Compliance pack
BAA inventory, HIPAA SRA technical controls, audit-hash construction, and infrastructure topology — everything a BD legal or compliance counsel typically asks for in early diligence. Full source documents available on request.
Download the single-PDF Compliance Pack
Always-current version. Generated from the canonical source documents in our launch-prep repo at build time.
BAA matrix
| Vendor | Scope | Status |
|---|---|---|
| AWS (Textract + S3 + Lightsail) | Document OCR, encrypted offsite backups, public TLS gateway | Signed 2026-05-08 |
| Google Workspace | Operator mailbox + admin email | Signed 2026-05-12 |
| Paubox | Transactional email (HIPAA Email API) | Signed 2026-05-16 |
| Stripe | Payments (PHI-free) | Conduit exception |
| Cloudflare | DNS only — proxy disabled | N/A |
Drug-agnostic recommendation hash
Every appeal-letter generation records a SHA-256 hash of the (insurer, drug class, denial reason, ICD-10, clinical evidence) tuple that drove the recommendation. The hash is constructed before any pharma-funding-source attribution is applied, so the audit trail demonstrates that appeal logic is funding-source-independent.
This is the operational implementation of the Personal Services Safe Harbor "fair market value, no marketing influence" requirement: the same clinical situation yields the same hash, regardless of who subsidized the appeal.
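An added sketch of the construction described above, not DenialHelp's own code: the five clinical fields are allow-listed and serialized canonically before hashing, and the funding source is attached only afterwards. The key names, the normalization rules, the order-insensitive treatment of evidence, and the sample case are assumptions made for this example.

```python
import hashlib
import json
import unicodedata

# Key names are assumptions; the page names the five tuple members only.
CLINICAL_FIELDS = ("insurer", "drug_class", "denial_reason", "icd10", "clinical_evidence")


def _norm(text):
    # Assumed normalization: Unicode NFC plus collapsed whitespace.
    return " ".join(unicodedata.normalize("NFC", text).split())


def recommendation_hash(case):
    """SHA-256 over an allow-listed, canonically serialized clinical tuple."""
    missing = [f for f in CLINICAL_FIELDS if f not in case]
    if missing:
        raise ValueError(f"missing clinical fields: {missing}")
    canonical = {f: _norm(case[f]) for f in CLINICAL_FIELDS[:4]}
    # Evidence is treated as a set of citations: order must not change the hash.
    canonical["clinical_evidence"] = sorted(_norm(e) for e in case["clinical_evidence"])
    # JSON keeps field boundaries explicit, unlike plain string concatenation.
    payload = json.dumps(canonical, sort_keys=True, separators=(",", ":"),
                         ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def record_appeal(case, funding_source):
    # Hash first; attribution is attached afterwards and never enters the digest.
    digest = recommendation_hash(case)
    return {"recommendation_hash": digest, "funding_source": funding_source}


# Constructed sample case (not real data).
SAMPLE = {
    "insurer": "Example Health Plan",
    "drug_class": "GLP-1 receptor agonist",
    "denial_reason": "step therapy not met",
    "icd10": "E11.9",
    "clinical_evidence": ["A1c 9.2% on metformin", "metformin intolerance documented"],
}

if __name__ == "__main__":
    a = record_appeal(SAMPLE, "manufacturer-program-A")
    b = record_appeal(dict(SAMPLE, funding_source="ignored"), None)
    print(a["recommendation_hash"] == b["recommendation_hash"])  # True
```

An auditor can recompute the digest from the stored clinical fields alone and compare it across appeals with different subsidizers.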
What we'll provide on request
- Full HIPAA Security Risk Assessment (technical + administrative controls).
- BAA executed copies for AWS, Workspace, Paubox.
- Incident response plan (rev 3, 2026-05-09).
- Architecture diagram + key/secret rotation policy.
- Pre-launch checklist + offsite backup DR runbook.
- SOC 2 Type I scoping document (engagement targeted Q3 2026).
Contact: [email protected] · Michael John Ryan, Privacy Officer, DenialHelp, LLC.