Compliance & Security

HIPAA Compliance at Fornex Health

Every system we build. Every integration we deploy. Every line of code we write - designed with HIPAA compliance at its core, not as an afterthought.

Our Commitment

We Don't Just Build Healthcare Software. We Build It the Right Way.

HIPAA is not a checkbox for us. It is the foundation of how we operate.

Fornex Health is a SOC 2 Type II certified healthcare technology company. We work exclusively with healthcare organizations - hospitals, clinics, telehealth providers, healthtech startups - and every engagement we take on begins and ends with one non-negotiable requirement: your patients' data is protected.

From the architecture decisions we make on day one, to the infrastructure we deploy, to the Business Associate Agreements we sign before a single line of code is written - compliance is built in, not bolted on.

Business Associate Agreements

We Sign a BAA. Every Time. Before Work Begins.

Under HIPAA, any vendor that handles Protected Health Information (PHI) on behalf of a covered entity is classified as a Business Associate. That means a signed Business Associate Agreement (BAA) is legally required before any PHI-related work begins.

At Fornex Health, we sign a BAA with every healthcare client - no exceptions. The agreement clearly defines:

  • How PHI will be used and protected throughout the engagement
  • The security obligations of both parties
  • Breach notification procedures and timelines
  • Data handling, retention, and destruction protocols
  • Subcontractor compliance requirements

If a technology vendor is unwilling or hesitant to sign a BAA, that is a serious red flag. We are never hesitant.

Certifications & Standards

Independently Verified. Continuously Maintained.

Our compliance posture is not self-reported. It is independently audited, certified, and maintained across every layer of our operations.

HIPAA Certified

Health Insurance Portability and Accountability Act

We adhere to all applicable HIPAA rules - the Privacy Rule, the Security Rule, and the Breach Notification Rule. Our internal policies, staff training, and technical safeguards are aligned to HIPAA standards and reviewed regularly.

SOC 2 Type II Certified

System and Organization Controls - Independently Audited

SOC 2 Type II is one of the most rigorous independent security audits available. Unlike a one-time snapshot, Type II certification validates that our security controls have been operating effectively over an extended period. This means you are not just trusting our word - you are trusting the findings of an independent third-party auditor.

PHI Secure

Protected Health Information - Handled Per Federal Standards

All Protected Health Information processed, stored, or transmitted through our systems is handled in strict accordance with federal PHI security standards. Access controls, encryption, and audit logging are applied at every level.

AWS HIPAA-Eligible Architecture

Amazon Web Services - HIPAA-Eligible Cloud Infrastructure

Our cloud infrastructure runs on AWS HIPAA-eligible services. We sign an AWS Business Associate Addendum and architect every healthcare deployment within AWS's HIPAA-eligible service boundaries - including EC2, RDS, S3, Lambda, and CloudWatch for audit logging.

Google Cloud Healthcare API

HIPAA-Eligible Google Cloud Services

Where applicable, we deploy on Google Cloud's HIPAA-eligible services, including the Google Cloud Healthcare API, which is purpose-built for storing, processing, and accessing healthcare data in a compliant manner.

FDA Software Guidelines

Applicable Medical Device Software Compliance

For solutions that fall under FDA oversight as Software as a Medical Device (SaMD), we apply the applicable FDA guidelines throughout the development lifecycle - including design controls, risk management, and validation protocols.

Technical Safeguards

How We Protect PHI at Every Layer

HIPAA's Security Rule requires covered entities and business associates to implement technical safeguards to protect electronic PHI (ePHI). Here is how we do it.

Encryption

All ePHI is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. This applies to databases, file storage, API communications, and backup systems.

Access Controls

Role-based access control (RBAC) ensures that only authorized personnel can access PHI - and only to the extent necessary for their function. Least-privilege principles are enforced across all systems.

Audit Logging

Every access, modification, and transmission of PHI is logged with timestamps, user identifiers, and action types. Audit logs are tamper-resistant and retained per HIPAA requirements to support breach investigation and compliance audits.
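The two controls above (least-privilege RBAC and tamper-resistant audit logging) fit together naturally: every authorization decision, allowed or denied, becomes a log entry, and each entry is chained to the previous one so that editing or deleting an entry is detectable. The following is an added example written for this page, not Fornex Health's own code; the roles, permissions, user names, patient identifiers and the audit key are constructed for the demo, and the key would in practice come from a KMS or HSM rather than source code.

```python
"""Added example (not Fornex Health code): a deny-by-default RBAC gate whose every
decision is appended to a hash-chained, HMAC-sealed audit log, plus a verifier
that flags modified or deleted entries. All names and values are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role-to-permission map: each role holds only what its function needs.
ROLE_PERMISSIONS = {
    "physician": {"phi:read", "phi:write"},
    "billing": {"phi:read:billing"},
    "support": set(),  # support staff get no PHI access at all
}

# Constructed demo key. In production this is a managed secret, never a literal.
AUDIT_KEY = b"demo-audit-key-do-not-use-in-production"
GENESIS = "0" * 64  # "previous seal" of the very first entry


def authorize(role: str, action: str) -> bool:
    """Least privilege: allow only an explicitly granted permission, deny everything else."""
    return action in ROLE_PERMISSIONS.get(role, set())


def _seal(entry: dict) -> str:
    """HMAC over the canonical JSON of an entry (the 'prev' field links the chain)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def append_event(log: list, user: str, role: str, action: str,
                 patient_id: str, when: Optional[str] = None) -> dict:
    """Authorize the action and record the decision as a new chained entry."""
    allowed = authorize(role, action)
    prev = log[-1]["seal"] if log else GENESIS
    entry = {
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "patient_id": patient_id,
        "allowed": allowed,
        "prev": prev,
    }
    entry["seal"] = _seal(entry)  # computed before 'seal' exists in the dict
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "seal"}
        if body.get("prev") != prev or not hmac.compare_digest(_seal(body), entry.get("seal", "")):
            return False, i
        prev = entry["seal"]
    return True, -1


def demo() -> dict:
    """Constructed events: one permitted read, one denied read, one billing read."""
    log = []
    append_event(log, "dr.lee", "physician", "phi:read", "P-0001", "2026-05-01T09:00:00+00:00")
    append_event(log, "agent7", "support", "phi:read", "P-0001", "2026-05-01T09:01:00+00:00")
    append_event(log, "clerk2", "billing", "phi:read:billing", "P-0002", "2026-05-01T09:02:00+00:00")
    intact, _ = verify_log(log)

    # Scenario 1: someone rewrites the denied attempt to look like it was allowed.
    tampered = [dict(e) for e in log]
    tampered[1]["allowed"] = True
    _, bad_index = verify_log(tampered)

    # Scenario 2: the denied attempt is deleted outright; the chain link breaks.
    deleted = [log[0], log[2]]
    _, del_index = verify_log(deleted)

    return {
        "decisions": [e["allowed"] for e in log],
        "intact": intact,
        "tamper_detected_at": bad_index,
        "deletion_detected_at": del_index,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier needs the same key as the writer, so in a real deployment the sealing key is held by the logging service and not by the application that generates events; that separation is what makes the log "tamper-resistant" against the people whose access it records.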

Automatic Session Timeouts

All systems handling PHI implement automatic session timeouts to prevent unauthorized access from unattended workstations or devices.

Multi-Factor Authentication (MFA)

MFA is enforced for all administrative access to systems that process or store PHI.

Secure API Architecture

All integrations with EHR systems (Epic, Cerner, Athenahealth, eClinicalWorks, and others) are built using FHIR R4 and HL7 standards over secure, authenticated API connections. No PHI is transmitted over unsecured channels.

Vulnerability Management

Our systems undergo regular vulnerability scanning and penetration testing. Critical vulnerabilities are remediated within defined SLAs. Security patches are applied promptly across all environments.

Data Backup & Disaster Recovery

PHI is backed up regularly and stored in encrypted, geographically redundant environments. Disaster recovery plans are tested periodically to ensure data availability and integrity.

Administrative Safeguards

Compliance Is an Organizational Discipline, Not Just a Technical One

Technical controls alone do not make a company HIPAA-compliant. HIPAA requires robust administrative safeguards - the policies, procedures, and training that govern how people handle PHI.

At Fornex Health:

  • All team members with access to PHI or PHI-handling systems complete HIPAA training before onboarding and annually thereafter

  • We maintain a designated HIPAA Privacy Officer and Security Officer responsible for overseeing compliance

  • Our internal HIPAA policies are documented, reviewed, and updated regularly

  • We conduct periodic risk assessments to identify and address potential vulnerabilities

  • Subcontractors and third-party service providers who may handle PHI are required to sign appropriate agreements and meet our security standards

  • We maintain a documented Incident Response Plan, including breach detection, containment, notification procedures, and post-incident review

Breach Notification

If Something Goes Wrong, We Tell You. Fast.

HIPAA's Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, in the event of a breach of unsecured PHI.

Our obligations as your Business Associate:

  • We will notify you of a discovered breach involving your PHI within 72 hours of discovery - often faster

  • Our notification will include the nature of the breach, the PHI involved, steps we have taken to contain it, and recommended actions for you to take

  • We maintain a documented breach response process tested through regular internal drills

  • We cooperate fully with any regulatory investigation or client-initiated audit following a breach

We take breach notification seriously because transparency is what allows the healthcare system to recover quickly and protect patients.

Interoperability Standards

Built on the Standards Healthcare Runs On

HIPAA compliance in 2026 cannot be separated from interoperability. CMS and ONC regulations now require healthcare organizations to exchange data using standardized APIs - and our platforms are built for exactly that.

FHIR R4

We build all new integrations using HL7 FHIR R4 - the current gold standard for healthcare data exchange. FHIR R4 enables secure, structured sharing of patient data across EHR platforms, payer systems, and patient-facing applications.

HL7 v2 & v3

For healthcare organizations still operating on legacy HL7 v2 or v3 messaging standards, we build compliant integrations that bridge existing systems without requiring a rip-and-replace.

SMART on FHIR

For applications requiring delegated authorization - such as patient portals and third-party apps - we implement SMART on FHIR, which provides a secure OAuth 2.0-based authorization layer on top of FHIR APIs.
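To make the authorization layer concrete, here is an added example (not Fornex Health's code, and not tied to any particular EHR vendor) of the client side of a SMART on FHIR authorization-code flow with PKCE, together with the checks a redirect handler must perform before exchanging the code. The FHIR base URL, authorize endpoint, client_id and redirect URI are constructed placeholders; the `aud` parameter binds the request to one FHIR server, and `state` plus the PKCE verifier are kept server-side so a forged or replayed callback is rejected.

```python
"""Added example (not Fornex Health code): SMART on FHIR authorization request with
PKCE (S256, RFC 7636) and a defensive callback handler. URLs and ids are placeholders."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

FHIR_BASE = "https://fhir.example-ehr.test/r4"             # constructed placeholder
AUTHORIZE_URL = "https://auth.example-ehr.test/authorize"  # constructed placeholder
CLIENT_ID = "demo-patient-portal"                          # constructed placeholder
REDIRECT_URI = "https://portal.example.test/callback"      # constructed placeholder


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = verifier or _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_request(scope: str, state: Optional[str] = None,
                            verifier: Optional[str] = None) -> tuple:
    """Build the redirect to the authorization server.

    Returns (url, session_secrets). The secrets (state, code_verifier) stay in the
    app's server-side session; only the challenge and state travel in the URL."""
    state = state or _b64url(secrets.token_bytes(16))
    verifier, challenge = pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "aud": FHIR_BASE,  # ties the grant to this FHIR server, not any server
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect back from the authorization server.

    Raises PermissionError on an error response, a state mismatch (CSRF / session
    mix-up) or a missing code; otherwise returns the token-request body the app
    would POST to the token endpoint (the POST itself is not performed here)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization server returned: " + query["error"][0])
    if not secrets.compare_digest(query.get("state", [""])[0], session["state"]):
        raise PermissionError("state mismatch: possible CSRF or mixed-up session")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("missing authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


def server_checks_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """The authorization server's side: recompute S256 and compare in constant time."""
    return secrets.compare_digest(pkce_pair(code_verifier)[1], stored_challenge)


if __name__ == "__main__":
    url, session = build_authorize_request("launch/patient patient/Observation.read")
    print(url)
    body = handle_callback(REDIRECT_URI + "?code=demo-code&state=" + session["state"], session)
    print(body)
```

Two points worth noting for reviewers of a SMART integration: the `state` comparison must be against a value stored server-side for that browser session, never against a value echoed in a cookie the attacker can also set, and the PKCE verifier must never appear in a URL or log line, since whoever holds it together with an intercepted code can redeem the grant.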

CDA / C-CDA

We support Clinical Document Architecture (CDA) and Consolidated CDA (C-CDA) for structured clinical document exchange, including continuity of care documents, discharge summaries, and referral notes.

ONC & CMS Compliance

Our EHR integration and data exchange work is aligned with ONC's information blocking rules and CMS interoperability mandates, including the upcoming FHIR Prior Auth API requirements effective January 1, 2027.

Who We Serve

Built for Every Type of Healthcare Organization

Our HIPAA compliance framework is designed to scale - from early-stage healthtech startups building their first MVP to enterprise health systems managing millions of patient records.

Hospitals & Large Health Systems

Enterprise EHR integrations, RCM platforms, and clinical workflow systems built on HIPAA-eligible cloud infrastructure

Private Clinics & Multi-Specialty Practices

Patient portals, billing systems, and scheduling tools with role-based access and PHI encryption

Telehealth Providers

Video consultation platforms, remote monitoring integrations, and HIPAA-compliant patient communication tools

Healthcare Startups

MVP platforms built compliance-first from day one, with investor-ready documentation and BAA support

Medical Billing Companies

Claims processing automation, denial management workflows, and RCM tools built on secure, audited infrastructure

Digital Health Platforms & SaaS Providers

API-first platforms designed for FHIR interoperability, PHI security, and scalable compliance as you grow

Common Compliance Questions

Frequently Asked Questions About Our HIPAA Practices

Do you sign a Business Associate Agreement (BAA)?

Yes - always, and always before any PHI-related work begins. Our BAA clearly defines the rights and obligations of both parties under HIPAA. We can provide a draft BAA for your legal team's review during our initial discovery conversation.

Are you SOC 2 Type II certified?

Yes. Fornex Health's parent company, Creative Buffer Consultancy Private Limited, holds SOC 2 Type II certification - independently audited by a third party. This certification validates that our security controls are not just documented but have been operating effectively over time.

What cloud infrastructure do you use for healthcare projects?

We build on AWS HIPAA-eligible infrastructure as our primary platform, with Google Cloud Healthcare API used where applicable. All deployments within these environments are governed by signed Business Associate Addendums (BAAs) with AWS and Google.

How do you handle a data breach?

We notify you within 72 hours of discovering any breach involving your PHI. Our incident response plan covers detection, containment, notification, remediation, and post-incident review. We cooperate fully with any regulatory investigation.

Can you help us pass a HIPAA audit?

Yes. We provide technical documentation, architecture diagrams, security control evidence, and audit trail exports that support your organization's HIPAA audit processes. Our team has experience supporting clients through OCR inquiries and third-party compliance audits.

Do you work with healthcare startups that don't yet have a compliance team?

Absolutely. We regularly help startups build HIPAA-compliant platforms from the ground up - including helping founders understand their compliance obligations, setting up the right infrastructure, and producing the technical documentation investors and enterprise clients expect to see.

What happens to PHI when a project ends?

Our BAA specifies PHI destruction and return procedures at project end. Data is securely destroyed using methods that meet HIPAA's media disposal requirements, and we provide written confirmation upon completion.

Ready to Build Something Compliant?

Every project starts with a conversation. Tell us what you are building and we will walk you through exactly how we approach compliance for your specific use case - no sales pitch, just clarity.

This page describes Fornex Health's compliance practices and commitments. It does not constitute legal advice. Healthcare organizations should consult their own legal counsel regarding their specific HIPAA obligations. Last reviewed: May 2026.