AHD-COMP-002 — HIPAA Compliance Checklist v0.1

Status: DRAFT v0.1

Foundational Posture

• All PHI held on HIPAA-eligible infrastructure under Avina Home Detox LLC
• Communications carrying PHI channelled through encrypted clinical platform (Spruce or OhMD), not email
• Staff devices firm-issued, encrypted at rest, remotely wipeable
• Granular access controls; access revoked the moment a role ends

CMIA Compliance (California, stricter than HIPAA)

Per NEXUS regulatory research: - 30-day breach notification (vs HIPAA’s 60) - Private right of action: $1,000 statutory damages per violation - Authorisation forms must be 14-point typeface minimum, physically separated from other text

BAA List

• DrChrono Pro (EMR vendor)
• Spruce or OhMD (clinical communications)
• Mercury Bank
• Pharmacy partner(s)
• Cloudflare (hosting)
• Any 1099 nurse engaged on a case (signed at engagement)
• Any consulting clinician engaged on a case (signed at engagement)

Encryption Posture

• AES-256 at rest
• TLS 1.3 in transit
• Key management via cloud provider HSM
• Backup encryption parallel to primary

Breach Notification

• Detection within 60 days
• Investigation within 24 hours of detection
• Notification to affected individuals within 30 days for CA (CMIA) / 60 days federal (HIPAA)
• Notification to HHS via web portal
• State notifications per state law

42 CFR Part 2 (additional layer for substance use treatment records)

• Enhanced consent requirements for any disclosure outside the primary treatment team
• Re-disclosure prohibition language on any release
• Patient access at no cost
• Counsel review of every disclosure protocol

Training

• All staff complete HIPAA + 42 CFR Part 2 + CMIA training before any case access
• Annual refresher
• Documented in personnel file