Yes — We’re happy to provide a signed BAA because we take shared responsibility seriously.

Business Associate Agreements (BAAs) are available for covered entities and their business associates. Elevare ensures all data handling, storage, and transmission align with HIPAA requirements as outlined in the BAA. This includes encryption at rest/in transit, audit logging, and compliance with data retention policies.

Yes — Deployments can be tailored to organizational needs. Options include:

- Cloud Hosting: HIPAA-compliant public cloud (AWS, Azure) with regional hosting for data residency.
- Private Cloud: On-premises or private cloud deployments for full control over infrastructure and security policies.

We’ll work with your IT team to configure the environment that best fits your compliance and operational requirements.

Secrets (e.g., encryption keys, API tokens) are never stored in source control. We use:

- Secret Rotation: Automated key rotation for sensitive fields.
- Application-Level Encryption: Optional field-level encryption for PHI (Protected Health Information).
- Secure Vaults: Integration with enterprise secret management tools like HashiCorp Vault or Azure Key Vault for production environments.

Elevare includes comprehensive audit logging that captures:

- Access Events: Who accessed the system, when, and from which IP.
- Data Changes: All modifications to patient records or SBIRT Chatbot workflows.
- Authentication Logs: Successful/failure login attempts with timestamps.
- Digital Signatures: Clinician e-signatures are logged immutably for CPT 99408/99409 compliance.

These logs are stored in encrypted, tamper-proof formats and can be exported for internal audits or regulatory reviews.

Yes—Elevare provides a standard security questionnaire covering HIPAA, SOC 2, and data governance. We also accept custom questionnaires from clients or third-party auditors for compliance reviews. Our documentation includes:

- Encryption protocols (AES-256 at rest, TLS 1.3 in transit).
- Access control models (role-based, least privilege).
- Data retention/deletion policies.
- Disaster recovery and backup procedures.

Elevare has a formal incident response plan that includes:

- Detection: Real-time monitoring for unauthorized access or anomalies.
- Containment: Immediate isolation of affected systems to prevent further exposure.
- Notification: Compliance with HIPAA breach notification requirements (within 60 days).
- Remediation: Root cause analysis, patching vulnerabilities, and updating security policies.

We also offer post-breach support for regulatory reporting and patient communication.

Yes—Elevare is SOC 2 Type II and HIPAA-compliant. We also support third-party audits for:

- Compliance Certifications: ISO 27001, HITRUST.
- Penetration Testing: Annual or on-demand security assessments by certified vendors.
- Data Residency Reports: Documentation to confirm data is stored in approved geographic regions.

The SBIRT Chatbot supports seamless integration with EHR systems via:

- FHIR®-compatible APIs: Structured data export for direct ingestion into EMRs (Epic, Cerner).
- PDF Export: Clinician-ready summaries for manual import or OCR scanning.
- Custom Endpoints: We can build custom API integrations to align with your EHR’s specific requirements.

MFA is optional but highly recommended for clinician accounts. Supported methods include:

- Email/SMS Verification: One-time codes sent to registered devices.
- Authenticator Apps: Integration with Google Authenticator or Microsoft Authenticator.
- Hardware Tokens: For high-security environments.

MFA adds an extra layer of protection against unauthorized access to patient data and SBIRT workflows.

We provide:

- Onboarding Training: Walkthroughs of security features (audit logs, MFA, data retention).
- Compliance Guides: Documentation on HIPAA, SOC 2, and EHR integration best practices.
- Annual Refresher Courses: Optional training modules for clinicians and admins to stay updated on compliance changes.