HIPAA Compliance
How SuiteIQ's EHR-agnostic architecture aligns with HIPAA requirements.
Zero Patient Data by Design
SuiteIQ is built from the ground up to operate without collecting, storing, or transmitting Protected Health Information (PHI). Our EHR-agnostic architecture means we never connect to your EHR, never receive patient data, and never need access to clinical systems. Every data point we capture is an operational timestamp — not a medical record.
What HIPAA Considers PHI
Under HIPAA's Privacy Rule, Protected Health Information includes any of the following 18 identifiers when linked to health information:
SuiteIQ stores none of these identifiers in the context of patient health information. The only personal information we hold is hospital staff contact details (name, phone, email) for operational notifications — not patient data.
What SuiteIQ Actually Captures
All data points are operational, not clinical:
| Data Point | Example | PHI? |
|---|---|---|
| Milestone timestamps | 2026-04-15 14:32:01 | No |
| Room assignment | OR-3 | No |
| Surgeon name | Dr. Smith | No* |
| Case label | Case 3 | No |
| OTES score | 86.2 | No |
| Delay reason | Equipment issue | No |
| Staff contact info | nurse@hospital.org | No** |
* Surgeon names are professional directory information, not linked to patient health data.
** Staff contact information is employee PII, not patient PHI.
HIPAA Safeguards We Implement
Although SuiteIQ does not store PHI, we implement HIPAA-aligned safeguards as a best practice for healthcare-adjacent software:
Administrative Safeguards
- ✓ Role-based access control with least-privilege enforcement
- ✓ Hospital-scoped data isolation (multi-tenant access controls)
- ✓ Append-only audit log of all privileged actions
- ✓ Automated data retention and purge (90-day default)
- ✓ Admin-only user provisioning (no self-signup)
Technical Safeguards
- ✓ Encryption at rest (AES-256 for RDS, S3; KMS CMK for logs)
- ✓ Encryption in transit (TLS 1.2+ on all public endpoints)
- ✓ MFA-protected sign-in (TOTP; mandatory in production)
- ✓ httpOnly session cookies (session tokens are not readable by client-side JavaScript)
- ✓ Sensitive data redaction in logs (phone/email masking)
- ✓ AWS CloudTrail for infrastructure-level audit
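To make the log-redaction item above concrete, here is an added example of a logging filter that masks e-mail addresses and phone numbers before a record is written. It is illustrative code written for this page, not SuiteIQ's implementation; the regular expressions, the `RedactingFilter` class, the `build_logger` helper and the sample log line are all constructed for the example, and the phone pattern only covers North American style numbers.

```python
import io
import logging
import re

# Constructed patterns for the two categories named in the safeguard list.
# The phone pattern is deliberately narrow (North American style) so that
# operational values such as ISO timestamps and room IDs are left untouched.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def mask_email(match):
    # Keep the first character of the local part and the domain so an
    # operator can still tell which class of address was involved.
    local, _, domain = match.group(0).partition("@")
    return f"{local[0]}***@{domain}"


def mask_phone(match):
    # Keep only the last four digits, which is enough to correlate a
    # notification with a staff record without exposing the full number.
    digits = re.sub(r"\D", "", match.group(0))
    return "***-***-" + digits[-4:]


def redact(text):
    """Apply both masks to an arbitrary string."""
    text = EMAIL_RE.sub(mask_email, text)
    text = PHONE_RE.sub(mask_phone, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the message template and any string arguments before formatting.

    Redacting before formatting means the masked value is what reaches every
    handler, including any that ship logs to an external store.
    """

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {
                k: redact(v) if isinstance(v, str) else v
                for k, v in record.args.items()
            }
        elif record.args:
            # Only touch string arguments so %d / %f formatting keeps working.
            record.args = tuple(
                redact(a) if isinstance(a, str) else a for a in record.args
            )
        return True


def build_logger(stream):
    """Return an isolated logger whose single handler carries the filter."""
    logger = logging.getLogger("suiteiq.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def demo():
    """Emit one constructed notification line and return what was written."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("Paged %s at %s about OR-3", "nurse@hospital.org", "555-123-4567")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter is attached to the handler rather than the logger so that it also applies to records that arrive through propagation from child loggers; a check worth adding in a real deployment is a unit test that feeds each log format string a representative set of timestamps, room IDs and OTES scores and asserts they are not altered.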
Physical Safeguards
- ✓ AWS-managed data centers (SOC 2, ISO 27001, FedRAMP certified)
- ✓ No on-premises infrastructure; fully cloud-native
- ✓ VPC network isolation with private subnets for all data-tier components
Business Associate Agreements
SuiteIQ maintains a Business Associate Agreement (BAA) with AWS, our sole infrastructure provider. For hospitals that require a BAA with SuiteIQ — even though we do not access or store PHI — we are prepared to execute one upon request.
Contact compliance@suiteiq.io for BAA inquiries.
AI & Data Processing
SuiteIQ's Turnover Intelligence feature uses AWS Bedrock (Claude) to analyze historical OTES data and generate scheduling optimization insights. Important safeguards:
- ✓ Only operational metrics (OTES scores, timestamps, room IDs) are sent to the AI model — never patient identifiers
- ✓ AWS Bedrock does not retain input data or use it for model training
- ✓ AI responses are cached (Redis, 60-min TTL) and purged automatically
- ✓ Per-hospital invocation caps prevent runaway costs
- ✓ Rule-based fallback when AI is unavailable — the platform never stops functioning
Questions?
For HIPAA compliance inquiries or to request a BAA:
compliance@suiteiq.io
Privacy Officer: Chevella Mack, CEO
Disclaimer: This page describes SuiteIQ's approach to HIPAA-aligned security practices. It does not constitute legal advice. Hospitals should consult their own legal counsel and compliance teams to determine their specific HIPAA obligations with respect to SuiteIQ's platform. SuiteIQ's architecture is designed to avoid handling PHI, but each covered entity is responsible for its own compliance assessment.