HIPAA compliance isn't optional. We know.
Korafy was built for clinical workflows from day one. Here's exactly how we protect your patients' data.
HIPAA Safeguards
All three safeguard categories. Fully implemented.
Administrative Safeguards
- Designated HIPAA Security Officer
- Workforce training on PHI handling
- Risk assessments conducted quarterly
- Incident response plan in place
- Business Associate Agreements with all vendors
Physical Safeguards
- Cloud-hosted — no on-premise servers
- HIPAA-eligible cloud infrastructure with SOC 2 compliance
- Facility access controls via cloud provider
- Workstation use policies enforced
Technical Safeguards
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Role-based access control (RBAC)
- Comprehensive audit logging
- Automatic session timeout
- Multi-factor authentication (MFA)
Infrastructure
How your data is stored and protected.
Encrypted Data Storage
All PHI is encrypted at rest using AES-256 and in transit using TLS 1.3. Database backups are encrypted and stored in geographically redundant locations.
HIPAA-Compliant Infrastructure
Korafy runs on HIPAA-eligible cloud infrastructure with end-to-end BAA coverage across our entire data pipeline. Our hosting and data services are selected specifically for their ability to execute Business Associate Agreements and their compliance with HIPAA security requirements.
Business Associate Agreements
We execute BAAs with every vendor that touches PHI — including our hosting provider, database service, fax transmission service, and any subprocessors involved in the authorization workflow.
Audit Logging
Every access to PHI is logged with timestamp, user identity, and action taken. Logs are immutable and retained for a minimum of 6 years, supporting both HIPAA requirements and practice-level compliance audits.
Compliance Roadmap
Where we are. Where we're going.
HIPAA Administrative, Physical & Technical Safeguards
All three safeguard categories implemented and documented.
Business Associate Agreements
BAAs executed with all subprocessors handling PHI.
SOC 2 Type I Audit
In Progress: Security controls audit underway. Target completion: Q3 2026.
SOC 2 Type II Audit
Planned: Continuous monitoring audit planned for Q1 2027.
Questions about our security? Let's talk.
We're happy to walk through our security posture, sign a BAA, and answer any compliance questions your team has.