HIPAA
Veridian Health Partners processes Protected Health Information (PHI) on behalf of covered entities. Veridian operates as a Business Associate when a signed BAA is in place.Technical safeguards (built today)
- Row-level security on every table
- Field-level PHI encryption
- Hash-chained audit log (no PHI in payload)
- Role-based access (
pt,admin,it_admin) - TOTP MFA for staff (enforced per deployment)
- Brute-force login protection
PHI in Veridian Motion
- Patient identifiers and enrollment records
- Body-map selections, complaint, questionnaire responses
- Posture photos (up to four)
- AI triage output, PT notes, approved exercise plans
- Clinician-to-patient messages
Patient rights
HIPAA rights are exercised through the covered entity / agency. Veridian supplies data to authorized agency staff to fulfill requests.Corrections-specific note
CJIS, FedRAMP, and state corrections IT standards are separate from HIPAA — not built into Veridian Motion. The hosting agency provides CJIS/FedRAMP/GovCloud environment, MDM kiosk lockdown, network controls, and personnel screening.Subprocessors
PHI may be processed by subprocessors including Lovable Cloud / Supabase and server-side AI providers. List available to customers on request.What’s next
Data handling
Collection and retention.
Security overview
Full posture.
