HIPAA Compliance Guide
How to enable and configure HIPAA compliance for healthcare workloads on Wocha Cloud.
Wocha Cloud supports HIPAA compliance through a per-tenant opt-in mode that automatically enforces technical safeguards required by the HIPAA Security Rule. This guide covers how to enable HIPAA mode, configure PHI controls, and maintain compliance.
Prerequisites
Before enabling HIPAA mode, ensure:
- Enterprise plan — HIPAA mode is available on Enterprise plans
- Active BAA — Accept the Business Associate Agreement via Console or API
- MFA policy — Set your tenant MFA policy to
alwaysoradaptive
Enabling HIPAA mode
Via Console
- Navigate to Settings > Compliance > HIPAA
- Accept the BAA if you haven't already
- Review the readiness checklist
- Click Enable HIPAA Mode
Via API
What HIPAA mode enforces
When HIPAA mode is enabled, the following safeguards are automatically enforced:
| Safeguard | Behaviour |
|---|---|
| MFA required | All users must complete MFA; sessions without AAL2+ are rejected at token issuance |
| Token claim minimisation | PHI-classified fields are stripped from ID and access tokens unless phi:token scope is granted |
| API response filtering | PHI fields are redacted from Customer API responses unless the API key has phi:read scope |
| Session auto-logoff | Idle timeout (default 15 min, minimum 5 min) and absolute timeout (default 8 hours, minimum 1 hour) |
| PHI access logging | Every access to PHI-classified fields generates a hipaa.phi_accessed audit event |
| Audit retention | All audit events tagged with regulatory_scope: "hipaa" for 6-year WORM retention |
PHI field classification
Wocha does not store PHI in standard identity traits (email, name, phone). However, if your application stores PHI in custom traits (e.g., medical_record_number, date_of_birth), you must classify these fields in the PHI registry.
Via Console
Navigate to Settings > Compliance > HIPAA > PHI Registry and add each field with its classification:
- PHI — Protected Health Information; filtered from tokens and API responses by default
- PII — Personally Identifiable Information; logged but not filtered
- Sensitive — Sensitive but not PHI; logged but not filtered
- Public — Non-sensitive; no restrictions
Via API
Session policy configuration
HIPAA mode enforces minimum session timeouts. You can configure stricter timeouts per organisation:
HIPAA minimums:
- Idle timeout: 5 minutes minimum
- Absolute timeout: 60 minutes minimum
Audit log retention and export
HIPAA-mode tenants benefit from:
- 6-year WORM retention — Audit events are stored in immutable object storage for 6 years per 45 CFR 164.530(j)
- Structured audit events — All HIPAA events use the
hipaa.*event type prefix - Log streaming — Forward audit events to your SIEM (Datadog, Splunk, S3, etc.)
- Export API —
GET /api/v1/customer/logs/export?type=auditfor ad-hoc exports
HIPAA-specific audit events
| Event type | Description |
|---|---|
hipaa.baa_accepted | BAA was accepted |
hipaa.baa_terminated | BAA was terminated |
hipaa.mode_enabled | HIPAA mode was enabled |
hipaa.mode_disabled | HIPAA mode was disabled |
hipaa.phi_accessed | PHI fields were accessed via API |
hipaa.phi_exported | PHI data was exported |
hipaa.emergency_access | Emergency access override was used |
hipaa.breach_reported | Breach incident was recorded |
hipaa.session_auto_logoff | Session was terminated by HIPAA timeout |
Breach notification
Wocha includes a built-in breach notification workflow per 45 CFR 164.404-408:
- Discovery — Breach is detected and recorded in the breach log
- Risk assessment — Four-factor analysis per 45 CFR 164.402(2)
- Notification — Affected tenant administrators are notified
- HHS reporting — Report template generated for submission to HHS
- Remediation — Steps documented and breach marked as resolved
Breach incidents are visible in the Console under Settings > Compliance > HIPAA > Breach Log.
Shared responsibility model
| Responsibility | Wocha | Customer |
|---|---|---|
| Infrastructure encryption (transit + rest) | Yes | — |
| MFA enforcement at consent | Yes | — |
| Audit log retention (6 years) | Yes | — |
| PHI field filtering | Yes | Classify fields |
| Session timeout enforcement | Yes | Configure thresholds |
| Breach detection and notification | Yes | Respond to notifications |
| BAA execution | Yes | Accept BAA |
| Application-level PHI handling | — | Yes |
| End-user training | — | Yes |
| Risk analysis documentation | — | Yes |
| Policies and procedures | — | Yes |
API reference
| Endpoint | Method | Description |
|---|---|---|
/compliance/baa | GET | Current BAA status |
/compliance/baa/accept | POST | Accept BAA |
/compliance/baa/history | GET | BAA acceptance history |
/compliance/hipaa/enable | POST | Enable HIPAA mode |
/compliance/hipaa/enable | DELETE | Disable HIPAA mode |
/compliance/hipaa/status | GET | HIPAA readiness checklist |
All endpoints require the wocha:compliance:manage API scope.