HIPAA COMPLIANCE
This document describes the administrative, technical, and physical safeguards inevid implements to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR §164.302–318) and Privacy Rule (45 CFR §164.500–534).
1. Covered Entity Information
Organization: Inevid
Platform: inevid.com
Type: Precision longevity platform processing electronic Protected Health Information (ePHI) including genomic data, bloodwork, medical imaging, wearable health metrics, prescription records, and AI-generated health analyses.
Compliance Officer: Bryan Hayes, Founder
Contact: [email protected]
2. Technical Safeguards (§164.312)
2.1 Access Control (§164.312(a))
All protected routes require JWT-based authentication via NextAuth.js. A middleware layer enforces authentication on every dashboard page and API endpoint before any ePHI is accessible. Every database query that touches ePHI includes the authenticated user's ID in its predicate, so a request cannot read another user's record by supplying that record's ID (insecure direct object reference).
Authentication
JWT tokens with 24-hour expiration, hourly refresh
Route protection
Edge middleware on all /dashboard/* and /api/* PHI endpoints
Data isolation
All database queries filtered by userId from authenticated session
Password storage
bcryptjs with cost factor 12
Admin access
Role-based (role field on User model), admin-only endpoints return 403
2.2 Audit Controls (§164.312(b))
Every access to ePHI is logged to a dedicated AuditLog table recording the user, action, resource, timestamp, IP address, and user agent. Audit logs are viewable by administrators and retained indefinitely. AWS CloudTrail independently logs all infrastructure-level API calls.
Application audit log
AuditLog table — userId, action, resource, resourceId, ipAddress, userAgent, timestamp
Actions tracked
READ, CREATE, UPDATE, DELETE, EXPORT, AI_QUERY on all PHI resources
PHI resources logged
Genomes, bloodwork, imaging, supplements, prescriptions, records, activities, wearables, profiles, Eddie AI, physician letters
Infrastructure audit
AWS CloudTrail — active since March 4, 2026, logging to encrypted S3
S3 access logging
Enabled on genome storage bucket, delivered to CloudTrail bucket
Admin dashboard
/dashboard/admin with real-time audit log viewer
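The two controls from 2.1 and 2.2 together, as an added illustration that is not inevid's code: a small data-access layer in which every ePHI lookup carries the session's userId in its predicate and writes an audit row before returning. An in-memory array stands in for the Prisma model and the AuditLog table; the session shape, the resource names, the sample rows and the `outcome` field on the audit row are assumptions made for the example.

```javascript
// Added example (not inevid's code): the controls from 2.1 and 2.2 as one
// small data-access layer. An in-memory array stands in for the Prisma model
// and the AuditLog table; the session shape, resource names, sample rows and
// the `outcome` audit field are assumptions made for the illustration.

/** Constructed sample data: bloodwork rows belonging to two different users. */
const bloodworkRows = [
  { id: "bw-1", userId: "alice", biomarkers: { ldl: 110 } },
  { id: "bw-2", userId: "bob", biomarkers: { ldl: 160 } },
];

/** Stand-in for the AuditLog table: the fields listed in 2.2, plus an outcome. */
const auditLog = [];

function httpError(status, message) {
  const err = new Error(message);
  err.status = status;
  return err;
}

/** Append one audit row. Denied attempts are logged too, so a cross-user probe leaves a trace. */
function audit(session, action, resource, resourceId, outcome) {
  auditLog.push({
    userId: session.userId,
    action,
    resource,
    resourceId,
    ipAddress: session.ip,
    userAgent: session.userAgent,
    timestamp: new Date().toISOString(),
    outcome,
  });
}

/**
 * VULNERABLE pattern: the row is looked up by id alone. Any authenticated user
 * who guesses or enumerates an id reads another user's ePHI (IDOR), and
 * nothing is written to the audit log.
 */
function getBloodworkUnscoped(session, id) {
  return bloodworkRows.filter((row) => row.id === id)[0];
}

/**
 * HARDENED pattern: the predicate always carries the session's userId (the
 * Prisma equivalent is findFirst({ where: { id, userId } }) with userId taken
 * from the session) and the access is audited before the result is returned.
 * A row that exists but belongs to someone else is indistinguishable from a
 * missing row, so the endpoint does not confirm which ids exist.
 */
function getBloodworkScoped(session, id) {
  const row = bloodworkRows.filter((r) => r.id === id && r.userId === session.userId)[0];
  audit(session, "READ", "bloodwork", id, row ? "ok" : "denied");
  if (!row) throw httpError(404, "not found");
  return row;
}

/** Admin-only endpoint: role check first (403 otherwise), then aggregate counts only, never rows. */
function adminMetrics(session) {
  if (session.role !== "admin") throw httpError(403, "forbidden");
  audit(session, "READ", "admin-metrics", "-", "ok");
  const distinctUsers = {};
  for (const row of bloodworkRows) distinctUsers[row.userId] = true;
  return { users: Object.keys(distinctUsers).length, bloodwork: bloodworkRows.length };
}

/** Constructed sessions standing in for what the NextAuth middleware would attach. */
const sessions = {
  alice: { userId: "alice", role: "user", ip: "203.0.113.10", userAgent: "demo" },
  bob: { userId: "bob", role: "user", ip: "203.0.113.11", userAgent: "demo" },
  admin: { userId: "ops-1", role: "admin", ip: "203.0.113.12", userAgent: "demo" },
};
```

Two practical notes. Returning 404 rather than 403 for a row that exists but belongs to another user is deliberate: the endpoint never confirms which resource IDs exist, while the `denied` audit rows are what an administrator would look for in the audit viewer to spot enumeration. And behind Cloudflare the client address written to `ipAddress` must be read from the CF-Connecting-IP header (or the rightmost trusted entry of X-Forwarded-For); reading the socket address records Cloudflare's edge IP instead of the user's.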
2.3 Integrity Controls (§164.312(c))
Integrity is protected at the data layer by Prisma's typed client and parameterized queries together with server-side input validation, and at the client by security headers that close the XSS, clickjacking, and MIME-confusion vectors through which an attacker could alter or exfiltrate data within a user's session.
ORM
Prisma — prevents SQL injection through parameterized queries in the generated client and in tagged-template $queryRaw/$executeRaw calls; the $queryRawUnsafe and $executeRawUnsafe escape hatches bypass this protection and must not be used with user input
X-Frame-Options
DENY — prevents clickjacking
Content-Security-Policy
Strict CSP with frame-ancestors 'none'
X-Content-Type-Options
nosniff — prevents MIME-type attacks
X-XSS-Protection
1; mode=block (legacy header: current browsers have removed the XSS auditor it controlled, so it is inert in them and the CSP above is the effective control)
Referrer-Policy
strict-origin-when-cross-origin
2.4 Transmission Security (§164.312(e))
All data in transit is encrypted with TLS 1.2 or 1.3. HSTS with a one-year max-age instructs browsers to refuse plaintext HTTP to the domain, which defeats SSL-stripping (downgrade to HTTP) attacks. Browser connections terminate at Cloudflare; Cloudflare's Full (Strict) mode then requires a valid certificate on the Nginx origin, so the edge-to-origin hop is also encrypted and authenticated. Genome files are uploaded directly from the user's browser to encrypted S3 storage via time-limited presigned URLs; the file bytes never pass through the application servers.
TLS
1.2 and 1.3 enforced via Nginx + Certbot
HSTS
max-age=31536000; includeSubDomains
Cloudflare
Full Strict SSL mode
File uploads
Direct-to-S3 via presigned URLs (1-hour expiry)
Internal calls
Loopback only for same-host server-to-server calls; traffic that leaves the host (RDS, S3, KMS, Bedrock) is TLS-encrypted
2.5 Person or Entity Authentication (§164.312(d))
Sessions are stateless JWT tokens with a 24-hour maximum lifetime and an hourly refresh cycle. Because the token is stateless, it cannot be revoked server-side before it expires; the 24-hour ceiling bounds that window after a logout or password change. Session cookies are HttpOnly, Secure, and SameSite=Lax. OAuth integrations (Oura Ring, Fitbit) require an authenticated session before token exchange: callback endpoints verify the user's session before storing any credentials.
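An added check, not part of inevid's tooling, that verifies the response headers listed in 2.3 and 2.4 and the session-cookie attributes from 2.5 against the policy's stated values. It takes a plain object of header names to values (Set-Cookie as an array), as you would build from `curl -sI https://inevid.com` output or a fetch response; the two sample header sets are constructed, and the severity labels and thresholds are the editor's assumptions.

```javascript
// Added example (not inevid's tooling): verify a response's security headers
// and session-cookie attributes against the values this policy states.
// `headers` is a plain object, header name -> value (Set-Cookie may be an array).

const HSTS_MIN_MAX_AGE = 31536000; // one year, the policy's stated value

/** Parse "k=v; flag; k2=v2" attribute lists (HSTS, Set-Cookie) into a lowercase-keyed map. */
function parseAttrs(value) {
  const out = {};
  for (const part of String(value).split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k) out[k.toLowerCase()] = rest.length ? rest.join("=").trim() : true;
  }
  return out;
}

/** Parse a Content-Security-Policy into { directive: [source tokens] }. */
function parseCsp(value) {
  const out = {};
  for (const directive of String(value).split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

/** Returns findings; an empty array means every stated control is present as stated. */
function checkSecurityHeaders(headers) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = headers[name];
  const findings = [];
  const fail = (header, message) => findings.push({ severity: "fail", header, message });
  const warn = (header, message) => findings.push({ severity: "warn", header, message });

  // 2.4: HSTS with a one-year max-age and includeSubDomains
  const hsts = h["strict-transport-security"];
  if (!hsts) fail("strict-transport-security", "missing");
  else {
    const attrs = parseAttrs(hsts);
    if (!(Number(attrs["max-age"]) >= HSTS_MIN_MAX_AGE)) fail("strict-transport-security", `max-age ${attrs["max-age"]} is below one year`);
    if (!attrs.includesubdomains) warn("strict-transport-security", "includeSubDomains not set");
  }

  // 2.3: CSP must forbid framing; flag unsafe script sources
  const csp = h["content-security-policy"];
  if (!csp) fail("content-security-policy", "missing");
  else {
    const d = parseCsp(csp);
    if ((d["frame-ancestors"] || []).join(" ") !== "'none'") fail("content-security-policy", "frame-ancestors must be 'none'");
    const scriptSources = d["script-src"] || d["default-src"] || [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSources.indexOf(bad) !== -1) warn("content-security-policy", `${bad} in script sources weakens XSS protection`);
    }
  }

  if (String(h["x-frame-options"] || "").toUpperCase() !== "DENY") fail("x-frame-options", "expected DENY");
  if (String(h["x-content-type-options"] || "").toLowerCase() !== "nosniff") fail("x-content-type-options", "expected nosniff");
  if (!h["referrer-policy"]) fail("referrer-policy", "missing");
  // The XSS auditor this header controlled has been removed from current browsers.
  if (h["x-xss-protection"] && String(h["x-xss-protection"]).trim() !== "0") {
    warn("x-xss-protection", "legacy header; ignored by current browsers, set to 0 or drop it and rely on CSP");
  }

  // 2.5: session cookie attributes
  for (const cookie of [].concat(h["set-cookie"] || [])) {
    const attrs = parseAttrs(cookie);
    const name = cookie.split("=")[0].trim();
    if (!attrs.httponly) fail("set-cookie", `${name}: missing HttpOnly`);
    if (!attrs.secure) fail("set-cookie", `${name}: missing Secure`);
    const sameSite = String(attrs.samesite || "").toLowerCase();
    if (sameSite !== "lax" && sameSite !== "strict") fail("set-cookie", `${name}: SameSite must be Lax or Strict`);
  }
  return findings;
}

/** Constructed sample: a response matching the policy tables. */
const POLICY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "X-XSS-Protection": "1; mode=block",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Set-Cookie": ["session-token=opaque; Path=/; HttpOnly; Secure; SameSite=Lax"],
};

/** Constructed sample: a misconfigured response. */
const WEAK_HEADERS = {
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src * 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
  "Set-Cookie": ["session-token=opaque; Path=/"],
};
```

Run against the policy-conformant sample, the only finding is the X-XSS-Protection warning: current browsers have removed the XSS auditor, so the header does nothing in them, and OWASP's guidance is to set it to 0 or omit it and let the CSP carry the control. The weak sample produces failures for the short HSTS max-age, the missing frame-ancestors directive, the missing X-Frame-Options and Referrer-Policy, and every cookie attribute.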
3. Administrative Safeguards (§164.308)
3.1 Security Management (§164.308(a)(1))
Risk analysis is conducted through automated code auditing and infrastructure scanning. All API routes are reviewed for authentication, authorization, audit logging, and input validation. Security headers are enforced at the application and reverse proxy layers.
3.2 Workforce Security (§164.308(a)(3))
Engineering works with synthetic test data only, and the application exposes no admin endpoint that returns raw user ePHI, so no inevid employee can reach health data through the product. Direct database access, the one path outside the application, requires an SSH key and RDS credentials that are held only by the infrastructure administrator.
3.3 Information Access Management (§164.308(a)(4))
Access to ePHI is granted exclusively to the authenticated data owner. Admin users can view aggregate platform metrics (user counts, data counts) but cannot read individual health records. Role-based access control restricts admin functionality to users with the 'admin' role.
3.4 Contingency Plan (§164.308(a)(7))
Database backups
AWS RDS automated daily backups, 7-day retention
S3 versioning
Enabled — file overwrites preserved as versions for 90 days
Deletion protection
Enabled on RDS — prevents accidental database deletion
Process supervision
PM2 process manager with auto-restart on failure
Recovery
Full database restore from any point in last 7 days
3.5 Business Associate Agreements
Amazon Web Services
BAA executed and on file — covers RDS, S3, EC2, KMS, CloudTrail, Bedrock
Anthropic (via AWS Bedrock)
Covered under AWS BAA — AI inference routed through HIPAA-eligible Bedrock service
4. Physical Safeguards (§164.310)
All ePHI is stored in AWS data centers covered by AWS's SOC 1/2/3 reports, ISO 27001 certification, and FedRAMP authorization. inevid does not maintain any on-premises servers or physical storage of ePHI.
Compute
AWS EC2 (us-east-2, Ohio)
Database
AWS RDS PostgreSQL (us-east-2) — encrypted, SSL-only, deletion-protected
File storage
AWS S3 — KMS encryption, public access blocked, versioning, access logging
Key management
AWS KMS — dedicated encryption key for genome storage
DNS/CDN
Cloudflare — Full Strict SSL, DDoS protection
AI inference
AWS Bedrock (us-east-1) — HIPAA-eligible service
5. Encryption at Rest
Database (RDS)
AES-256 encryption enabled at storage level
Genome files (S3)
AWS KMS encryption with dedicated key (key ID: 6e849611-...)
Medical imaging (S3)
AWS KMS encryption
Bloodwork PDFs (S3)
AWS KMS encryption
S3 assets bucket
AES-256 server-side encryption
Backups
Encrypted (inherits RDS encryption)
6. Patient Rights (§164.524, §164.526, §164.400–414)
6.1 Right of Access
Users can export all their health data at any time via the data export endpoint (/api/user/export). The export includes account information, genomic variants, bloodwork with biomarkers, imaging with findings, supplements, prescriptions, wearable data, activities, medical records, physician letters, and health scores — delivered as a structured JSON file.
6.2 Right to Request Amendment
Users can edit all health data through the platform interface. Every data type (supplements, prescriptions, activities, records, imaging) includes edit and delete functionality.
6.3 Right to Request Deletion
HIPAA itself does not establish a right to deletion; inevid offers account deletion as an additional control. Users can request it via /api/user/delete, which cascade-deletes all associated ePHI from the database. S3 files are cleaned up by lifecycle policy; because versioning is enabled, a deleted file persists as a noncurrent version until the 90-day noncurrent-version expiration, so ePHI files may remain recoverable in S3 for up to 90 days after the account is deleted. Deletion events are audit-logged.
6.4 Breach Notification
In the event of a breach of unsecured ePHI, inevid will notify affected users by email within 72 hours of discovery, well inside the 60-calendar-day maximum set by §164.404. Breaches affecting 500 or more individuals will also be reported to the HHS Secretary (§164.408) and to prominent media outlets (§164.406).
7. AI-Specific Safeguards
The inevid AI agent ("Eddie") processes health data to provide personalized analysis. All AI calls are routed through a centralized module (src/lib/ai.ts) to ensure consistent security controls.
AI provider
Anthropic Claude via AWS Bedrock (HIPAA-eligible)
Data sent to AI
Extracted variant data, biomarker values, supplement lists — never raw genome files
PII in prompts
First name only for personalization — no email, DOB, or full name
AI memory
Conversation summaries stored in database, scoped to user, with expiration support
Centralized routing
All AI calls through src/lib/ai.ts — single point of control
8. Ongoing Compliance
inevid maintains compliance through continuous monitoring, automated security controls, and regular review of access patterns. The admin dashboard provides real-time visibility into platform usage, data access patterns, and audit events.
Code auditing
All API routes reviewed for auth, audit logging, input validation
CloudTrail
Continuous AWS API logging
Application audit log
Every PHI access logged with user, action, resource, IP, timestamp
Dependency updates
Automated minor version patching enabled
SOC 2 Type II
Certification in progress
ATTESTATION
I, Bryan Hayes, as the designated HIPAA Compliance Officer for Inevid, attest that the safeguards described in this document are implemented and actively maintained. This policy will be reviewed and updated at least annually, or whenever significant changes are made to the platform's architecture or data handling practices.
inevid HIPAA Compliance Policy · Version 1.0 · March 14, 2026