HIPAA Compliance

Trialinx for HIPAA-regulated researchers

AES-256 encryption, indefinite audit trail, RBAC, 2FA, and BAAs available. How Trialinx covers HIPAA Safeguards for clinical research.

Health Insurance Portability and Accountability Act · United States

What is HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is the US federal law that regulates the privacy and security of Protected Health Information (PHI). It binds covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates. Researchers fall in scope when they work within a covered entity, such as an academic medical center, or receive PHI from one.

HIPAA has two rules that shape EDC platform requirements: the Privacy Rule (permitted uses and disclosures of PHI, including the 'minimum necessary' standard) and the Security Rule (administrative, physical, and technical safeguards for electronic PHI, ePHI). A third, the Breach Notification Rule, governs what happens when unsecured PHI is compromised.

Key Security Rule requirements

Administrative safeguards

Security management process (risk analysis and risk management), workforce training, security incident procedures, periodic evaluation, and Business Associate Agreements (BAAs).

Physical safeguards

Facility access controls, workstation use policies, device and media security (wiping, disposal).

Technical safeguards

Access control (unique user identification, emergency access, automatic logoff, encryption), audit controls, integrity of ePHI, person or entity authentication, and transmission security (encryption in transit, for example TLS). Some of these are 'required' and others 'addressable'; an addressable specification can be replaced by a documented equivalent, but never simply skipped.

Breach notification (Breach Notification Rule)

Mandatory notification to affected individuals and to the Department of Health and Human Services (HHS) following a breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery; breaches affecting more than 500 residents of a state also require notice to prominent media. A business associate must notify the covered entity, which then notifies individuals.

How Trialinx meets it

  • AES-256 at rest + TLS 1.2+ in transit — addresses the 'Encryption and decryption' §164.312(a)(2)(iv) and transmission 'Encryption' §164.312(e)(2)(ii) implementation specifications
  • 7-datapoint audit trail with indefinite retention — meets 'Audit controls' §164.312(b)
  • RBAC with unique user IDs and 2FA — meets 'Access control' §164.312(a)(1), 'Unique user identification' §164.312(a)(2)(i), and 'Person or entity authentication' §164.312(d)
  • Automatic session timeout + token rotation — meets 'Automatic logoff' §164.312(a)(2)(iii)
  • BAA available for Institutional tier customers processing PHI
  • Documented incident response process with notification to the customer in under 72 hours of discovery
  • Study-level data segregation (logical isolation)
  • Published ethics committee documentation, risk assessments, and Privacy Rule evaluation

Shared responsibility

HIPAA compliance is always a shared responsibility. Trialinx provides platform-level technical and administrative controls as a business associate. The Covered Entity (institution / investigator) remains responsible for:

  • Signing the BAA with Trialinx before uploading ePHI
  • Minimizing identifiable data uploaded ('minimum necessary')
  • Obtaining IRB approval and either participant HIPAA authorization or an IRB / Privacy Board waiver of authorization
  • Training their workforce on their institution's HIPAA policies
  • Configuring collaborator roles and permissions on a need-to-know basis
  • Reporting breaches originating outside the platform

Frequently asked questions

Can I use the free plan with PHI?

We don't recommend using the free plan for identifiable HIPAA-covered data: no BAA is in place, so uploading ePHI to it would itself be an impermissible disclosure. Signed BAAs are only available on the Institutional plan. For PHI-processing studies, request Institutional from /contact.

Does Trialinx sign BAAs with individual institutions?

Yes, under the Institutional plan we sign a standard BAA per institution. We review reasonable modifications requested by the customer's legal team.

Does HIPAA apply if I'm a non-US researcher?

HIPAA follows the entity, not the data subject: it applies to US covered entities and their business associates wherever they operate, and not to everyone who happens to hold health data about US residents. A non-US researcher is in scope when they receive PHI from a US covered entity (for example under a BAA or data use agreement). Researchers without US ePHI are governed by their local privacy law instead, typically the GDPR in the EU/EEA.

What about HITECH?

HITECH (2009) strengthened HIPAA by making business associates directly liable for Security Rule compliance, introducing the Breach Notification Rule, and raising penalties; these changes were finalized in the 2013 Omnibus Rule. Trialinx controls are designed to meet both HIPAA and HITECH requirements.

Need the package for your ethics committee or DPO?

Contact us and we'll send all the documentation your ethics committee or data protection officer needs.