Our Commitment to Data Security
At Oonagh AI, protecting your patients' sensitive health information is our top priority. As healthcare practitioners, you trust us with some of your most valuable data. We take this responsibility seriously and have implemented comprehensive security measures to ensure the confidentiality, integrity, and availability of all data processed by our platform.
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge. The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule establish guidelines for healthcare providers, health plans, and business associates regarding the handling of Protected Health Information (PHI).
Covered Entities and Business Associates
Under HIPAA, healthcare providers such as acupuncturists and Traditional Chinese Medicine practitioners are "Covered Entities" when they electronically transmit health information in connection with a standard transaction (for example, submitting claims to an insurer). As your technology provider, Oonagh AI acts as a "Business Associate," which means we are legally obligated to protect any PHI we create, receive, maintain, or transmit on your behalf.
HIPAA Compliance Implementation
Privacy Rule Compliance
- Minimum necessary PHI access controls
- Patient data access mechanisms
- Disclosure tracking and accounting
- Consent verification systems
Security Rule Compliance
- Administrative safeguards
- Technical safeguards
- Physical safeguards
- Security monitoring
Audit & Accountability
- Comprehensive audit logging
- Role-based access monitoring
- Personal audit trail access
- IP-based monitoring
International Compliance & Data Residency
We are committed to keeping your data secure and local. Our infrastructure is designed to meet stringent data residency requirements across key regions, ensuring compliance with local regulations and giving you peace of mind.
UK & Europe (GDPR)
All data for our UK and European users is processed and stored exclusively within our London and Ireland data centers, in compliance with the UK GDPR and the EU GDPR respectively.
United States & Canada (HIPAA)
All PHI and user data for our US and Canadian customers is hosted in HIPAA-compliant data centers located in the United States. HIPAA itself is a US statute; our obligations to Canadian customers arise under PIPEDA (listed under International Compliance Framework below), and Canadian practitioners should confirm that hosting in the United States is permitted under any provincial rules that apply to their practice.
India (DPDPA)
To comply with the Digital Personal Data Protection Act (DPDPA), all data for our users in India is stored and processed on servers located within India.
Business Associate Agreements
When you use Oonagh AI, you enter into a Business Associate Agreement (BAA) with us. We maintain BAAs with our key technology partners who may have access to Protected Health Information (PHI), including:
- AI Processing Partners: For secure, HIPAA-compliant clinical insights and transcription
- AWS Cloud Infrastructure: For encrypted data storage, database hosting, and authentication services
- Email Service Providers: For secure, compliant patient communications and portal invitations
These BAAs legally obligate all parties to protect PHI in accordance with HIPAA requirements and establish clear responsibilities for data handling, breach notification, and compliance.
Technical Safeguards
Encryption Implementation
Password Security:
- Scrypt password hashing (one-way hashing, not encryption) producing a 64-byte derived key from a 16-byte random salt
- Bcrypt hashing for new accounts, alongside the existing scrypt hashes
- Constant-time (timing-safe) comparison when checking a submitted password against its stored hash
- Salts generated with a cryptographically secure random number generator (CSPRNG)
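The password-hashing scheme described above, as an added example that is not Oonagh AI's own code: scrypt with a 16-byte CSPRNG salt and a 64-byte derived key, stored in a self-describing record so the cost parameters can be raised later, and verified with a constant-time comparison. The cost parameters N, r and p, the record format, and the needs_rehash helper are this example's assumptions, not settings stated on the page.

```python
import hashlib
import hmac
import os

# Cost parameters are assumptions for this example, not the vendor's settings;
# only the 64-byte derived key and 16-byte salt come from the page.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 64
MAXMEM = 64 * 1024 * 1024  # scrypt needs roughly 128 * N * r bytes of working memory


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Hash a password with scrypt and a fresh CSPRNG salt.

    The record is self-describing ("scrypt$N$r$p$salt$key", hex-encoded), so the
    parameters can be raised later without invalidating existing accounts.
    """
    salt = os.urandom(SALT_LEN)  # os.urandom is the operating system's CSPRNG
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         dklen=KEY_LEN, maxmem=MAXMEM)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), key.hex()])


def _parse(stored: str):
    """Split a stored record; raises ValueError on anything malformed or foreign."""
    scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    salt, key = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    if not salt or not key:
        raise ValueError("empty salt or key")
    return int(n), int(r), int(p), salt, key


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(stored)
    except ValueError:
        return False  # a malformed record never verifies
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                               dklen=len(expected), maxmem=MAXMEM)
    # hmac.compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was hashed with weaker-than-current parameters or another scheme.

    Call this right after a successful verify_password() and re-hash with the
    plaintext you just checked; that is how stored hashes migrate to stronger
    settings without forcing a password reset.
    """
    try:
        n, r, p, salt, key = _parse(stored)
    except ValueError:
        return True
    return (n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
            or len(salt) < SALT_LEN or len(key) < KEY_LEN)
```

The needs_rehash hook is also where a scheme change (for example, moving accounts to bcrypt) would be decided: the only moment the plaintext is available to re-hash is immediately after a successful login, so a migration that waits for that moment covers active users without ever storing a password.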
Database Security:
- AWS RDS PostgreSQL with TLS required for every connection (clients should connect with sslmode=verify-full so the server certificate is validated, not merely encrypted to)
- Encryption at rest using AWS RDS storage encryption
- Multi-AZ deployment with encrypted automated backups retained for 30 days
- Connection pooling over TLS-encrypted channels with connection timeouts
Session Security:
- Session data protected with a server-held session secret
- 24-hour maximum session lifetime with automatic cleanup of expired sessions (independent of the 15-minute inactivity timeout described under Access Controls)
- Secure session cookies with domain and path restrictions
Access Controls
We implement strict role-based access controls (RBAC):
- Multi-factor authentication available
- 15-minute inactivity timeout, within the 24-hour maximum session lifetime
- IP-based lockout after 5 failed login attempts
- Role-specific permissions
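The IP-based lockout from the list above (and repeated under Administrative Safeguards), as an added example that is not the platform's code: a sliding-window failure counter that locks an address after 5 failed attempts and checks the lock before credentials are evaluated. The window and lockout durations, the class and function names, and the sample addresses (from the TEST-NET ranges) are this example's assumptions.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

MAX_FAILURES = 5            # from the page
FAILURE_WINDOW = 15 * 60    # assumption: failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60   # assumption: how long an address stays locked


class LoginGuard:
    """Sliding-window failure counter keyed by client IP (in-memory; one process)."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self._locked_until: Dict[str, int] = {}

    def is_locked(self, ip: str, now: int) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # lock has expired: forget it and its history
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: int) -> bool:
        """Register a failed login; returns True if this failure triggered a lockout."""
        q = self._failures[ip]
        q.append(now)
        while q and q[0] <= now - FAILURE_WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def attempt_login(guard: LoginGuard, ip: str, username: str, password: str, now: int,
                  check_credentials: Callable[[str, str], bool]) -> str:
    """Returns 'locked', 'ok' or 'failed'.

    The lock is checked before the credentials so a locked address learns
    nothing about whether a guess was correct; check_credentials is whatever
    the application uses to verify the stored password hash.
    """
    if guard.is_locked(ip, now):
        return "locked"
    if check_credentials(username, password):
        guard.record_success(ip)
        return "ok"
    guard.record_failure(ip, now)
    return "failed"
```

Because a clinic usually sits behind a single NAT address, an IP lockout can shut out every practitioner in the building, and an attacker who knows a clinic's address can trigger that deliberately. Pair it with a per-account counter and multi-factor authentication rather than relying on it as the only brake on password guessing.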
Comprehensive Audit Logging
Complete audit trails track all user activities:
- Real-time logging of PHI access
- Patient data access tracking
- Session activity monitoring
- Personal audit trail access
Session Security
Our platform implements HIPAA-compliant session management:
- 15-minute inactivity timeout with an on-screen warning before expiry
- "Stay Logged In" prompt shown 5 minutes before the timeout
- Real-time session monitoring
- Automatic invalidation of sessions that exceed the inactivity limit
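Enforcement of the two limits the Session Security and session management lists describe, as an added example that is not the platform's code: a 15-minute inactivity timeout with a warning 5 minutes before it, bounded by a 24-hour absolute lifetime that activity never extends. The Session record, the in-memory store, and the function names are this example's assumptions; the three durations come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT = 15 * 60            # from the page: inactivity limit
WARN_BEFORE = 5 * 60              # from the page: "Stay Logged In" prompt lead time
ABSOLUTE_LIFETIME = 24 * 60 * 60  # from the page: maximum session age


@dataclass
class Session:
    user_id: str
    created_at: int   # unix seconds; never changes, so it bounds total lifetime
    last_seen: int    # unix seconds; refreshed by any authenticated request


def session_state(s: Session, now: int) -> str:
    """Classify a session as 'active', 'warn' (idle limit within 5 min) or 'expired'."""
    if now - s.created_at >= ABSOLUTE_LIFETIME:
        return "expired"              # absolute cap wins even for a busy session
    idle = now - s.last_seen
    if idle >= IDLE_TIMEOUT:
        return "expired"
    if idle >= IDLE_TIMEOUT - WARN_BEFORE:
        return "warn"                 # client should show the "Stay Logged In" prompt
    return "active"


def lookup(store: Dict[str, Session], sid: str, now: int) -> Optional[Session]:
    """Server-side check on every request (and on a "Stay Logged In" click).

    Returns the session, or None if it is expired; expired entries are deleted
    immediately so the same cookie cannot be replayed later. Activity refreshes
    last_seen only; created_at, and therefore the 24-hour cap, is never moved.
    """
    s = store.get(sid)
    if s is None:
        return None
    if session_state(s, now) == "expired":
        del store[sid]
        return None
    s.last_seen = now
    return s


def sweep(store: Dict[str, Session], now: int) -> List[str]:
    """Periodic cleanup: remove every expired session and report which ones were dropped."""
    expired = [sid for sid, s in store.items() if session_state(s, now) == "expired"]
    for sid in expired:
        del store[sid]
    return expired
```

The absolute cap is what stops a stolen session cookie from being kept alive indefinitely by an attacker who keeps making requests; the inactivity timer alone would allow that. The on-screen warning is a usability feature; the check in lookup() is the control, and it has to run on the server because a client that has been tampered with will simply not show the warning.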
Administrative Safeguards
Security Management
- Compliance dashboard with real-time monitoring
- User management systems
- Failed login monitoring with IP-based lockout
- Country-specific compliance interface
International Compliance Framework
In addition to HIPAA, Oonagh AI implements frameworks for:
- GDPR (European Union and United Kingdom)
- Australian Privacy Principles (Australia)
- Health Information Privacy Code (New Zealand)
- DPDPA (India)
- PIPEDA (Canada)
- BDSG (Germany)
Your Role in Security
Maintaining security is a shared responsibility. As a user, you should:
- Use strong, unique passwords and enable multi-factor authentication
- Ensure your devices and networks are secure
- Log out of your account when you finish, rather than relying solely on the 15-minute inactivity timeout
- Review your personal audit logs for any unauthorized activity
- Report any suspected security incidents immediately
- Keep your contact information up to date for security notifications
Data Migration Security
Our comprehensive data migration system ensures secure transfer:
- Encrypted file transfers for all imported data
- Support for CSV, JSON, FHIR R4, and C-CDA
- Audit logging of every migration run
- Progress monitoring with real-time status updates
- Validation of imported records to ensure data integrity
Patient Portal Security
Our secure patient portal provides HIPAA-compliant access:
- Unique secure login credentials for each patient
- Session token management with 24-hour expiry
- IP and user agent tracking
- Audit logging of all patient portal activities
- Encrypted communication
Compliance Monitoring
Our platform provides real-time compliance monitoring:
- Compliance score tracking
- Security status dashboard
- Country-specific regulatory mapping
- Automated backup verification with encryption status
Security Incident Reporting
If you suspect a security incident or have concerns, please contact us immediately: