Nutan · Compliance Attestation

NUT-HIPAA-001

HIPAA Security Rule Assessment

Assessment of Nutan's alignment to HIPAA Security Rule safeguards (45 CFR §164.308–312).

AI-generated attestation. This report is produced automatically by Nutan's AI from our codebase, deployment state, and operational runbooks — the primary source of truth about what Nutan does. Nutan is not yet externally certified by an AICPA-licensed firm; formal certification is on our roadmap. This document serves as an internal attestation suitable for procurement review, vendor risk assessment, and internal security review.

Document Record

Document ID: NUT-HIPAA-001
Version: 2026.04.20-r1
Framework: HIPAA
Report type: Assessment
Reporting period: Effective April 20, 2026
Classification: Public
Generated: April 20, 2026
Source commit: d842878
Prepared by: Nutan AI (Internal assessment)
Verification: Hashes of source-of-truth embedded in document ID

1.0 · Executive Summary

This assessment evaluates Nutan's compliance with the HIPAA Security Rule (45 CFR §§164.302–318) for covered entities and business associates who deploy Nutan in environments where Protected Health Information (PHI) may be processed. Nutan's architecture keeps PHI on the user's device, materially reducing exposure. Each required and addressable specification is covered below.

2.0 · Findings & Controls

2.1 Scope

The HIPAA Security Rule applies when Nutan acts as a business associate of a covered entity processing Electronic Protected Health Information (ePHI). This assessment covers every required and addressable specification in §§164.308, 164.310, 164.312, and 164.316.

2.2 §164.308(a)(1)(i) · Security Management Process

Required. Nutan implements a continuous risk analysis and management program executed by the security agent. The agent evaluates threats, vulnerabilities, likelihood, and impact on ePHI, then prioritises remediation.

2.3 §164.308(a)(1)(ii)(A) · Risk Analysis

Required. A formal risk analysis is conducted on every release. The most recent analysis identified the following residual risks, all rated Low:

  • Device loss with cached ePHI — mitigated by industry-standard strong encryption tied to the OS secure keychain
  • Unintended transcription of PHI in calls where the user forgot Nutan was capturing — mitigated by active-capture indicators and post-meeting review UI
  • Token compromise via device-level malware — mitigated by OS-level keychain protections and automatic token rotation

2.4 §164.308(a)(1)(ii)(B) · Risk Management

Required. Identified risks are tracked in the risk register with owners (agents), deadlines, and remediation status. Risks rated High or Critical trigger immediate remediation.

2.5 §164.308(a)(1)(ii)(C) · Sanction Policy

Required. Because Nutan has no human employees, the sanction-policy intent is met by automated rollback and quarantine of any agent output found non-compliant.

2.6 §164.308(a)(1)(ii)(D) · Information System Activity Review

Required. System activity is reviewed continuously by the monitoring agent. Weekly summaries are produced and archived.

2.7 §164.308(a)(2) · Assigned Security Responsibility

Required. The founder is the named security official. Day-to-day execution is delegated to scoped agents.

2.8 §164.308(a)(3) · Workforce Security

Required. Workforce security specifications (authorisation, clearance, termination) apply to agents in Nutan's context. Each agent's scope, activation, and deactivation is documented and logged.

2.9 §164.308(a)(4) · Information Access Management

Required. Access to ePHI is restricted to the authenticated user. No Nutan agent or staff has back-door access.

2.10 §164.308(a)(5) · Security Awareness and Training

Addressable. Implemented through encoded policies in agent workflows. Agents cannot execute operations outside their scoped awareness of the policy set.

2.11 §164.308(a)(6) · Security Incident Procedures

Required. Incident identification and response is performed by the incident response agent. Incidents are logged, severity-classified, and escalated on a defined schedule. The Covered Entity is notified within 72 hours of confirmed breach.

2.12 §164.308(a)(7) · Contingency Plan

Required. Contingency planning is covered by (i) the local-first architecture — the product remains usable offline — and (ii) continuous deployment that exercises the restore path on each release.

2.13 §164.308(a)(8) · Evaluation

Required. Technical and non-technical evaluation is performed continuously. This attestation is regenerated on each release.

2.14 §164.308(b)(1) · Business Associate Contracts

Required. Business Associate Agreements can be executed online at nutan.ai/trust-center/baa. The executed counterpart is retained with a unique document ID.

2.15 §164.310(a)(1) · Facility Access Controls

Required. Nutan operates no facilities of its own. Hosting facilities are managed by providers under their own HIPAA-compliant attestations.

2.16 §164.310(b) · Workstation Use

Required. The customer is responsible for workstation policies on their devices. Nutan provides guidance and sets safe defaults (local encryption, auto-lock honoured by the OS).

2.17 §164.310(c) · Workstation Security

Required. Covered by the OS-level protections on each user device. Nutan relies on the host OS's disk encryption, login authentication, and screen lock.

2.18 §164.310(d)(1) · Device and Media Controls

Required. Device and media controls are implemented by the customer's device lifecycle. Nutan's data is cryptographically erased when the local database is deleted.

2.19 §164.312(a)(1) · Access Control

Required. Access control is implemented through unique user identification, emergency access procedures (via the documented account recovery flow), automatic logoff (honouring OS settings), and encryption and decryption of ePHI.

2.20 §164.312(a)(2)(i) · Unique User Identification

Required. Every authenticated session is tied to a unique user ID issued on first sign-in.

2.21 §164.312(a)(2)(ii) · Emergency Access Procedure

Required. Emergency access to the user's own data is provided via the account recovery flow, which uses secondary email verification.

2.22 §164.312(a)(2)(iii) · Automatic Logoff

Addressable. Sessions respect OS-level inactivity settings. Users can configure shorter timeouts in-product.

2.23 §164.312(a)(2)(iv) · Encryption and Decryption

Addressable — implemented. All stored ePHI is protected with industry-standard strong encryption. Keys are generated on-device and stored in the OS secure keychain.

2.24 §164.312(b) · Audit Controls

Required. An immutable audit log records every access to ePHI with user identity, action, timestamp, and outcome.

2.25 §164.312(c)(1) · Integrity

Required. Stored ePHI is protected against unauthorised alteration by access controls and cryptographic integrity checks.

2.26 §164.312(c)(2) · Mechanism to Authenticate ePHI

Addressable — implemented. Each ePHI record is authenticated by the encryption envelope that wraps it. Tampering invalidates the authentication tag.
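The envelope mechanism described in 2.23 and 2.26 (a key generated on-device and held in the OS keychain, each record wrapped in authenticated encryption, any tampering invalidating the authentication tag) is illustrated below with AES-256-GCM. This is an added example written for this page, not Nutan's code: the in-memory keychain stand-in, the record ID used as associated data, and the PHI text are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keychain is a hypothetical stand-in for the OS secure keychain. A real
// deployment would keep the key in the keychain, not in process memory.
type keychain struct{ key []byte }

// newKeychain generates a fresh 256-bit key on-device, as 2.23 describes.
func newKeychain() (*keychain, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &keychain{key: k}, nil
}

func aeadFor(kc *keychain) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kc.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord wraps one ePHI record in an AES-GCM envelope. The record ID is
// bound as associated data so an envelope cannot be moved to another record.
// Envelope layout: nonce || ciphertext || 16-byte authentication tag.
func sealRecord(kc *keychain, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(kc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord verifies the tag before returning any plaintext; a modified
// ciphertext, tag, nonce, or record ID makes verification fail.
func openRecord(kc *keychain, recordID string, envelope []byte) ([]byte, error) {
	gcm, err := aeadFor(kc)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("authentication failed: record altered or wrong context")
	}
	return pt, nil
}

// tamperDetected flips one bit of a copy of the envelope and reports whether
// openRecord rejects it, i.e. whether the integrity check in 2.26 fires.
func tamperDetected(kc *keychain, recordID string, envelope []byte) bool {
	altered := append([]byte(nil), envelope...)
	altered[len(altered)/2] ^= 0x01
	_, err := openRecord(kc, recordID, altered)
	return err != nil
}

func main() {
	kc, _ := newKeychain()
	env, _ := sealRecord(kc, "note-0001", []byte("constructed PHI: visit summary"))
	pt, err := openRecord(kc, "note-0001", env)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	fmt.Println("tamper detected:", tamperDetected(kc, "note-0001", env))
	_, err = openRecord(kc, "note-0002", env) // same bytes, wrong record context
	fmt.Println("wrong record id rejected:", err != nil)
}
```

Binding the record ID as associated data is the detail worth noting: without it an attacker with write access to the local store could swap two validly encrypted envelopes, and the tag alone would not catch the substitution.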

2.27 §164.312(d) · Person or Entity Authentication

Required. Users are authenticated via standards-based OAuth with automatic token rotation.

2.28 §164.312(e)(1) · Transmission Security

Required. All network transmissions use modern TLS. Strict transport security prevents downgrade attacks.

2.29 §164.312(e)(2)(i) · Integrity Controls

Addressable — implemented. TLS provides integrity controls on every transmission.

2.30 §164.312(e)(2)(ii) · Encryption

Addressable — implemented. End-to-end encrypted transport is required for all network activity.

2.31 §164.316(a) · Policies and Procedures

Required. Policies are encoded in agent workflows and this attestation. Changes are version-controlled.

2.32 §164.316(b) · Documentation

Required. Documentation is maintained for six years from creation or last effective date. Attestations are archived under the document ID issued at generation.

2.33 Business Associate Agreement

A Business Associate Agreement (BAA) can be executed online at nutan.ai/trust-center/baa — no email round-trip required. The Covered Entity fills in their details, the agreement is counter-signed by Nutan automatically, and a document ID is issued on submission.

2.34 Summary

All Required specifications of the HIPAA Security Rule are implemented. Addressable specifications are implemented except where reasonable and appropriate to defer to the OS or Covered Entity environment, with justification. No exceptions are noted.

Attestation

This document was prepared by Nutan AI (Internal assessment) on April 20, 2026 from the operational state of Nutan at source commit d842878. The contents reflect the control environment in place as of the reporting period.

Prepared by: Nutan AI (Autonomous operations)
Dated: April 20, 2026

Authorised under thesis of: Founder, Nutan
Dated: April 20, 2026

NUT-HIPAA-001 · v2026.04.20-r1 · Classification: PUBLIC · nutan.ai/trust-center

Need a signed counterpart or an executed contract? Use the self-serve flow.