Security and Compliance


Oystehr is HIPAA (opens in a new tab) compliant from the ground up.

A dedicated security team ensures our systems are secure and compliant with HIPAA regulations and a dedicated compliance team does the same for our policies and procedures.

Employees complete annual HIPAA training and certify their understanding of HIPAA policies and procedures. Additionally, employees are granted the least permissions necessary. As a result, very few employees have any access to PHI at all.


Oystehr's infrastructure as code toolset uses HIPAA-specific linters (opens in a new tab) which run with every infrastructure build, alerting us to any potential HIPAA-concerns before infrastructure deploys even in the lowest environments. We also monitor HIPAA-compliance at runtime using the AWS Config HIPAA Conformance Pack (opens in a new tab).

These tools help us to enforce encryption at rest and in transit as required by HIPAA.

Business Associates and Service Partners

Oystehr maintains BAAs with all underlying service partners accessing PHI. This legally establishes the appropriate chain of liability and means that you can be confident partners will comply with their obligations including:

  • Encrypting PHI both at rest and in transit
  • Responding promptly to patient requests to retrieve or amend PHI
  • Sending timely notifications in the event of a data breach

Your single BAA with Oystehr covers the broad variety of uses for any Oystehr service you invoke. Of course, adhering to a BAA is a shared responsibility between the Covered Entity and the Business Associate, so we encourage you contact us if you need help or have questions about appropriately securing your Oystehr data or service use.

Our Customers

Oystehr maintains a Business Associate Agreement (BAA) with all of our customers, whether they are Covered Entities or Business Associates themselves. You can find our BAA here (opens in a new tab).

While testing out Oystehr using the Sandbox Project, customers are required to not persist any PHI. Only once the HIPAA BAA is signed are customers allowed to persist PHI in Oystehr.

HIPAA Officer Contact

If you have questions or concerns about HIPAA compliance at Oystehr, please contact our HIPAA Officers.

Additional resources