Compliance Documentation
HIPAA Compliance
This page is designed for CIOs, compliance officers, and security teams evaluating Vizier for use with protected health information. It documents our technical, administrative, and physical safeguards in accordance with the HIPAA Security Rule (45 CFR Part 164).
Your Role: Covered Entity
As a hospital, health system, physician practice, or other healthcare provider that creates, receives, or maintains PHI, you are a Covered Entity under HIPAA. You are responsible for ensuring that vendors who handle PHI on your behalf — including analytics vendors like Vizier — have a signed Business Associate Agreement in place.
Our Role: Business Associate
Vizier operates as a Business Associate when it receives, processes, or stores PHI on behalf of a Covered Entity. A Business Associate Agreement is required before any PHI is uploaded to the platform. BAAs are included with all subscription tiers — Practice, Health System, and Enterprise — at no additional charge.
BAA Included on All Tiers
Standard BAA executed within 1 business day. Custom BAA terms available for Enterprise. Contact legal@vizier.health for custom terms.
Technical Safeguards
Encryption at Rest
All data stored in the Vizier platform — including uploaded datasets, user-generated reports, query results, and configuration data — is encrypted at rest using AES-256 encryption. Encryption keys are managed by our cloud infrastructure provider using a hardware security module (HSM).
Encryption in Transit
All data transmitted between your browser and the Vizier platform, and between Vizier's internal services, is encrypted using TLS 1.3. We do not support older TLS versions (1.0, 1.1) or unencrypted HTTP connections.
Unique User Identification
Each user account in Vizier has a unique identifier. Shared accounts and shared credentials are not permitted. User activity is tied to the individual user account in audit logs.
Automatic Session Logoff
User sessions automatically expire after a configurable period of inactivity (default: 30 minutes). Users must re-authenticate after session expiration.
Audit Logs
Vizier maintains comprehensive audit logs for all user activity involving PHI, including data uploads, query execution, report generation, data exports, and user administration actions. Audit logs are tamper-resistant and retained for a minimum of 6 years.
Access Controls
Role-based access control (RBAC) allows administrators to define what data each user can access. Dataset-level access controls allow you to restrict which users can access which data sources.
Administrative Safeguards
Designated Security Officer
Vizier has a designated HIPAA Security Officer responsible for overseeing the security program, managing risk assessments, and ensuring compliance with the HIPAA Security Rule.
Workforce Training
All Vizier employees with access to PHI or systems that process PHI receive HIPAA training at hire and annually thereafter. Training includes PHI handling procedures, breach recognition and reporting, and acceptable use policies.
Access Management
Access to PHI and systems that process PHI is granted on a minimum-necessary basis. Access reviews are conducted quarterly. Access is revoked immediately upon employee termination.
Annual Risk Assessments
Vizier conducts a formal HIPAA Security Risk Assessment (SRA) annually, in compliance with 45 CFR § 164.308(a)(1). Risk assessment results inform our risk management plan and security roadmap.
Minimum Necessary Standard
Vizier applies the HIPAA Minimum Necessary Standard when processing PHI. We access and use only the PHI required to fulfill the contracted analytics services. Customer data is not used for internal analytics, model training, or any secondary purpose.
Contingency Planning
Vizier maintains a data backup plan, disaster recovery plan, and emergency mode operation plan. Recovery time objective (RTO) is 4 hours for Enterprise customers with SLA agreements.
Physical Safeguards
Data Center Physical Security
Vizier's cloud infrastructure runs in SOC 2 Type II certified data centers. Physical access to data center facilities is restricted to authorized personnel using multi-factor authentication and is monitored by 24/7 security. Data centers maintain environmental controls and redundant power.
Workstation Use Policies
Vizier employees with access to PHI are subject to workstation use policies that require encrypted hard drives, screen lock after inactivity, and prohibition of PHI on personal devices.
Device and Media Controls
Policies govern the receipt, removal, and disposal of hardware containing PHI. Media containing PHI is sanitized or destroyed using NIST-compliant methods before disposal.
HITECH Act Compliance
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA by extending direct liability to business associates and increasing penalties for non-compliance. Vizier complies with HITECH requirements, including the Breach Notification Rule, the prohibition on selling PHI, and the requirement to honor individual rights to access electronic PHI. As a Business Associate, Vizier is directly liable for compliance with the HIPAA Privacy and Security Rules under HITECH.
Breach Notification
In the event of a confirmed or suspected breach of unsecured PHI, Vizier will notify affected customers within 72 hours of discovery. This notification will include the nature of the breach, the categories and approximate number of individuals affected, the categories of PHI involved, steps being taken to investigate and mitigate, and steps individuals can take to protect themselves.
Covered entities are responsible for notifying HHS and, where required, affected individuals and the media, within the timeframes required by the HIPAA Breach Notification Rule. Vizier will cooperate fully in any investigation and provide all information reasonably required.