HIPAA Compliance

HIPAA Policy

Effective date: May 19, 2026 · Last updated: May 19, 2026

Cliny is designed from the ground up for HIPAA-covered clinics. This policy describes how we handle Protected Health Information (PHI), the safeguards we maintain, and what you need to know before using Cliny with patient data.

  • Encrypted everywhere: AES-256 at rest · TLS 1.2+ in transit
  • Audit logged: every PHI access event recorded, 6-year retention
  • Role-enforced: minimum necessary access by design

Business Associate Agreement (BAA)

Cliny acts as a Business Associate under HIPAA when processing PHI on behalf of Covered Entity clinics. A signed BAA must be in place before your clinic transmits any patient data through Cliny.

We provide a standard BAA template on request. Founding cohort clinics receive a pre-signed BAA as part of onboarding. To request your BAA:

Request a BAA by emailing support@cliny.ai

Technical Safeguards

Cliny implements the following HIPAA Technical Safeguard requirements:

Encryption at rest
All PHI stored in Supabase (PostgreSQL) is encrypted at rest using AES-256. Encryption keys are managed by the cloud provider (AWS) and rotated regularly.
Encryption in transit
All data transmitted between clients and servers uses TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
Unique user identification
Every user has a unique account. Shared accounts are not permitted. Authentication is enforced via Supabase Auth with optional multi-factor authentication.
Automatic logoff
Sessions expire after 1 hour of inactivity. Tokens are invalidated on sign-out across all devices.
Audit controls
Every read or write of PHI (chart notes, patient demographics, vitals, medications) creates an immutable audit log entry including the user ID, clinic ID, action type, resource, and IP address. Audit logs cannot be modified or deleted.
Row-Level Security (RLS)
Database-level RLS policies enforce tenant isolation. Even if the application layer has a bug, the database will reject any query that accesses data outside the authenticated clinic's scope.

Physical and Administrative Safeguards

Physical Safeguards
  • All infrastructure hosted in SOC 2-certified AWS data centers
  • No PHI stored on local devices or endpoints
  • Database backups encrypted and stored in separate availability zones
Administrative Safeguards
  • Designated Security Officer responsible for HIPAA compliance
  • Workforce access limited to minimum necessary information
  • Annual security training for all personnel with system access

Breach Notification

In the event of a breach involving PHI, Cliny will:

  • Notify affected clinic(s) within 60 days of discovering the breach, consistent with the HIPAA Breach Notification Rule
  • Provide a description of what PHI was involved, who may have accessed it, and what steps were taken to mitigate harm
  • Cooperate with the clinic in fulfilling any required notification to patients or regulators
  • Document all breach investigations and maintain records for 6 years

AI Features and PHI

Cliny uses the Anthropic Claude API to power AI Scribe and clinical summary features. When patient data is sent to Anthropic for inference:

  • Anthropic processes data under a Data Processing Agreement as our sub-processor
  • Anthropic does not use customer data submitted via API to train its models
  • Data is transmitted over TLS and not persisted beyond the API response
  • Clinics can disable AI features entirely from Settings if preferred

Minimum Necessary Access (Role-Based)

Cliny enforces HIPAA's minimum necessary standard through a strict three-role system:

Admin: Full access, including staff management, billing, the audit log, and clinic settings. Cannot be assigned to patient-facing care roles.
Provider: Access to clinical data: charts, vitals, medications, and appointment history. Cannot access staff management or billing settings.
Front Desk: Demographics and scheduling only. Cannot view chart notes, vitals, medications, allergies, or any other clinical content.
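The Row-Level Security safeguard described under Technical Safeguards and the role table above can be expressed directly as PostgreSQL policies. The following is an added illustration, not Cliny's own schema or policy code: it assumes a constructed `clinic_members` membership table and a `chart_notes` table, and uses Supabase's `auth.uid()` helper to identify the calling user. With the policies in place, a query from a Front Desk user, or from any user of another clinic, returns no chart rows regardless of what the application layer asks for.

```sql
-- Constructed schema for illustration: one membership row per (user, clinic).
create table clinic_members (
  user_id   uuid not null,   -- matches auth.users.id in Supabase
  clinic_id uuid not null,
  role      text not null check (role in ('admin', 'provider', 'front_desk')),
  primary key (user_id, clinic_id)
);

create table chart_notes (
  id         uuid primary key default gen_random_uuid(),
  clinic_id  uuid not null,
  patient_id uuid not null,
  body       text not null,
  created_by uuid not null default auth.uid()
);

-- Does the calling user belong to this clinic with one of the allowed roles?
-- SECURITY DEFINER so the membership lookup itself is not subject to RLS;
-- search_path is pinned so the function cannot be hijacked via a user schema.
create or replace function is_member_with_role(target_clinic uuid, allowed text[])
returns boolean
language sql
security definer
set search_path = public
stable
as $$
  select exists (
    select 1 from clinic_members m
    where m.user_id   = auth.uid()
      and m.clinic_id = target_clinic
      and m.role      = any(allowed)
  );
$$;

alter table chart_notes enable row level security;
alter table chart_notes force row level security;  -- applies even to the table owner

-- Clinical content is readable by admins and providers of the same clinic only.
-- 'front_desk' is deliberately absent, so those users see zero rows.
create policy chart_notes_read on chart_notes
  for select
  using (is_member_with_role(clinic_id, array['admin', 'provider']));

-- Only providers may write, and the row must stay inside the caller's clinic.
create policy chart_notes_write on chart_notes
  for insert
  with check (is_member_with_role(clinic_id, array['provider']));

-- Deny by default: with no update/delete policies, RLS rejects those statements.
```

Because the predicate evaluates per row against the authenticated user's membership, a bug that drops a `where clinic_id = ...` filter in application code still cannot widen the result set beyond the caller's clinic.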

Common Questions

Questions we hear from compliance officers and clinic administrators before signing up.

Questions and BAA Requests

For HIPAA-related questions, BAA requests, or to report a security concern:

Cliny
support@cliny.ai

We respond to all HIPAA and security inquiries within 1 business day.