov/hipaa/filing-a-complaint.