HIPAA Compliance Statement

Last updated: February 5, 2026

At BajaWell, we are committed to developing software solutions that support our clients' compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. This statement outlines our approach to healthcare data protection in the software we build.

1. Our Role

BajaWell is a custom software development company that builds healthcare technology solutions. When our services involve access to Protected Health Information (PHI), we operate as a Business Associate under HIPAA. In such cases, we enter into a Business Associate Agreement (BAA) with the covered entity (our client) before any PHI is accessible.

2. Technical Safeguards We Implement

All healthcare software solutions developed by BajaWell incorporate the following technical safeguards as required by the HIPAA Security Rule:

  • Access Controls: Role-based access control (RBAC), unique user identification, automatic session timeouts, and multi-factor authentication where applicable.
  • Encryption: Data encryption in transit (TLS 1.2+) and at rest (AES-256), including database encryption and encrypted backups.
  • Audit Controls: Comprehensive logging of system access, data modifications, and user activities with tamper-evident audit trails.
  • Integrity Controls: Data validation, checksums, and version control to protect against unauthorized alteration of ePHI.
  • Transmission Security: Secure APIs, encrypted communication channels, and certificate-based authentication for system integrations.

3. Administrative Safeguards

Our development processes include:

  • Security awareness training for all development team members.
  • Background checks and confidentiality agreements for personnel with access to client systems.
  • Documented security policies and procedures.
  • Regular risk assessments of systems under development and in production.
  • Incident response procedures and breach notification protocols.

4. Physical Safeguards

Our development environment maintains:

  • Secure workstation policies with encrypted hard drives and screen lock requirements.
  • Cloud infrastructure hosted with HIPAA-compliant providers.
  • Controlled access to development and production environments.
  • Secure disposal of hardware and media containing PHI.

5. Development Best Practices

Every healthcare project at BajaWell follows these security-focused development practices:

  • Secure Software Development Lifecycle (SSDLC) methodology.
  • Code reviews with security-focused checklists.
  • Automated vulnerability scanning and dependency auditing.
  • Penetration testing before production deployment.
  • Minimum necessary principle applied to all data access patterns.
  • PHI de-identification in testing and development environments.

6. Business Associate Agreements

For projects that involve PHI, BajaWell:

  • Executes a BAA with each covered entity client before engagement begins.
  • Maintains BAAs with all subcontractors who may access PHI.
  • Ensures cloud hosting and third-party services used in HIPAA projects are BAA-covered.
  • Documents all PHI data flows and access points.

7. Breach Notification

In the event of a security incident involving PHI, BajaWell will:

  • Notify the affected covered entity without unreasonable delay, and no later than 60 days from discovery.
  • Provide full details of the breach including the nature and extent of PHI involved.
  • Cooperate with the covered entity's investigation and remediation efforts.
  • Document the incident and corrective actions taken.

8. Client Responsibility

While BajaWell implements robust technical safeguards, it is important to note that:

  • HIPAA compliance is a shared responsibility between BajaWell and the covered entity.
  • Clients are responsible for their own administrative and physical safeguards.
  • Clients must ensure proper user training and access management within deployed systems.
  • Clients should conduct their own risk assessments and maintain their own compliance programs.

9. Continuous Improvement

We regularly review and update our security practices to address emerging threats and changes in regulatory requirements. Our compliance program includes annual reviews of policies, procedures, and technical controls.

10. Contact

For questions about our HIPAA compliance practices or to request a copy of our BAA template:

Disclaimer: This statement is provided for informational purposes and does not constitute legal advice. BajaWell recommends that covered entities consult with qualified legal counsel regarding their HIPAA compliance obligations.

BajaWell - Luis Pulido Diaz, Calle Fernando 4531, El Paraiso 22106, Tijuana, Baja California, Mexico