HIPAA (US healthcare)
Koji's posture on the US Health Insurance Portability and Accountability Act for enterprise customers in healthcare and life sciences.
How HIPAA support works
HIPAA is a US federal law, not a certification. There is no official HIPAA audit or certificate that vendors hold. A vendor supports HIPAA workloads when it (a) implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule and (b) executes a Business Associate Agreement (BAA) with each covered entity it serves.
Koji's enterprise tier addresses both requirements: the underlying Security Rule controls run today on every deployment, and the BAA between Koji and the covered-entity customer is executed as part of the enterprise contract. Healthcare customers complete a per-engagement configuration review with our compliance team before any PHI is processed.
What "HIPAA-ready" includes at Koji
Administrative safeguards
- Written information security and HIPAA policies
- Designated security and privacy officers
- Workforce security awareness training, with HIPAA-specific modules
- Role-based access management with documented authorization workflows
- Incident response procedures with breach notification commitments
- Documented business continuity and contingency planning
- Periodic risk analysis covering systems that may handle PHI
Physical safeguards
Koji does not operate physical infrastructure. Physical safeguards are inherited from the cloud providers (AWS, Google Cloud) underlying our managed platforms (Supabase, Vercel), all of which hold SOC 2 Type II attestations covering physical security.
Technical safeguards
- Access control: Unique user identification, SAML SSO with MFA, automatic session timeouts, role-based authorization, audit logging of access events.
- Audit controls: Hardware, software, and procedural mechanisms record activity in systems that may handle PHI. Logs are retained for six years, matching the retention period HIPAA sets for Security Rule documentation (the rule does not name a separate log-retention period, so six years is the conservative reading auditors expect).
- Integrity: Database-level integrity controls prevent unauthorized modification; row-level security policies enforce tenant isolation.
- Authentication: SSO via the customer's identity provider; no shared credentials.
- Transmission security: TLS 1.2 or higher for all network traffic.
- Encryption at rest: AES-256 for stored data, including database storage and backups.
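The tenant-isolation control above is implemented at the database layer with PostgreSQL row-level security, which is what Supabase exposes. The following is an added illustration of that pattern, not Koji's schema or policies: the table name, the `tenant_id` JWT claim, and the use of the `request.jwt.claims` session setting as the claim transport are assumptions for the example. The check at the end is the one a reviewer should run against any RLS-based isolation claim: confirm that a second tenant's session sees zero rows and cannot write rows tagged with another tenant's id.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security.
-- Assumed for illustration: table name, a 'tenant_id' claim in the verified
-- JWT, and the claim being surfaced via the request.jwt.claims setting
-- (the mechanism PostgREST/Supabase uses; set_config() emulates it here).

create table patient_records (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  mrn        text not null,
  note       text,
  created_at timestamptz not null default now()
);

-- RLS is opt-in per table. FORCE makes it apply to the table owner as well;
-- superusers and roles with BYPASSRLS still skip it, so application roles
-- must never be either.
alter table patient_records enable row level security;
alter table patient_records force row level security;

-- The tenant is read from the verified JWT claims, never from the request
-- body. If the claim is absent the function returns NULL, every policy
-- comparison evaluates to NULL, and no rows are visible: fail closed.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'tenant_id')::uuid
$$;

-- Separate policies per command so reads (USING) and writes (WITH CHECK)
-- are both pinned to the caller's tenant. An UPDATE that tries to move a row
-- to another tenant fails the WITH CHECK clause.
create policy tenant_select on patient_records
  for select using (tenant_id = current_tenant_id());

create policy tenant_insert on patient_records
  for insert with check (tenant_id = current_tenant_id());

create policy tenant_update on patient_records
  for update using (tenant_id = current_tenant_id())
             with check (tenant_id = current_tenant_id());

create policy tenant_delete on patient_records
  for delete using (tenant_id = current_tenant_id());

-- Verification: run as an ordinary (non-superuser, non-BYPASSRLS) role.
-- set_config(..., true) scopes the claim to this transaction only.
begin;

select set_config('request.jwt.claims',
                  '{"tenant_id":"11111111-1111-1111-1111-111111111111"}', true);
insert into patient_records (tenant_id, mrn, note)
  values ('11111111-1111-1111-1111-111111111111', 'A-001', 'tenant A note');

-- Switch to a second tenant within the same transaction: tenant A's row
-- must no longer be visible.
select set_config('request.jwt.claims',
                  '{"tenant_id":"22222222-2222-2222-2222-222222222222"}', true);
select count(*) as rows_visible_to_tenant_b from patient_records;

-- Tenant B attempting to write a row tagged with tenant A's id must be
-- rejected by the INSERT policy's WITH CHECK clause.
insert into patient_records (tenant_id, mrn)
  values ('11111111-1111-1111-1111-111111111111', 'A-002');

rollback;
```

Expected behaviour: the count query in tenant B's context returns 0, and the final insert fails with a row-level security policy violation, which aborts the transaction before the rollback. If either outcome differs, the usual causes are a connection role that is a superuser or has BYPASSRLS, a table created without FORCE so the owner bypasses the policies, or application code that takes `tenant_id` from the request payload instead of the verified token.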
Sub-processor BAAs
For HIPAA workloads, BAA verification with each sub-processor in the data path is part of the enterprise onboarding configuration. Our primary sub-processors offer BAAs on their higher service tiers; Koji's HIPAA configuration is provisioned on those tiers so the BAA chain is in place before any PHI is processed:
- Supabase (database, authentication, storage) offers BAAs on the Team and Enterprise tiers. Koji's HIPAA-configured deployments are provisioned on those tiers.
- Vercel (application, edge compute) offers a BAA on the Enterprise tier. Koji's HIPAA-configured deployments are provisioned on that tier.
- Model providers. Enterprise customers processing PHI through Koji-recommended models use providers whose enterprise tier supports a BAA (for example, OpenAI Enterprise, Anthropic for Work, Azure OpenAI Service, Google Cloud Vertex AI). Customers using their own LLM contracts rely on the BAA between themselves and their model provider.
Tier scope and roadmap
- Standard self-serve tier: configured for non-PHI workloads. Customers handling PHI move to the enterprise tier where BAAs and the HIPAA-specific configuration are in place.
- HITRUST CSF certification is on our longer-term roadmap. Customers with a HITRUST requirement can email [email protected] to discuss timing and any interim mitigations relevant to their procurement.
How to get the BAA in place
- Email [email protected] with the subject "BAA request" and your covered entity name.
- We send the standard Koji BAA, which incorporates the required HIPAA Business Associate provisions and is consistent with our DPA.
- On counter-signature, your deployment is provisioned (or re-provisioned, if you are an existing standard-tier customer) on the HIPAA-configured enterprise stack.
- We confirm sub-processor BAAs and extended audit-log retention are in effect for your deployment.
Customer responsibilities under HIPAA
HIPAA places obligations on both the covered entity and the business associate. As the covered entity, the customer is responsible for:
- Applying the minimum necessary standard: sending the platform only the PHI needed for the intended purpose.
- Providing patients with the privacy notices required under HIPAA.
- Obtaining authorizations where required by the Privacy Rule.
- Configuring access controls within the platform to limit access to the workforce members who need it.
- Notifying Koji of any privacy or security incidents on the customer's side that may affect PHI in the Koji platform.
Questions
For BAA execution and HIPAA-specific questions, email [email protected]. For security questionnaire responses covering HIPAA controls, email [email protected].