Healthcare Compliance Ready

HIPAA Compliance
Resources & Downloads

Everything you need to achieve and maintain HIPAA compliance with LinkBox AI. Download policy templates, training materials, and implementation guides.

At a glance: 13 resource documents, a 12-week roadmap, 256-bit (AES-256) encryption, and a BAA available.

Built-in Technical Safeguards

45 CFR § 164.312 Compliant Technical Controls

  • AES-256 encryption at rest (FIPS 140-2 validated modules)
  • TLS 1.3 in transit, with certificate pinning on mobile clients
  • Row Level Security (RLS) in Supabase PostgreSQL
  • Multi-factor authentication (TOTP / WebAuthn)
  • 15-minute inactivity timeout with automatic logout
  • Immutable audit logs with 6-year retention

PHI Security Classification Levels

LinkBox AI implements a 3-tier data classification system for Protected Health Information (PHI) with Row Level Security (RLS) policies enforced at the database level.

Restricted

Highest sensitivity PHI data

Data Types

SSN, medical record numbers, health insurance IDs, biometric data

Security Controls

  • Encryption required
  • Access request workflow
  • Real-time monitoring

Confidential

Sensitive health information

Data Types

Diagnosis codes, prescription data, lab results, treatment plans

Security Controls

  • Role-based access
  • Audit logging
  • Data masking in logs

Internal

General healthcare data

Data Types

Appointment dates, provider names, facility information

Security Controls

  • Authentication required
  • Standard logging
  • RLS policies

Row Level Security (RLS) Enforcement

All PHI data is protected by PostgreSQL Row Level Security policies via Supabase. Users can only access records they own or have explicit authorization for, and the check runs on every query at the database layer, not just in application code. The one role that bypasses RLS, Supabase's service role, is used only server-side (see Secrets Management) and is never shipped to clients.

Access Control Levels

Role-based access control (RBAC) with 5 permission levels for PHI access

  • Level 0, No Access: completely denied
  • Level 1, Read Only: view PHI without modification
  • Level 2, Read/Write: standard healthcare worker
  • Level 3, Admin: full PHI management
  • Level 4, Audit: compliance officer access
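The "owner, or explicitly granted" rule and the five access levels above can be written directly as PostgreSQL policies. The following is an added example for this page, not LinkBox AI's own schema: the table and function names (phi_records, phi_grants, phi_level) are assumptions, and it relies on Supabase's auth.uid() helper, which returns the caller's user id from the request JWT.

```sql
-- Added example (not LinkBox AI's schema): "owner, or explicitly granted" RLS
-- with the five access levels. Assumes Supabase's auth.uid() helper; table and
-- function names are illustrative.
create table if not exists phi_records (
  id             uuid primary key default gen_random_uuid(),
  owner_id       uuid not null,          -- the user whose PHI this is
  classification text not null
    check (classification in ('restricted', 'confidential', 'internal')),
  body           jsonb not null
);

-- Explicit authorization: grantee -> owner -> level.
-- 0 no access, 1 read only, 2 read/write, 3 admin, 4 audit
create table if not exists phi_grants (
  grantee_id uuid not null,
  owner_id   uuid not null,
  level      smallint not null check (level between 0 and 4),
  primary key (grantee_id, owner_id)
);

-- Level the calling user holds over one owner's records. security definer so
-- the lookup works even though callers get no direct access to phi_grants.
-- An anonymous caller (auth.uid() is null) falls through to 0.
create or replace function phi_level(p_owner uuid) returns smallint
language sql stable security definer set search_path = public as $$
  select case
    when p_owner = auth.uid() then 3::smallint       -- owners administer their own records
    else coalesce(
      (select level from phi_grants
        where grantee_id = auth.uid() and owner_id = p_owner),
      0::smallint)
  end;
$$;

alter table phi_records enable row level security;
alter table phi_records force row level security;  -- the table owner gets no exemption
alter table phi_grants  enable row level security;  -- no policies: unreachable through the API

-- Read: levels 1 to 4. Level 4 (audit) reads but never writes.
create policy phi_select on phi_records for select to authenticated
  using (phi_level(owner_id) >= 1);

-- Write: levels 2 and 3 only.
create policy phi_insert on phi_records for insert to authenticated
  with check (phi_level(owner_id) in (2, 3));
create policy phi_update on phi_records for update to authenticated
  using (phi_level(owner_id) in (2, 3))
  with check (phi_level(owner_id) in (2, 3));

-- Delete: admin only.
create policy phi_delete on phi_records for delete to authenticated
  using (phi_level(owner_id) = 3);
```

To exercise the policies from a SQL session, run `set local role authenticated;` and then `set local request.jwt.claims = '{"sub":"<user uuid>"}';` (one of the settings Supabase's auth.uid() reads), and query phi_records as that user; a user with no row in phi_grants and no records of their own sees nothing. Supabase's service_role bypasses RLS entirely, which is why it must stay server-side.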

Download Resources

All 13 HIPAA compliance documents available for immediate download

Getting Started

Essential resources to begin your HIPAA compliance journey

Compliance Roadmaps

Strategic planning documents for long-term compliance

Policies & Templates

Ready-to-use policy documents and templates

Training & Education

Staff training materials and educational resources

Risk Management

Risk assessment tools and security frameworks

Need All Resources?

Download the complete HIPAA compliance package with all 13 documents

Defense in Depth

System-Wide Security
Measures

LinkBox AI employs a comprehensive, multi-layered security architecture to protect your data at every level—from infrastructure to application to integration.

At a glance: AES-256 encryption standard, TLS 1.3 transit security, zero client-side secrets, 6-year audit retention.

Infrastructure Security

Enterprise-grade cloud infrastructure with defense-in-depth architecture.

  • Google Cloud Run — SOC 2 Type II, ISO 27001 certified cloud hosting with automatic scaling and DDoS protection
  • Supabase PostgreSQL — HIPAA-eligible managed database with automatic backups and point-in-time recovery
  • Edge Functions — Server-side compute for sensitive operations, isolated per-request execution
  • Network Isolation — Private networking between services, no public database endpoints

Secrets Management

Multi-tier secrets architecture ensures credentials never reach client devices.

  • Tiered Access Control — API keys classified into Tier 1 (server-only secrets, never returned to a client) and Tier 2 (public identifiers that are safe to embed in clients); the boundary is enforced in the edge functions that hand configuration to clients
  • Zero Client Exposure — No API secrets in iOS bundles, Android builds, or browser code. All secrets stored in Supabase Vault
  • GCP Secret Manager — Production secrets injected at deploy time via Google Cloud Secret Manager, never committed to source
  • Keychain / Secure Storage — User BYOK keys stored in platform-native secure enclaves (iOS Keychain, Android Keystore)

Data Protection

Database-level enforcement means data isolation cannot be bypassed by application code or a compromised client: the policies apply to every query the API roles run.

  • Row Level Security — Every table enforces RLS policies at the PostgreSQL level. Users can only reach rows they own or have been explicitly granted access to
  • AES-256 at Rest — All database storage encrypted with FIPS 140-2 validated modules
  • TLS 1.3 in Transit — All data encrypted in transit with certificate pinning on mobile clients
  • Immutable Audit Trails — 6-year retention of all data access, modifications, and security events
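An append-only audit table, as an added example that is not the project's own schema: changes to a PHI table are recorded by a trigger, and the audit rows themselves are protected from rewriting. The table and function names are assumptions; phi_records is assumed to have id and owner_id columns, and auth.uid() is Supabase's helper for the caller's user id.

```sql
-- Added example (not LinkBox AI's schema): an append-only audit table fed by a
-- trigger on a PHI table. Assumes a phi_records table with id and owner_id
-- columns and Supabase's auth.uid() helper; names are illustrative.
create table if not exists phi_audit_log (
  id              bigint generated always as identity primary key,
  occurred_at     timestamptz not null default now(),
  actor_id        uuid,                 -- null for server-side jobs with no user JWT
  action          text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  record_id       uuid not null,
  owner_id        uuid not null,
  changed_columns text[]                -- column names only: no PHI values in the log
);

-- API roles may read (subject to RLS) but never insert, update or delete directly.
revoke all on phi_audit_log from public, anon, authenticated;
grant select on phi_audit_log to authenticated;
alter table phi_audit_log enable row level security;
create policy audit_read_own on phi_audit_log for select to authenticated
  using (owner_id = auth.uid());   -- a compliance-officer (level 4) policy would sit beside this

-- Defence in depth: even a role that somehow holds UPDATE/DELETE is refused.
create or replace function phi_audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'phi_audit_log is append-only (% refused)', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;
create trigger phi_audit_log_no_rewrite
  before update or delete on phi_audit_log
  for each row execute function phi_audit_log_immutable();

-- One audit row per change. security definer, so the caller needs no INSERT
-- privilege on the audit table and cannot write arbitrary rows into it.
create or replace function phi_records_audit() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  cols text[];
begin
  if tg_op = 'UPDATE' then
    -- record which columns changed, not what they changed to
    select array_agg(n.key) into cols
    from jsonb_each(to_jsonb(new)) n
    join jsonb_each(to_jsonb(old)) o on n.key = o.key
    where n.value is distinct from o.value;
  end if;
  insert into phi_audit_log (actor_id, action, record_id, owner_id, changed_columns)
  values (auth.uid(), tg_op,
          case tg_op when 'DELETE' then old.id else new.id end,
          case tg_op when 'DELETE' then old.owner_id else new.owner_id end,
          cols);
  return null;  -- AFTER trigger: the return value is ignored
end;
$$;
create trigger phi_records_audit
  after insert or update or delete on phi_records
  for each row execute function phi_records_audit();
```

Two caveats a reviewer would raise. PostgreSQL triggers do not fire on SELECT, so the "all data access" part of the bullet above has to be captured at the API or edge-function layer, or with an extension such as pgaudit, not by this trigger. And the table owner can still drop the trigger, so a six-year retention promise should also copy the rows to storage the database cannot rewrite.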

Authentication & Identity

Multi-factor authentication with enterprise identity providers.

  • MFA / 2FA — TOTP and WebAuthn support for multi-factor authentication on all accounts
  • SSO / OAuth 2.0 — Sign in with Google, Apple, or GitHub using the authorization-code flow with PKCE
  • Session Management — 15-minute inactivity timeout with automatic session invalidation, implementing the automatic-logoff specification of 45 CFR § 164.312(a)(2)(iii); HIPAA itself prescribes no fixed interval
  • JWT Verification — Cryptographically signed tokens validated on every API request

Integration & OAuth Security

Secure third-party connections with scoped, revocable access.

  • Server-Side Token Exchange — OAuth client secrets never exposed to clients; all token exchanges happen server-side via service role
  • Minimum Privilege Scopes — Each integration requests only the permissions it needs (e.g., read-only calendar access)
  • CSRF Protection — A random state value on every OAuth flow, bound to the user's session through an HTTP-only cookie and checked on the callback before any token exchange takes place
  • Instant Revocation — Users can disconnect any integration at any time, immediately deleting all stored tokens

Skill & Extension Security

Every imported skill is scanned, hashed, and monitored for integrity.

  • VirusTotal Scanning — All imported skills are scanned for malware before installation
  • Content Hashing — A SHA-256 digest of each skill is recorded so that later modification is detectable; on its own a hash proves nothing about origin, since whoever alters the content can recompute it
  • HMAC Tags — A keyed HMAC-SHA256 over the content, computed with a server-held key (a message authentication code, not a public-key signature), lets the server verify that a skill is the exact content it approved
  • Security Event Logging — All blocked installs, integrity violations, and suspicious patterns are logged and auditable
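The hash, HMAC and event-logging bullets above, as one added example written for this page rather than LinkBox AI's own pipeline. Where the real check runs is not stated; this version puts it at the database boundary in a BEFORE INSERT trigger using pgcrypto. The table and function names are assumptions, as is the location of the HMAC key: it is assumed to be stored in Supabase Vault under the name skill_hmac_key and read through Vault's vault.decrypted_secrets view.

```sql
-- Added example (not LinkBox AI's code): SHA-256 and HMAC-SHA256 checks on an
-- imported skill, run in a BEFORE INSERT trigger with pgcrypto. Table and
-- function names are assumptions; the HMAC key is assumed to live in Supabase
-- Vault under the name 'skill_hmac_key'.
create extension if not exists pgcrypto;

create table if not exists skills (
  id             uuid primary key default gen_random_uuid(),
  owner_id       uuid not null,
  content        text not null,
  content_sha256 text not null,  -- hex digest shipped with the skill
  content_hmac   text not null   -- hex HMAC-SHA256 issued by the server after scanning
);

create table if not exists security_events (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  kind        text not null,   -- 'integrity_violation', 'blocked_install', ...
  actor_id    uuid,
  skill_id    uuid,
  detail      text
);

-- Server-held key, read from Vault. Callable only by the definer-owner.
create or replace function skill_hmac_key() returns bytea
language sql stable security definer set search_path = public as $$
  select convert_to(decrypted_secret, 'UTF8')
  from vault.decrypted_secrets where name = 'skill_hmac_key';
$$;
revoke execute on function skill_hmac_key() from public, anon, authenticated;

-- Called server-side once a skill has passed the malware scan: the tag binds
-- "approved" to this exact content.
create or replace function issue_skill_hmac(p_content text) returns text
language sql stable security definer set search_path = public, extensions as $$
  select encode(hmac(convert_to(p_content, 'UTF8'), skill_hmac_key(), 'sha256'), 'hex');
$$;
revoke execute on function issue_skill_hmac(text) from public, anon, authenticated;

create or replace function skills_verify_integrity() returns trigger
language plpgsql security definer set search_path = public, extensions as $$
declare
  body     bytea;
  want_sha text;
  want_mac text;
begin
  body     := convert_to(new.content, 'UTF8');
  want_sha := encode(digest(body, 'sha256'), 'hex');
  want_mac := encode(hmac(body, skill_hmac_key(), 'sha256'), 'hex');

  -- Fail closed: a missing key must not turn into a passing check.
  if want_mac is null then
    raise exception 'skill HMAC key is not configured';
  end if;

  -- The bare hash catches corruption, but anyone who edits the content can
  -- recompute it, so it says nothing about who produced the skill.
  if new.content_sha256 is distinct from want_sha then
    insert into security_events (kind, actor_id, skill_id, detail)
    values ('integrity_violation', auth.uid(), new.id, 'sha256 mismatch');
    return null;  -- suppress the insert; the event row above still commits
  end if;

  -- Only a holder of the server key can produce a matching tag, so a match
  -- means this exact content went through the server's approval step.
  if new.content_hmac is distinct from want_mac then
    insert into security_events (kind, actor_id, skill_id, detail)
    values ('blocked_install', auth.uid(), new.id, 'hmac mismatch');
    return null;
  end if;
  return new;
end;
$$;

create trigger skills_verify_integrity
  before insert or update of content on skills
  for each row execute function skills_verify_integrity();
```

The trigger returns NULL rather than raising on a failed check for a reason: an exception would roll back the whole statement, including the security_events row, and the blocked install would leave no trace. Returning NULL from a BEFORE ROW trigger drops the skill row while the event insert commits, which is the behaviour the "all blocked installs ... are logged" bullet describes.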

Real-Time Monitoring

  • Continuous health monitoring of all services and infrastructure components
  • Automated alerting for anomalous access patterns and failed authentication attempts
  • Database query monitoring to flag anomalous query shapes, volumes, and timing that may indicate injection attempts or data scraping
  • Realtime websocket connections secured with per-session JWT validation

Cross-Platform Consistency

  • Identical security posture across iOS, Android, and Web — no platform shortcuts
  • Single centralized edge function (get-service-config) hands every client its configuration; it returns only Tier 2 public identifiers, so Tier 1 secrets never leave the server regardless of platform
  • Local Orchestrator communications secured via A2A protocol with per-session authentication
  • Privacy-first AI processing — local inference for sensitive data, cloud only when necessary

Continuous Security Improvement

Our security measures are not static. We conduct regular penetration testing, dependency audits, and architecture reviews. Our LLM model registry is validated twice monthly, and all third-party integrations undergo periodic access scope reviews. If you have questions about our security posture, contact us at security@linkboxai.com.

Ready to Get HIPAA Compliant?

Start your free trial and experience enterprise-grade security with HIPAA-ready infrastructure from day one.