G8KEPR implements the technical and administrative safeguards required by the HIPAA Security Rule. We will sign a Business Associate Agreement before your deployment processes any ePHI.
What "HIPAA-ready" means here. G8KEPR implements the technical controls required by the HIPAA Security Rule and will sign a BAA before your deployment processes ePHI. We are not formally audited by a third-party HIPAA compliance assessor. Physical safeguards (device tracking, visitor logs) are partially implemented. Our 75% readiness score reflects the current state of our safeguard tracking — not a certification claim.
The Security Rule organizes safeguards into three categories. Here is where G8KEPR stands in each.
§164.312(a)(1): RBAC with least-privilege + MFA enforced on all ePHI access paths
§164.312(b): Centralized tamper-proof audit logging with 7-year retention
§164.312(d): SSO + hardware token MFA deployed organization-wide
§164.312(e)(1): TLS 1.3 enforced on all ePHI transit paths; no fallback to TLS 1.2
§164.312(c)(1): Checksums in place; real-time tamper detection in progress
§164.308(a)(1): Annual risk assessment completed Q1 2026; documented in security policy
§164.308(a)(3): Role-based security training; annual completion tracking in progress
§164.310(a)(1): Badge access active; visitor log digitization in progress
§164.310(d)(1): Policy drafted; automated device inventory tooling not yet deployed
These are the specific technical measures in place — not marketing copy. Each maps to a Security Rule requirement.
AES-256 for all ePHI stored in PostgreSQL. Field-level encryption for the most sensitive identifiers (SSN, diagnosis codes).
TLS 1.3 enforced end-to-end. All API endpoints reject plaintext connections. Certificate pinning on internal service-to-service calls.
Row-Level Security (RLS) in PostgreSQL ensures each organization can only query its own ePHI, even if the application code has a bug.
Hash-chained audit log entries. Every read, write, and export of ePHI is recorded with user, timestamp, and a cryptographic link to the previous record.
HIPAA requires 6 years. G8KEPR retains audit logs for 7 years by default. Configurable up to 10 years for organizations that need it.
Unusual ePHI access patterns (bulk exports, off-hours queries, role mismatches) are flagged in real time and generate alerts.
A Business Associate Agreement is required before G8KEPR processes any ePHI on your behalf. The process is straightforward — typical turnaround is 1–2 business days.
Contact us via the form below. Tell us which PHI types your deployment will process and your organization name.
We confirm the covered services, PHI types, and your obligations as a covered entity. Typically a 1–2 day turnaround.
Sign electronically via DocuSign. Executed BAA stored in the compliance dashboard under Business Associate Agreements.
§164.312(b) requirement: 6 years
Logs are hash-chained — each record links to the previous, making retroactive tampering detectable. Exportable in standard formats for auditors.
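As an added illustration of the hash-chaining described above (example code, not G8KEPR's own; the record fields, the genesis link and the sample events are assumptions), this builds a small chained audit log and verifies it, showing that both an in-place edit and an edit whose hash was recomputed are caught at the first broken link:

```python
import hashlib
import json

# Constructed example of a hash-chained audit log: each record carries the user,
# timestamp, action and resource plus a link ("prev") to the previous record's
# hash. verify_chain() reports the index of the first record whose link or
# content hash no longer holds. The head hash must itself be anchored outside the
# writable log (signed, or copied to write-once storage); otherwise someone who
# can rewrite every later record could re-chain the whole log unnoticed.

GENESIS = "0" * 64  # assumed sentinel link for the very first record


def record_hash(fields: dict) -> str:
    """SHA-256 over a canonical serialization so every verifier hashes the same bytes."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(chain: list, user: str, action: str, ts: str, resource: str) -> dict:
    """Append one ePHI access event, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    fields = {"seq": len(chain), "user": user, "action": action,
              "ts": ts, "resource": resource, "prev": prev}
    record = dict(fields, hash=record_hash(fields))
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return the index of the first inconsistent record, or None if the chain holds."""
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        fields = {k: v for k, v in record.items() if k != "hash"}
        if record["prev"] != expected_prev or record_hash(fields) != record["hash"]:
            return i
        expected_prev = record["hash"]
    return None


def sample_log() -> list:
    """Constructed sample events (not real ePHI access data)."""
    log = []
    append_record(log, "dr_smith", "read", "2026-03-01T09:12:00Z", "patient/1042")
    append_record(log, "nurse_lee", "write", "2026-03-01T09:15:30Z", "patient/1042")
    append_record(log, "analyst_k", "export", "2026-03-01T23:40:00Z", "cohort/oncology")
    return log
```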
§164.400–414 Breach Notification Rule
G8KEPR can run entirely on your own servers. No data ever transits a third-party cloud — your BAA obligations are significantly simpler.
Deploy on-premises or in your own cloud account. ePHI stays within your security boundary — you are the only covered entity in the picture.
Helm chart for production deployments. Runs in existing hospital or health system Kubernetes clusters with RBAC and namespace isolation.
When self-hosted, G8KEPR is not a business associate — it is your software. BAA still covers any support or monitoring access we have to your environment.
We will walk through the technical controls, sign the BAA, and help you map your compliance requirements to the G8KEPR configuration.