doclish is designed to support organizations that handle Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Our platform implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) in our custody.
doclish will execute a Business Associate Agreement (BAA) with any Covered Entity or Business Associate that uses the platform to store, transmit, or process PHI. BAAs are available on all paid plans and can be requested by contacting compliance@doclish.com.
doclish does not operate physical data centers. All infrastructure is hosted on Cloudflare's global network, which maintains SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. Physical security controls — including facility access, environmental protections, and hardware disposal — are managed by Cloudflare in accordance with its compliance programs.
doclish enforces the minimum necessary standard by default. Users see only the documents and records assigned to their workspace. Cross-tenant data isolation prevents unauthorized access between organizations. Administrative controls allow workspace owners to restrict access to specific documents and contacts.
In the event of a breach of unsecured PHI, doclish will notify affected Covered Entities without unreasonable delay and no later than 60 days from discovery, consistent with 45 CFR § 164.410. Notifications will include the nature of the breach, the types of information involved, recommended mitigation steps, and the corrective actions taken.
PHI is retained in accordance with each organization's retention policy. Upon termination of a BAA or at the request of the Covered Entity, doclish will return or destroy all PHI in its possession, including backup copies, within 30 days. Destruction methods include cryptographic erasure and secure deletion of storage media.
For HIPAA-related inquiries, BAA requests, or to report a potential security incident involving PHI, contact our compliance team at compliance@doclish.com.