How HIPAA applies to you

If you are a psychologist or clinical practitioner drafting reports that contain patient information, you are handling Protected Health Information (PHI). HIPAA’s Security Rule (45 CFR 164.308, 164.310, 164.312) requires you to protect that data with administrative, physical, and technical safeguards.

When you use a cloud service to store or process PHI, that cloud provider becomes a Business Associate. Per HHS guidance on cloud computing, this is true even if the provider cannot view the data because it is encrypted. You must sign a Business Associate Agreement (BAA) before placing PHI on the service.

With Claria, AWS is your only Business Associate. The Claria app runs on your computer and connects directly to your AWS account. Claria’s developers never see your data, credentials, or usage. The BAA is between you and AWS.

What Claria configures for you

When you run the setup wizard, Claria’s provisioner automatically creates and hardens the following AWS resources in your account. The dashboard continuously monitors these settings and alerts you if anything drifts from the desired state.

  • Identity & access management: §164.308(a)(3)(i), §164.308(a)(4)(i)
  • Encrypted storage (S3): §164.312(a)(2)(iv), §164.308(a)(1)(ii)(B)
  • Audit logging (CloudTrail): §164.312(b), §164.308(a)(3)(ii)(A)
  • BAA agreement: §164.308(b)(1)
  • AI model access (Bedrock): §164.308(b)(1), §164.502(b)
  • Audio transcription (Transcribe)
  • Encryption in transit: §164.312(e)(1)

HIPAA requirements and Claria’s controls

The table below maps specific HIPAA Security Rule requirements to the technical controls Claria provisions in your AWS account.

Requirement | CFR citation | Claria’s control
--- | --- | ---
Encryption at rest | §164.312(a)(2)(iv) | S3 bucket with AES-256 server-side encryption enforced
Encryption in transit | §164.312(e)(1) | All AWS API calls use TLS; all endpoints are HTTPS-only
Access controls | §164.312(a)(1) | Dedicated IAM user with least-privilege policy, resource-scoped to the data bucket
Audit controls | §164.312(b) | CloudTrail records every API call with encrypted log storage
Integrity controls | §164.312(c)(1) | S3 versioning — objects cannot be silently overwritten or deleted
Risk management | §164.308(a)(1)(ii)(B) | Dashboard scans all infrastructure resources and reports configuration drift
No public exposure | §164.308(a)(3)(i) | S3 public access block (all four flags) prevents accidental public access
BAA with cloud provider | §164.308(b)(1) | Claria checks for an active AWS BAA and blocks provisioning until it is acknowledged
AI provider compliance | §164.308(b)(1) | Bedrock is HIPAA-eligible under the AWS BAA; no data retention or training
Minimum necessary | §164.502(b) | Only files attached to a specific client are sent to the model
Data residency | §164.312(a)(1) | All data stays in your own AWS account in your chosen region; Claria developers have zero access
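The dashboard's drift monitoring described above checks the provisioned settings against a desired state. The following is an added example of such a check for the S3 controls in the table (encryption at rest, versioning, public access block), not Claria's own code: each function takes the response shape of the boto3 S3 call named in its docstring, so it runs offline here against constructed sample responses.

```python
"""Desired-state checks for the S3 data bucket (added example, not Claria's code)."""

def check_encryption(resp):
    """resp: shape of s3.get_bucket_encryption(). Desired state is AES256 (SSE-S3)."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["encryption: no default server-side encryption rule"]
    algo = rules[0].get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
    if algo != "AES256":
        return [f"encryption: default algorithm is {algo!r}, expected 'AES256'"]
    return []

def check_versioning(resp):
    """resp: shape of s3.get_bucket_versioning(). A missing 'Status' means never enabled."""
    status = resp.get("Status")
    return [] if status == "Enabled" else [f"versioning: status is {status!r}, expected 'Enabled'"]

# The four public access block flags the page refers to.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def check_public_access_block(resp):
    """resp: shape of s3.get_public_access_block(). All four flags must be True."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [f"public access block: {flag} is not True" for flag in PAB_FLAGS if cfg.get(flag) is not True]

def drift_report(encryption, versioning, pab):
    """Combine all findings; an empty list means the bucket matches the desired state."""
    return check_encryption(encryption) + check_versioning(versioning) + check_public_access_block(pab)

# Constructed sample responses (not captured from a real account).
COMPLIANT = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={"Status": "Enabled"},
    pab={"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
)
DRIFTED = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    versioning={},  # versioning was never enabled on this bucket
    pab={"PublicAccessBlockConfiguration": {**{f: True for f in PAB_FLAGS}, "BlockPublicPolicy": False}},
)

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, drift_report(**cfg) or ["ok"])
```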

AWS Config HIPAA rules addressed

From the AWS Config HIPAA Security conformance pack, Claria directly addresses:

AWS Config rule | What Claria does
--- | ---
s3-bucket-server-side-encryption-enabled | Enforces AES-256 encryption on the data bucket
s3-bucket-versioning-enabled | Enables versioning for integrity and recovery
s3-bucket-public-read-prohibited | All four public access block flags set
s3-bucket-public-write-prohibited | All four public access block flags set
cloudtrail-enabled | Creates and enables a CloudTrail trail
iam-policy-no-statements-with-admin-access | IAM policy is scoped; no statement grants Action "*" on Resource "*"
iam-policy-no-statements-with-full-access | Each IAM statement is scoped to specific actions
iam-root-access-key-check | Setup wizard guides you away from using root credentials
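The two IAM rules above describe statement patterns a least-privilege policy must avoid. The following is an added example, not Claria's provisioner or AWS's Config rule implementation: a scanner that approximates both rules' documented intent (an Allow of Action "*" on Resource "*", and any action of the form "service:*"), run against a constructed bucket-scoped policy (placeholder bucket name) and a constructed over-broad one.

```python
"""Scan an IAM policy document for admin and full-service-access statements.
Added example; the checks approximate the two AWS Config rules named on the page."""
import json

def _as_list(v):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def scan_policy(policy):
    """Return one finding per offending Allow statement; empty list means clean."""
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement"))):
        if s.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        actions = _as_list(s.get("Action"))
        resources = _as_list(s.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: admin access (Action '*' on Resource '*')")
            continue
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: full access to a service via {a!r}")
    return findings

# Constructed least-privilege policy in the shape the page describes:
# specific actions only, resource-scoped to the data bucket (placeholder ARN).
BUCKET = "arn:aws:s3:::PLACEHOLDER-claria-data-bucket"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion"],
         "Resource": f"{BUCKET}/*"},
    ],
}
# Constructed counter-example containing both flagged patterns.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": f"{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    print(scan_policy(SCOPED_POLICY) or ["ok"])
    print(scan_policy(OVERBROAD_POLICY))
```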

Your responsibilities as a covered entity

Claria automates the technical configuration of your AWS resources. But HIPAA compliance extends beyond infrastructure. Per HHS guidance, the covered entity retains ultimate responsibility even when using a cloud provider.

Administrative safeguards

  • Risk analysis — conduct your own assessment of using Claria, even though the app automates technical setup
  • Policies and procedures — written HIPAA policies for your practice
  • Workforce training — staff must understand HIPAA obligations and how to use Claria securely
  • Breach notification — you must notify affected individuals and HHS in the event of a breach

Physical safeguards

  • Device security — physical security of the computer running Claria
  • Disk encryption — enable FileVault (macOS) or BitLocker (Windows)
  • Device disposal — secure wipe procedures for retired equipment

Technical safeguards

  • Network security — secure Wi-Fi, VPN, and firewall at your clinic
  • OS updates — keep your workstation patched
  • AWS account security — enable MFA, use strong passwords
  • Sign the BAA — Claria checks and prompts, but you must accept it in the AWS Console

Organizational requirements

  • Records retention — HIPAA requires a 6-year retention period, which S3 versioning alone does not satisfy
  • Compliance documentation — keep notes on risk assessments, policy decisions, and remediation
  • Clinical content — you own the accuracy and clinical judgment of all reports

The self-hosted compliance model

Claria is designed so that you own all the infrastructure. This is both a feature and a responsibility.

The feature: No third-party SaaS vendor has access to patient data. There is no vendor lock-in, no data escrow, no subscription that could lapse and lock out access to records. Your AWS account is always yours. Claria collects no telemetry and the developers never see any user data.

The responsibility: In a traditional SaaS arrangement, the vendor takes on compliance responsibility as a Business Associate. With Claria, you are both the Covered Entity and the operator of the infrastructure. This means:

  • You are responsible for auditing your own AWS account
  • Misconfiguration resulting from Claria’s use is your responsibility
  • The Claria authors are not a Business Associate and accept no liability for HIPAA compliance
  • You must keep documentation of your compliance process
  • AWS is the only Business Associate in this arrangement

How Claria mitigates these risks

Getting started

The first step toward HIPAA-compliant AI is signing the AWS Business Associate Agreement. This is a free, one-time step in the AWS Console.

Sign the AWS BAA

AWS offers a Business Associate Agreement at no extra cost. Once enrolled, the services Claria uses — S3, Bedrock, Transcribe, and CloudTrail — become HIPAA-eligible. No special pricing tier, no enterprise sales call.


After signing the BAA, download Claria and the setup wizard will walk you through the rest — creating your IAM user, configuring encryption, enabling audit logging, and setting up AI model access.
