Skip to main content

HIPAA

Veridian Health Partners processes Protected Health Information (PHI) on behalf of covered entities. Veridian operates as a Business Associate when a signed BAA is in place.
HIPAA-aligned design is not HIPAA certification. Veridian Motion is not HIPAA-certified. Compliance depends on BAAs, agency hosting, and operational practices.

Technical safeguards (built today)

  • Row-level security on every table
  • Field-level PHI encryption
  • Hash-chained audit log (no PHI in payload)
  • Role-based access (pt, admin, it_admin)
  • TOTP MFA for staff (enforced per deployment)
  • Brute-force login protection

PHI in Veridian Motion

  • Patient identifiers and enrollment records
  • Body-map selections, complaint, questionnaire responses
  • Posture photos (up to four)
  • AI triage output, PT notes, approved exercise plans
  • Clinician-to-patient messages
Minimum necessary: patients see only their data; plans only after PT approval; notes only if shared.

Patient rights

HIPAA rights are exercised through the covered entity / agency. Veridian supplies data to authorized agency staff to fulfill requests.

Corrections-specific note

CJIS, FedRAMP, and state corrections IT standards are separate from HIPAA — not built into Veridian Motion. The hosting agency provides CJIS/FedRAMP/GovCloud environment, MDM kiosk lockdown, network controls, and personnel screening.

Subprocessors

PHI may be processed by subprocessors including Lovable Cloud / Supabase and server-side AI providers. List available to customers on request.

What’s next

Data handling

Collection and retention.

Security overview

Full posture.