HIPAA Compliance & Security Architecture

Last Updated: February 19, 2026

At SANI AI, security is not an afterthought; it is the foundation of our "Invisible Guardian" architecture. We design and operate the platform to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and the HITECH Act, so that your clinical data remains confidential, intact, and available only to authorized personnel.

1. Business Associate Agreement (BAA)

SANI AI is fully prepared to execute a Business Associate Agreement (BAA) with all covered entities (hospitals, hospices, skilled nursing facilities) prior to the deployment of any pilot or commercial hardware.

  • Shared Liability: As a business associate we are directly liable under the HIPAA Rules for the security of Protected Health Information (PHI) that our Sensor Nodes and cloud infrastructure create, receive, maintain, or transmit, and we accept that responsibility.

  • Standardized Framework: Our BAA contains the required elements of 45 CFR § 164.504(e) and follows the sample business associate provisions published by the Department of Health and Human Services (HHS).

2. Technical Safeguards

  • Data Minimization: By default, raw sensor data (spatial and ambient clinical signals) is processed on the Sensor Node itself; the raw signals are not transmitted off the device.

  • Diagnostic Integrity: Raw data transmission is disabled in standard operation. It can be enabled only for brief, explicitly authorized diagnostic, calibration, or quality-assurance intervals, over encrypted transport, and is disabled again when the interval ends.
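One way to implement the "disabled by default, enabled only for a brief authorized interval" rule above is a default-deny gate on the node that accepts raw export only under a signed authorization bound to that node, a stated purpose, and a short time window. The following is an added illustration, not SANI's own code; the key, node identifiers, purpose names, and the 15-minute cap are constructed for the example.

```python
# Added example (not SANI's code): default-deny gate for raw sensor export.
# The node transmits raw samples only under a signed authorization bound to
# this node, a stated purpose and a short time window. Key, node IDs and the
# window cap below are constructed for the example.
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real node would keep this in a hardware-backed
# keystore, and the signer would sit behind the operator's MFA-protected console.
AUTH_KEY = b"constructed-demo-key-do-not-use"
MAX_WINDOW_SECONDS = 15 * 60            # policy cap on any single interval
ALLOWED_PURPOSES = ("diagnostic", "calibration", "qa")


def sign_window(node_id, purpose, start, end, key=AUTH_KEY):
    """Issue an authorization token for raw export on one node for one interval.

    The signer refuses to mint tokens that violate policy, so a bad request is
    caught at issue time rather than producing a token the node will reject.
    """
    if purpose not in ALLOWED_PURPOSES:
        raise ValueError(f"purpose must be one of {ALLOWED_PURPOSES}")
    if end <= start or end - start > MAX_WINDOW_SECONDS:
        raise ValueError("interval must be positive and within the policy cap")
    payload = json.dumps(
        {"node": node_id, "purpose": purpose, "start": start, "end": end},
        sort_keys=True,
    )
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def raw_export_allowed(node_id, token, now=None, key=AUTH_KEY):
    """Return True only if `token` is a valid, unexpired window for `node_id`.

    Every failure path returns False: no token, bad signature, token issued for
    another node, over-long window, or current time outside the interval. The
    node never "fails open" to raw transmission on a malformed token.
    """
    if not token:
        return False
    now = time.time() if now is None else now
    try:
        expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; verify before trusting any claim in the payload.
        if not hmac.compare_digest(expected, token["mac"]):
            return False
        claims = json.loads(token["payload"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return False
    if claims.get("node") != node_id or claims.get("purpose") not in ALLOWED_PURPOSES:
        return False
    start, end = claims.get("start"), claims.get("end")
    if not isinstance(start, (int, float)) or not isinstance(end, (int, float)):
        return False
    # Re-check the cap on the node: a validly signed token with a longer window
    # is still rejected, so a compromised signer cannot open a standing channel.
    if end - start > MAX_WINDOW_SECONDS:
        return False
    return start <= now < end


def telemetry_frame(node_id, raw_sample, derived_event, token=None, now=None):
    """Build the frame the node transmits: derived events always, raw only when gated."""
    frame = {"node": node_id, "event": derived_event}
    if raw_export_allowed(node_id, token, now=now):
        frame["raw"] = raw_sample
    return frame
```

The node re-checks the window cap even on a correctly signed token, so the policy holds on the device rather than only at the signer; binding the token to a node ID means a token captured from one node cannot be replayed against another.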

3. Access Control & Authentication

SANI enforces strict Role-Based Access Control (RBAC) to ensure that only authorized clinicians can view patient data.

  • Multi-Factor Authentication (MFA): MFA is enforced for all administrative access to the SANI Clinical Dashboard.

  • Audit Logging: All administrative access to patient data is logged and auditable. SANI staff access is restricted to the minimum level necessary for technical support (the principle of least privilege) and is subject to strict internal review.
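The three controls in this section fit together as one authorization path: a role lookup, an MFA check on administrative roles, and an audit record for every decision, denials included, since denied requests are what a reviewer looks at first. The following is an added illustration of that path, not SANI's dashboard code; the role names, permission strings, and sample sessions are constructed for the example.

```python
# Added example (not SANI's code): role-based authorization for a clinical
# dashboard with an MFA check on administrative roles and an audit record for
# every decision, denials included. Role names, permissions and the sample
# sessions are constructed for the example.
import json
import time
from dataclasses import dataclass, field

# Permission sets per role. Vendor support deliberately has no "patient:read":
# least privilege means the support role can diagnose a node without seeing PHI.
ROLE_PERMISSIONS = {
    "clinician": {"patient:read"},
    "dashboard_admin": {"patient:read", "user:manage", "audit:read"},
    "vendor_support": {"node:diagnose", "audit:read"},
}
ADMIN_ROLES = {"dashboard_admin"}       # roles for which MFA is mandatory


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, action, resource, allowed, reason, now):
        # Append-only; one JSON line per decision so it ships cleanly to a SIEM.
        self.entries.append(json.dumps({
            "ts": now, "user": session.user, "role": session.role,
            "action": action, "resource": resource,
            "allowed": allowed, "reason": reason,
        }, sort_keys=True))


def authorize(session, action, resource, audit, now=None):
    """Decide whether `session` may perform `action` on `resource`; log either way."""
    now = time.time() if now is None else now
    permitted = ROLE_PERMISSIONS.get(session.role, set())   # unknown role -> nothing
    if action not in permitted:
        allowed, reason = False, "role lacks permission"
    elif session.role in ADMIN_ROLES and not session.mfa_verified:
        allowed, reason = False, "mfa required for administrative role"
    else:
        allowed, reason = True, "permitted"
    audit.record(session, action, resource, allowed, reason, now)
    return allowed


def denied_entries(audit):
    """Return parsed audit entries for denied requests."""
    return [e for e in map(json.loads, audit.entries) if not e["allowed"]]
```

An unknown role maps to the empty permission set rather than raising, so a misconfigured account is denied and logged instead of failing open; logging denials alongside grants is what makes the "subject to strict internal review" claim checkable.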

4. Physical & Environmental Security

  • Hardware Tamper Resistance: The SANI Sensor Node is housed in a physically hardened, tamper-resistant enclosure designed to resist unauthorized access to its internals.

  • Encrypted Storage (Data at Rest): All local storage on the node uses full disk encryption (FDE). The encryption keys are managed by our cloud infrastructure rather than stored in the clear on the device, so the storage of a stolen node cannot be read without them. FDE is a control for data at rest: it protects a powered-off or unlocked-at-boot device against theft, not a running node that has already unlocked its volume, which is why it is paired with the tamper-resistant enclosure and the access controls above.

  • Cloud Infrastructure: Our platform is hosted on cloud infrastructure (e.g., AWS, GCP, or Azure) using services the provider designates as HIPAA-eligible, under a BAA with that provider; this is what "HIPAA-compliant" hosting means in practice, since HHS certifies no product or provider. The providers hold SOC 2 Type II attestation reports.

5. Incident Response & Breach Notification

In the unlikely event of a security incident, SANI maintains a rigorous Incident Response Plan (IRP).

  • Automated Continuous Monitoring: We utilize automated intrusion detection systems (IDS) to monitor our cloud environment for anomalous network traffic 24/7 and to alert the incident response team.

  • Notification Protocol: We are legally committed to notifying our partners of any breach of unsecured PHI within the timelines mandated by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). As a business associate, we notify the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR § 164.410), with the information it needs to meet its own notification duties to individuals, HHS and, where required, the media.

6. Contact the Security Team

For Security Questionnaires, Vendor Risk Assessments, or to request a copy of our standard BAA, please contact:

SANI AI Security Office

Chicago, Illinois

contact@saniapp.ai