HIPAA Compliance & Security

We operate as your Business Associate under HIPAA. You stay the Covered Entity with your existing compliance infrastructure. We handle the technology layer.

Business Associate Model

We sign a BAA with your pharmacy. We sign BAAs with our cloud vendors (Twilio, Claude API). PHI is processed locally on your Mac Minis -- it never leaves your premises for routine operations. Cloud AI is only used for complex queries with anonymized context. You do not need 3-tier redundancy, a compliance officer, or physical data centers. Cloud vendors handle infrastructure compliance. We handle the AI layer.

Data Flow Architecture

Patient Call

Patient dials pharmacy
Your phone system
Your infrastructure

-->

AI Voice Agent

Speech-to-text (local)
Intent classification
Response generation

-->

On-Premises Processing

Mac Mini cluster
Encrypted storage
Local LLM inference

-->

Your PMS

Pioneer Rx / Liberty
Patient records (PHI)
Rx and insurance data

Responsibility Matrix

Requirement	Responsible Party	Implementation
Patient consent for PHI	Your Pharmacy	Notice of Privacy Practices (already displayed)
Physical security	Your Pharmacy	Existing facility security
Staff HIPAA training	Your Pharmacy	Annual training (existing requirement)
PMS data security	PMS Vendor	Pioneer Rx / Liberty already compliant
AI model data handling	Olive	Zero PHI retention, local processing, encrypted
API security	Olive	TOTP + API key auth, rate limiting, input sanitization
Audit logging	Olive	All PHI access logged, 6-year retention, append-only
Breach notification	Olive + Pharmacy	We notify you within 24hrs, you notify patients
Risk assessment	Olive	Annual security analysis documented
Encryption (at rest)	Olive	AES-256 for all PHI fields
Encryption (in transit)	Olive	TLS 1.3 on all connections
Multi-factor authentication	Olive	TOTP MFA required for all staff access

Security Controls

What we implement, mapped to HIPAA regulation references.

AC
Access Controls

45 CFR 164.312(a)(1)

Unique user IDs per staff member
Role-based access (pharmacist, tech, manager)
Multi-factor authentication (TOTP)
Auto session timeout (15 minutes)
Emergency access procedure

EN
Encryption

45 CFR 164.312(a)(2)(iv)

AES-256 at rest (all PHI fields)
TLS 1.3 in transit
Column-level encryption in database
Encrypted call recordings
KMS key management

AU
Audit Controls

45 CFR 164.312(b)

Log ALL PHI access events
Record user, action, timestamp, IP
Immutable append-only trail
6-year retention minimum
Anomaly detection (after-hours, bulk)

IC
Integrity Controls

45 CFR 164.312(c)(1)

Data validation on all inputs
Checksums on PHI records
Atomic file writes (crash-safe)
Tamper detection on audit logs
3-node backup verification

2025-2026 HIPAA Updates

Recent rule changes that affect pharmacy operations. Olive is built to comply with all of these from day one.

OK
All safeguards now mandatory -- The "addressable" vs "required" distinction has been eliminated. Every safeguard must be implemented. Our system treats all controls as mandatory.
OK
MFA required everywhere -- Multi-factor authentication is mandatory for all ePHI access. We use TOTP (time-based one-time passwords) on every login.
OK
Encryption is mandatory -- No longer optional or "addressable." AES-256 at rest, TLS 1.3 in transit. Built in, not bolted on.
OK
24-hour verification -- Business Associates must confirm safeguards are in place on request within 24 hours. Our system generates compliance reports on demand.

BAA Chain

Your Pharmacy --> Olive

Primary Business Associate Agreement

Your pharmacy = Covered Entity
Olive = Business Associate
Defines permitted PHI uses
Breach notification procedures
Termination and data return rights

Olive --> Cloud Vendors

Subcontractor BAAs

Twilio (voice + SMS) -- Enterprise BAA
Anthropic Claude API -- Enterprise BAA
BetterStack (monitoring) -- BAA available
Same protections flow down the chain

Implementation Checklist

1
Sign BAA with pharmacy -- Based on HHS template, customized for AI operations
2
Sign BAAs with cloud vendors -- Twilio, Anthropic, monitoring services
3
Complete risk assessment -- Document all PHI flows, identify risks, mitigation plan
4
Deploy encrypted infrastructure -- 3 Mac Minis with AES-256 + TLS 1.3
5
Enable audit logging -- All PHI access tracked, 6-year retention active
6
Configure MFA -- TOTP for all staff accounts, no exceptions
7
Create breach response plan -- 24-hour notification SLA documented
8
Document policies -- All policies stored, versioned, retained for 6 years

What You Do NOT Need

Your own HIPAA compliance officer. Physical data centers. 3-tier redundant cloud infrastructure. A dedicated security team. Cloud vendors handle infrastructure compliance. Your PMS vendor handles prescription data compliance. We handle the AI and automation layer. You keep doing what you already do.