Wocha Docs

HIPAA Compliance Guide

How to enable and configure HIPAA compliance for healthcare workloads on Wocha Cloud.

Wocha Cloud supports HIPAA compliance through a per-tenant opt-in mode that automatically enforces technical safeguards required by the HIPAA Security Rule. This guide covers how to enable HIPAA mode, configure PHI controls, and maintain compliance.


Prerequisites

Before enabling HIPAA mode, ensure:

  1. Enterprise plan — HIPAA mode is available on Enterprise plans
  2. Active BAA — Accept the Business Associate Agreement via Console or API
  3. MFA policy — Set your tenant MFA policy to always or adaptive

Enabling HIPAA mode

Via Console

  1. Navigate to Settings > Compliance > HIPAA
  2. Accept the BAA if you haven't already
  3. Review the readiness checklist
  4. Click Enable HIPAA Mode

Via API

# Step 1: Accept the BAA
curl -X POST https://api.wocha.ai/api/v1/customer/compliance/baa/accept \
  -H "Authorization: Bearer wocha_mgmt_..." \
  -H "Content-Type: application/json" \
  -d '{
    "accepted_by_email": "privacy-officer@example.com",
    "accepted_by_name": "Jane Smith"
  }'
 
# Step 2: Enable HIPAA mode
curl -X POST https://api.wocha.ai/api/v1/customer/compliance/hipaa/enable \
  -H "Authorization: Bearer wocha_mgmt_..."
 
# Step 3: Check readiness
curl https://api.wocha.ai/api/v1/customer/compliance/hipaa/status \
  -H "Authorization: Bearer wocha_mgmt_..."

What HIPAA mode enforces

When HIPAA mode is enabled, the following safeguards are automatically enforced:

SafeguardBehaviour
MFA requiredAll users must complete MFA; sessions without AAL2+ are rejected at token issuance
Token claim minimisationPHI-classified fields are stripped from ID and access tokens unless phi:token scope is granted
API response filteringPHI fields are redacted from Customer API responses unless the API key has phi:read scope
Session auto-logoffIdle timeout (default 15 min, minimum 5 min) and absolute timeout (default 8 hours, minimum 1 hour)
PHI access loggingEvery access to PHI-classified fields generates a hipaa.phi_accessed audit event
Audit retentionAll audit events tagged with regulatory_scope: "hipaa" for 6-year WORM retention

PHI field classification

Wocha does not store PHI in standard identity traits (email, name, phone). However, if your application stores PHI in custom traits (e.g., medical_record_number, date_of_birth), you must classify these fields in the PHI registry.

Via Console

Navigate to Settings > Compliance > HIPAA > PHI Registry and add each field with its classification:

  • PHI — Protected Health Information; filtered from tokens and API responses by default
  • PII — Personally Identifiable Information; logged but not filtered
  • Sensitive — Sensitive but not PHI; logged but not filtered
  • Public — Non-sensitive; no restrictions

Via API

# Register a PHI field
curl -X POST https://api.wocha.ai/api/v1/customer/compliance/phi-fields \
  -H "Authorization: Bearer wocha_mgmt_..." \
  -H "Content-Type: application/json" \
  -d '{
    "field_path": "traits.medical_record_number",
    "classification": "phi",
    "description": "Patient MRN"
  }'

Session policy configuration

HIPAA mode enforces minimum session timeouts. You can configure stricter timeouts per organisation:

curl -X PUT https://api.wocha.ai/api/v1/customer/organisations/{orgId}/security-policy \
  -H "Authorization: Bearer wocha_mgmt_..." \
  -H "Content-Type: application/json" \
  -d '{
    "session_idle_timeout_minutes": 10,
    "session_timeout_minutes": 240
  }'

HIPAA minimums:

  • Idle timeout: 5 minutes minimum
  • Absolute timeout: 60 minutes minimum

Audit log retention and export

HIPAA-mode tenants benefit from:

  • 6-year WORM retention — Audit events are stored in immutable object storage for 6 years per 45 CFR 164.530(j)
  • Structured audit events — All HIPAA events use the hipaa.* event type prefix
  • Log streaming — Forward audit events to your SIEM (Datadog, Splunk, S3, etc.)
  • Export APIGET /api/v1/customer/logs/export?type=audit for ad-hoc exports

HIPAA-specific audit events

Event typeDescription
hipaa.baa_acceptedBAA was accepted
hipaa.baa_terminatedBAA was terminated
hipaa.mode_enabledHIPAA mode was enabled
hipaa.mode_disabledHIPAA mode was disabled
hipaa.phi_accessedPHI fields were accessed via API
hipaa.phi_exportedPHI data was exported
hipaa.emergency_accessEmergency access override was used
hipaa.breach_reportedBreach incident was recorded
hipaa.session_auto_logoffSession was terminated by HIPAA timeout

Breach notification

Wocha includes a built-in breach notification workflow per 45 CFR 164.404-408:

  1. Discovery — Breach is detected and recorded in the breach log
  2. Risk assessment — Four-factor analysis per 45 CFR 164.402(2)
  3. Notification — Affected tenant administrators are notified
  4. HHS reporting — Report template generated for submission to HHS
  5. Remediation — Steps documented and breach marked as resolved

Breach incidents are visible in the Console under Settings > Compliance > HIPAA > Breach Log.


Shared responsibility model

ResponsibilityWochaCustomer
Infrastructure encryption (transit + rest)Yes
MFA enforcement at consentYes
Audit log retention (6 years)Yes
PHI field filteringYesClassify fields
Session timeout enforcementYesConfigure thresholds
Breach detection and notificationYesRespond to notifications
BAA executionYesAccept BAA
Application-level PHI handlingYes
End-user trainingYes
Risk analysis documentationYes
Policies and proceduresYes

API reference

EndpointMethodDescription
/compliance/baaGETCurrent BAA status
/compliance/baa/acceptPOSTAccept BAA
/compliance/baa/historyGETBAA acceptance history
/compliance/hipaa/enablePOSTEnable HIPAA mode
/compliance/hipaa/enableDELETEDisable HIPAA mode
/compliance/hipaa/statusGETHIPAA readiness checklist

All endpoints require the wocha:compliance:manage API scope.


On this page