Our HIPAA Commitment
Tech Healthcare operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our eLabs platform is architected from the ground up to satisfy the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Every feature — from AI-powered requisition processing to encrypted lab order transmission — is designed with PHI protection as a core requirement, not an afterthought.
1 Safeguard Overview
HIPAA requires three categories of safeguards for entities handling PHI. Here is how the eLabs platform addresses each:
- Administrative: policies, training, risk assessments, and incident response procedures governing workforce access to PHI
- Technical: encryption, access controls, audit logging, and secure transmission mechanisms protecting electronic PHI
- Physical: infrastructure security, facility access controls, and workstation safeguards for systems handling PHI
2 Administrative Safeguards
Security Management Process
- Risk analysis — regular assessment of potential risks and vulnerabilities to ePHI within the eLabs platform
- Risk management — implementation of security measures sufficient to reduce risks to a reasonable level
- Sanction policy — defined consequences for workforce members who violate security policies
Workforce Security
- Role-based access — the platform enforces four distinct roles (Administrator, Lab Administrator, Lab Technician, User), each with precisely scoped permissions
- Authorization — administrators control who has access to the platform and what functions they can perform
- Termination procedures — user accounts can be deactivated immediately, revoking all access to PHI
Information Access Management
- Multi-laboratory isolation — each laboratory operates in a logically separated environment; users cannot access data from other labs
- Minimum necessary standard — users see only the data required for their role and assigned lab
- Access review — administrators can review user accounts, roles, and activity through the management interface
Security Incident Procedures
- Comprehensive error and event logging captures all system activity
- Failed login attempts are tracked with IP addresses, timestamps, and account lockout enforcement
- Administrators can review processing errors, access patterns, and system logs
- Defined procedures for identifying, responding to, and reporting security incidents
3 Technical Safeguards
Access Control
| Control | Implementation | Status |
| --- | --- | --- |
| Unique User Identification | Each user has a unique username; no shared accounts | Active |
| Emergency Access | Administrator accounts can manage access during emergencies | Active |
| Automatic Logoff | Server-side sessions with configurable timeout; inactive sessions expire automatically | Active |
| Encryption | TLS 1.2+ for all connections; scrypt password hashing; encrypted connections for lab order transmission | Active |
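As an added example, not code from the eLabs platform, the following combines two of the controls listed above: the scrypt password hashing from the Access Control table and the failed-login tracking with IP addresses, timestamps and account lockout from the Security Incident Procedures. The lockout threshold (5 consecutive failures), lockout window (15 minutes), scrypt parameters, audit record layout and the in-memory account store are all assumptions made for the example.

```python
# Added example, not eLabs platform code: scrypt password verification plus
# failed-login tracking with account lockout and audit records. The threshold,
# lockout window, scrypt parameters and in-memory store are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5           # assumed: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60       # assumed: how long the lockout lasts
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest, using a fresh random salt per password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# Hash compared against for unknown usernames so that the response time does
# not reveal whether an account exists.
_DUMMY_HASH = hash_password("not-a-real-password")


@dataclass
class Account:
    username: str
    password_hash: bytes
    failures: int = 0           # consecutive failed attempts
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class Authenticator:
    accounts: dict                      # username -> Account
    audit_log: list = field(default_factory=list)

    def _audit(self, event: str, username: str, ip: str, ts: float) -> None:
        # Every attempt is recorded with IP and timestamp, success or failure.
        self.audit_log.append({"event": event, "user": username, "ip": ip, "ts": ts})

    def login(self, username: str, password: str, ip: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; 'now' is epoch seconds."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, _DUMMY_HASH)  # equalise timing
            self._audit("LOGIN_FAILED_UNKNOWN_USER", username, ip, now)
            return "denied"
        if now < acct.locked_until:
            self._audit("LOGIN_REJECTED_LOCKED", username, ip, now)
            return "locked"
        if verify_password(password, acct.password_hash):
            acct.failures = 0
            self._audit("LOGIN_OK", username, ip, now)
            return "ok"
        acct.failures += 1
        self._audit("LOGIN_FAILED_BAD_PASSWORD", username, ip, now)
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._audit("ACCOUNT_LOCKED", username, ip, now)
            return "locked"
        return "denied"
```

The audit entries are what an administrator would review when checking access patterns: a burst of `LOGIN_FAILED_BAD_PASSWORD` records from one IP followed by `ACCOUNT_LOCKED` is the signal the lockout control exists to produce, and `LOGIN_REJECTED_LOCKED` shows attempts continuing after the lock took effect.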
Audit Controls
The eLabs platform maintains comprehensive audit trails including:
- Authentication events — all login attempts (successful and failed) with IP addresses and timestamps
- Order processing — complete history of every requisition processed: who uploaded it, when, what was extracted, and whether it was validated and sent
- Data modifications — logged updates to compendiums, provider directories, insurance mappings, and client lists including the user who made the change
- Administrative actions — user creation, role changes, account deactivation, lab configuration changes
- Error tracking — processing failures with detailed context for troubleshooting and quality assurance
Transmission Security
PHI is protected during transmission at every stage:
- Browser to server — all web traffic is encrypted with TLS (HTTPS)
- Server to LIS — lab orders are transmitted to the Laboratory Information System over secure connections, providing end-to-end encryption
- AI processing — requisition data sent to the AI extraction engine is transmitted over encrypted channels; no PHI is retained by the AI service beyond the processing request
- Fax transmission — automated fax delivery of lab results uses secure fax protocols
Integrity Controls
- Lab order validation — every generated order is validated for required fields (patient name, facility, physician name, NPI, ordered tests) before transmission
- Duplicate detection — patient name, DOB, physician, and test overlap checks prevent duplicate order submissions
- Conversion history — complete processing records allow verification and reprocessing of any order
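As an added example, not code from the eLabs platform, the following implements the two integrity checks described above: required-field validation of a generated lab order and duplicate detection on patient name, DOB, physician and overlapping tests against previously processed orders. The field names, the name normalisation rule and the in-memory history are assumptions; it goes one step beyond the page by also checking the NPI check digit, which is the standard Luhn check computed over the NPI with the prefix 80840.

```python
# Added example, not eLabs platform code: required-field validation and
# duplicate-order detection of the kind the Integrity Controls describe.
# Field names, the name normalisation and the overlap rule are assumptions;
# the NPI check digit is the standard Luhn check over the 80840-prefixed number.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

REQUIRED_FIELDS = ("patient_name", "facility", "physician_name", "npi", "tests")


@dataclass(frozen=True)
class LabOrder:
    patient_name: str
    dob: str                 # ISO date string, used for duplicate matching
    facility: str
    physician_name: str
    npi: str
    tests: FrozenSet[str]


def npi_is_valid(npi: str) -> bool:
    """10 digits whose last digit is the Luhn check digit of '80840' + first 9."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi[:9])):
        d = int(ch)
        if i % 2 == 0:            # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10 == int(npi[9])


def validate_order(order: LabOrder) -> List[str]:
    """Return a list of problems; an empty list means the order may be sent."""
    errors = []
    for name in REQUIRED_FIELDS:
        value = getattr(order, name)
        if not value or (isinstance(value, str) and not value.strip()):
            errors.append(f"missing {name}")
    if order.npi.strip() and not npi_is_valid(order.npi.strip()):
        errors.append("invalid npi check digit")
    return errors


def normalize_name(name: str) -> str:
    """'DOE, JANE' and 'Jane  Doe' both become 'jane doe' (assumed rule)."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.casefold().split())


def _patient_key(order: LabOrder):
    return (normalize_name(order.patient_name), order.dob, normalize_name(order.physician_name))


def find_duplicate(order: LabOrder, history: List[LabOrder]) -> Optional[LabOrder]:
    """Return an earlier order for the same patient (name + DOB) from the same
    physician whose ordered tests overlap, or None if there is no such order."""
    key = _patient_key(order)
    for prior in history:
        if _patient_key(prior) == key and prior.tests & order.tests:
            return prior
    return None
```

A workflow would run `validate_order` first and refuse transmission on any error, then call `find_duplicate` against the lab's conversion history and require a reviewer to confirm before a matching order is sent; both checks use only fields the order already carries, so they add no new PHI to the record.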
4 Physical Safeguards
- Cloud infrastructure — the platform is hosted on enterprise-grade cloud infrastructure with SOC 2, ISO 27001, and HIPAA-compliant data centers
- Facility security — hosting providers maintain physical access controls including biometric authentication, 24/7 surveillance, and environmental protections
- Workstation security — the web-based platform design means no PHI is stored on local workstations; all data remains server-side
5 PHI Data Flow
The following table summarizes how PHI moves through the eLabs platform and the protections at each stage:
| Stage | Data | Protection |
| --- | --- | --- |
| Upload | Requisition image/PDF | TLS encryption, role-based access, audit log |
| AI Extraction | Patient demographics, tests, physicians, insurance | Encrypted API, no data retention by AI service |
| Validation | Extracted fields displayed for user review | Role-based access, session authentication |
| Lab Order Generation | Lab order message with all order data | Server-side processing, field validation |
| Transmission | Lab order file to Laboratory Information System | Secure connections, per-lab credentials |
| History | Processing records and metadata | Role-scoped access, lab isolation, audit trail |
6 Business Associate Agreement
Tech Healthcare enters into Business Associate Agreements (BAAs) with all Covered Entity clients before processing PHI. Our BAA covers:
- Permitted uses and disclosures of PHI
- Required safeguards for PHI protection
- Breach notification obligations and timelines (within 60 days of discovery)
- Requirements upon termination of the relationship
- Obligations regarding subcontractors who may access PHI
To request a BAA, contact us at sherry@tech-healthcare.com.
7 Breach Notification
In the event of a breach of unsecured PHI, Tech Healthcare follows the HIPAA Breach Notification Rule:
- Investigation — prompt investigation to determine the nature and scope of the breach
- Risk assessment — evaluation of the probability that PHI was compromised
- Notification to Covered Entity — affected clients are notified without unreasonable delay and no later than 60 days from discovery
- Documentation — all breach-related activity is documented including risk assessment, notifications, and corrective actions
- Remediation — immediate corrective action to prevent recurrence
8 Minimum Necessary Standard
The eLabs platform enforces the HIPAA minimum necessary standard through:
- Role-based access that limits each user to only the functions and data required for their job
- Lab-scoped data isolation ensuring users only see PHI from their assigned laboratory
- Processing history scoped to each user's own submissions (with administrative override for supervisory roles)
- AI extraction focused solely on the clinical fields required for order processing
9 Continuous Improvement
Tech Healthcare maintains an ongoing HIPAA compliance program that includes:
- Periodic security risk assessments and vulnerability reviews
- Regular updates to policies and procedures reflecting regulatory changes
- Monitoring of industry best practices for healthcare data security
- System hardening and security patches applied promptly
- Evaluation and enhancement of AI processing safeguards
10 Contact & Reporting
HIPAA & Security Inquiries
Tech Healthcare — Privacy & Compliance
Email: sherry@tech-healthcare.com
Website: tech-healthcare.com
To request a BAA, report a potential security incident, or ask about our HIPAA compliance program, please reference "HIPAA Compliance" in the subject line. We respond to all compliance inquiries within 2 business days.