# PHI Management
Atticus Health governs Protected Health Information across its full lifecycle — from collection through disposal — enforcing HIPAA's Privacy and Security Rules at every stage.
## PHI Lifecycle
| Stage | Description | Related page |
|---|---|---|
| Collection | PHI enters the platform through patient intake, clinical encounters, and integrations | Authentication |
| Classification | All data is treated as PHI by default — full encryption, access control, and audit logging apply universally | Data Protection |
| Storage | PHI is encrypted at rest with AES-256 and isolated per organization | Encryption |
| Access | Role-based access levels enforce least-privilege across all user types | Access Levels |
| Sharing | External data exchange flows through authenticated APIs and FHIR | Third-Party Data Sharing |
| Retention | Clinical records retained 7 years minimum; retention enforced automatically | Retention Policies |
| Disposal | Verified deletion workflows with audit trail upon offboarding | Data Portability |
## Minimum Necessary Standard
Atticus Health enforces HIPAA's minimum necessary rule — users and systems access only the PHI required for their specific function:
- Role-based access levels — Six distinct access levels ensure that each user type (provider, staff, patient, integration) sees only what they need
- Per-organization session binding — Every session is scoped to a single organization, preventing cross-tenant data exposure (Session Security)
- API-level scoping — REST endpoints return only data the authenticated identity is entitled to, based on role and organization context
- Background job isolation — Organization context carries through asynchronous operations, so the minimum necessary boundary holds even outside direct user requests (How Isolation Is Enforced)
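The three enforcement points above (per-organization session binding, role-based field scoping, and organization context carried into background work) can be shown in one small model. The following is an added example written for this page, not Atticus Health's code: the role names, field allow-lists, sample records and job format are constructed assumptions, and the point is that the tenant filter is applied unconditionally and that a worker refuses a job that arrives without organization context rather than widening its scope.

```python
"""Added example (not Atticus Health's code): organization-scoped, role-limited
PHI access, with the organization context carried into a background job.
Roles, fields, sample records and the job payload are constructed assumptions."""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample store holding records from two tenant organizations.
RECORDS = [
    {"id": 1, "org": "org-a", "patient": "p-1", "dob": "1970-01-01", "notes": "asthma follow-up"},
    {"id": 2, "org": "org-a", "patient": "p-2", "dob": "1982-06-30", "notes": "annual physical"},
    {"id": 3, "org": "org-b", "patient": "p-3", "dob": "1990-12-12", "notes": "lab review"},
]

# Assumed role -> field allow-list (the page names access levels only in the abstract).
ROLE_FIELDS = {
    "provider": {"id", "patient", "dob", "notes"},
    "staff": {"id", "patient", "dob"},          # scheduling staff never see clinical notes
    "integration": {"id", "patient", "notes"},
}


@dataclass(frozen=True)
class Session:
    user: str
    org: str        # every session is bound to exactly one organization
    role: str


class AccessDenied(Exception):
    pass


def fetch_records(session: Session, patient: Optional[str] = None) -> list[dict[str, Any]]:
    """Return the records visible to this session: tenant filter first, then
    role-based field minimisation. The org filter comes from the session, never
    from a request parameter, so a caller cannot widen the query."""
    if session.role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {session.role!r}")
    allowed = ROLE_FIELDS[session.role]
    out = []
    for rec in RECORDS:
        if rec["org"] != session.org:
            continue
        if patient is not None and rec["patient"] != patient:
            continue
        out.append({k: v for k, v in rec.items() if k in allowed})
    return out


def enqueue_export(session: Session, patient: str) -> dict[str, Any]:
    """Capture the organization context into the job payload at enqueue time."""
    return {"job": "export", "org": session.org, "role": session.role, "patient": patient}


def run_export_job(job: dict[str, Any]) -> list[dict[str, Any]]:
    """Worker side: rebuild a session from the job's own org context, and
    refuse jobs that carry none instead of falling back to a wider scope."""
    if not job.get("org"):
        raise AccessDenied("background job has no organization context")
    worker_session = Session(user="worker", org=job["org"], role=job["role"])
    return fetch_records(worker_session, patient=job["patient"])


if __name__ == "__main__":
    s = Session(user="front-desk", org="org-a", role="staff")
    print(fetch_records(s))                          # two org-a records, no clinical notes
    print(run_export_job(enqueue_export(s, "p-1")))  # same boundary, inside the worker
```

The detail worth copying is that `run_export_job` fails closed: a job without an `org` raises rather than querying across tenants, which is the failure mode the "background job isolation" bullet is guarding against.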
## Analytics & PHI
Clinical and operational data flows to a dedicated Snowflake analytics warehouse for population health trends and utilization metrics. Snowflake operates under a Business Associate Agreement, so PHI is protected throughout the analytics pipeline without requiring de-identification prior to ingestion.
## PHI in Logs & Monitoring
Atticus Health self-hosts its logging and observability infrastructure, ensuring that PHI never leaves controlled environments:
- Self-hosted observability — All application logs, traces, and metrics are collected in self-hosted infrastructure — no PHI is sent to third-party log aggregation services
- Application log retention — Logs are retained for 90 days and automatically rotated (Retention Policies)
- Audit log separation — Audit logs that record PHI access are retained for 7 years in a dedicated audit database, separate from application logs
- Error reporting — Error payloads are sanitized before capture to prevent unintentional PHI exposure in diagnostic tooling
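The "error payloads are sanitized before capture" bullet is the one control here that is easy to get subtly wrong, because PHI reaches diagnostics through two routes: structured context fields and free text echoed in exception messages. The following is an added example written for this page, not Atticus Health's code; the PHI key list, regex patterns and sample payload are constructed assumptions, and a real deployment would tune them to its own schema.

```python
"""Added example (not Atticus Health's code): sanitise an error report before
it is handed to an error-reporting tool. PHI key names, identifier patterns
and the sample payload are constructed assumptions."""
import re
from typing import Any


def _norm(key: str) -> str:
    """Normalise a key so first_name, firstName and First-Name all compare equal."""
    return re.sub(r"[^a-z0-9]", "", key.lower())


# Assumed PHI-bearing field names, stored in normalised form.
PHI_KEYS = {_norm(k) for k in (
    "name", "first_name", "last_name", "dob", "date_of_birth", "ssn",
    "mrn", "email", "phone", "address", "notes",
)}

# Identifier-like patterns that may appear inside free text (constructed).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\bMRN[-: ]?\d{5,}\b", re.I), "[MRN]"),
]

REDACTED = "[REDACTED]"


def scrub_text(text: str) -> str:
    """Replace identifier-like substrings in free text with typed placeholders."""
    for pat, repl in PATTERNS:
        text = pat.sub(repl, text)
    return text


def sanitize(value: Any) -> Any:
    """Recursively redact PHI-named keys and scrub strings, keeping the
    structure and non-PHI diagnostics (route, status code) intact."""
    if isinstance(value, dict):
        return {k: (REDACTED if _norm(str(k)) in PHI_KEYS else sanitize(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(sanitize(v) for v in value)
    if isinstance(value, str):
        return scrub_text(value)
    return value


def sanitize_error(exc: BaseException, context: dict[str, Any]) -> dict[str, Any]:
    """Build the report actually sent to diagnostics. The exception message is
    scrubbed as well, since ORM and validation errors often echo field values."""
    return {
        "type": type(exc).__name__,
        "message": scrub_text(str(exc)),
        "context": sanitize(context),
    }


if __name__ == "__main__":
    # Constructed request context as an application might attach it to an error.
    ctx = {
        "route": "/api/patients",
        "status": 500,
        "patient": {"first_name": "Ada", "dob": "1970-01-01"},
        "query": "lookup MRN 1234567 for ada@example.com",
    }
    print(sanitize_error(ValueError("bad date 1970-01-01 for SSN 123-45-6789"), ctx))
```

Key-based redaction and text scrubbing are both needed: the former catches structured fields regardless of their values, the latter catches values that leaked into messages, query strings or stack-local dumps where no field name is present. Neither is complete on its own, which is why the page's other control, keeping observability self-hosted, still matters.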
## Business Associate Agreements
Atticus Health maintains BAA coverage across all relationships that involve PHI:
| Relationship | Scope | When Executed |
|---|---|---|
| Infrastructure providers | Cloud hosting, storage, and managed services that may process or store PHI | Before infrastructure provisioning |
| Customers | Covered entities that transmit PHI to the Atticus Health platform | Before PHI enters the platform |
| Integration partners | Third-party systems that exchange data through platform APIs | Before integration activation |
## Patient Rights
Atticus Health provides platform-level support for HIPAA's individual rights:
| Right | Platform Support |
|---|---|
| Access | Patients view their records through the patient app; clinical data exportable via FHIR |
| Amendment | Amendment request workflow with provider review and full audit trail |
| Accounting of Disclosures | PHI access audit logs retained 7 years; per-patient disclosure reports available |
| Restrictions | Restriction flags enforceable at the record level |
| Confidential Communications | Patient-configurable communication channels (email, SMS) and preferences |
## Third-Party Data Sharing
All external data exchange is controlled through platform-enforced safeguards:
- Authenticated API access — All integrations use the Server-to-Server access level with scoped credentials
- Minimum necessary scoping — Each integration's API access is limited to the data required for its function
- FHIR for clinical exchange — Clinical data sharing follows the FHIR standard for interoperability
- BAA required — No integration partner receives PHI until a Business Associate Agreement is in place
## Shared Responsibility
PHI protection is a shared obligation between Atticus Health and its customers:
| Responsibility | Atticus Health (Platform) | Customer (Covered Entity) | Shared |
|---|---|---|---|
| Infrastructure security | Encryption, network isolation, access controls | — | — |
| Application security | Authentication, authorization, audit logging | — | — |
| Workforce training | Platform operations team | Customer staff HIPAA training | — |
| Access management | Platform-level role enforcement | User provisioning and role assignment | BAA defines boundary |
| Breach notification | Detection, containment, 24-hour notification | Patient and regulator communication | Coordinated response |
| Policy and procedures | Platform security policies | Covered entity policies | BAA defines boundary |
The Business Associate Agreement between Atticus Health and each customer defines the precise boundary of responsibility. Atticus Health secures the platform; customers retain their obligations as covered entities under HIPAA.