HIPAA Compliance

Last updated: April 2026

This document describes the technical controls FeatureSignals implements that map to HIPAA requirements. Organizations requiring HIPAA compliance should evaluate these controls against their specific requirements.

Business Associate Agreement (BAA)

Enterprise customers requiring HIPAA compliance must execute a BAA before processing PHI. Contact sales@featuresignals.com to request one.

Technical Safeguards (§164.312)

Requirement	Implementation
Access Control	UUID-based user IDs, JWT expiration (1h), AES-256 at rest, TLS 1.3
Audit Controls	Every action logged with actor/IP/timestamp, SHA-256 integrity hashing
Integrity	Parameterized SQL, transaction isolation, audit log integrity
Authentication	Password + MFA (TOTP), SSO (SAML/OIDC)
Transmission Security	TLS 1.3, HTTPS enforced, HSTS headers

Recommended Architecture

Do not include PHI in evaluation context — use opaque identifiers
Deploy on-premises for maximum control
Enable audit logging for HIPAA audit trail
Enforce MFA for all team members
Configure IP allowlisting to restrict management API access

Contact

For HIPAA compliance inquiries: compliance@featuresignals.com

HIPAA Compliance

Business Associate Agreement (BAA)

Technical Safeguards (§164.312)

Recommended Architecture

Contact

Next Steps