
HIPAA Compliance

LegalLogix is built from the ground up with HIPAA compliance in mind, protecting your clients' protected health information (PHI).

🛡 HIPAA Compliant Platform

Last Updated: January 1, 2025

Personal injury law firms handle sensitive medical records and protected health information (PHI) as part of their daily operations. LegalLogix understands these responsibilities and has implemented comprehensive safeguards to help your firm maintain HIPAA compliance.

1. Our Commitment to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. As a Business Associate to law firms that handle PHI, StaxxLogix is committed to:

  • Implementing appropriate administrative, physical, and technical safeguards
  • Ensuring the confidentiality, integrity, and availability of PHI
  • Protecting against reasonably anticipated threats and unauthorized uses
  • Ensuring workforce compliance with HIPAA requirements
  • Reporting any security incidents or breaches as required by law

2. Business Associate Agreement (BAA)

StaxxLogix will execute a Business Associate Agreement (BAA) with covered entities as required by HIPAA. The BAA establishes:

  • Permitted uses and disclosures of PHI
  • Safeguards we implement to protect PHI
  • Breach notification procedures and timelines
  • Terms for return or destruction of PHI upon termination
  • Subcontractor compliance requirements

To request a BAA, please contact us at sales@staxxlogix.com.

3. Administrative Safeguards

We have implemented the following administrative safeguards:

Security Management

Formal security policies and procedures governing PHI handling, with regular risk assessments.

Workforce Training

All employees receive HIPAA training and sign confidentiality agreements.

Access Management

Role-based access controls ensure users only access information necessary for their job functions.

Incident Response

Documented procedures for identifying, responding to, and reporting security incidents.

Contingency Planning

Data backup, disaster recovery, and emergency operations plans to ensure PHI availability.

Business Associate Management

Written agreements with all subcontractors who may access PHI, ensuring downstream compliance.

4. Physical Safeguards

Our physical security measures include:

  • Data Center Security: Our infrastructure is hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance certifications
  • Facility Access Controls: Data centers employ 24/7 security, biometric access controls, and video surveillance
  • Workstation Security: Policies governing the use and security of devices accessing PHI
  • Device Controls: Procedures for the receipt, removal, and disposal of hardware containing PHI

5. Technical Safeguards

LegalLogix employs robust technical safeguards to protect PHI:

5.1 Access Controls

  • Unique User Identification: Every user has a unique login credential
  • Automatic Logoff: Sessions time out after periods of inactivity
  • Multi-Factor Authentication (MFA): Optional MFA via Google Authenticator
  • Role-Based Permissions: Six user levels (Admin, Law Firm Admin, Attorney, Case Manager, Paralegal, Client) with granular access controls

5.2 Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Data at Rest: All stored data is encrypted using AES-256 encryption
  • Secure Messaging: Internal messaging system designed to keep PHI within the platform, with email notifications that do not contain sensitive content

5.3 Audit Controls

  • Comprehensive Audit Logging: All system activities are logged, including user access, data modifications, and system events
  • Audit Trail Details: Logs capture who, what, when, where (IP address), and how for all CRUD operations
  • Log Retention: Audit logs are retained for the duration required by law and your retention policies
  • Tamper Protection: Audit logs are protected against modification or deletion

5.4 Integrity Controls

  • Input Validation: All user inputs are validated and sanitized
  • SQL Injection Prevention: Parameterized queries protect against database attacks
  • XSS Protection: Content Security Policy (CSP) and output encoding prevent cross-site scripting
  • CSRF Protection: Token-based protection against cross-site request forgery

5.5 Transmission Security

  • HTTPS Enforcement: All connections require HTTPS; HTTP connections are automatically redirected
  • Secure APIs: All API communications are authenticated and encrypted
  • SFTPGo Integration: Secure file transfer protocols for document exchange

6. Secure Messaging Features

LegalLogix includes a secure messaging system specifically designed for HIPAA compliance:

  • In-Platform Messaging: PHI stays within the secure platform rather than being transmitted via email
  • Email Notifications: Notification emails inform users of new messages without including sensitive content
  • Thread-Based Conversations: Organized message threads with full history
  • Read Receipts: Track when messages are delivered and read
  • Message Archiving: All messages are retained according to compliance requirements

7. Client Portal Security

The LegalLogix Client Portal provides secure access for your clients while maintaining HIPAA compliance:

  • Separate Authentication: Clients have dedicated login credentials separate from staff
  • Email Verification: Required email verification for account activation
  • Optional MFA: Multi-factor authentication available for enhanced security
  • Controlled Access: Firms control which documents and information clients can view
  • Session Management: Automatic timeout and secure session handling
  • Document Visibility Controls: Granular settings to show/hide documents from clients

8. Data Backup and Recovery

We maintain comprehensive backup and recovery procedures:

  • Regular Backups: Automated daily backups of all data
  • Geographic Redundancy: Backups stored in multiple geographic locations
  • Encrypted Backups: All backup data is encrypted
  • Recovery Testing: Regular testing of recovery procedures
  • Recovery Time Objective: Systems designed for rapid recovery in case of disaster

9. Breach Notification

In the event of a security incident involving PHI, StaxxLogix will:

  • Investigate and contain the incident immediately
  • Notify affected covered entities within 24 hours of discovery (or as specified in BAA)
  • Provide detailed information about the nature of the breach, data affected, and remediation steps
  • Cooperate fully with covered entities in breach notification to affected individuals and HHS as required
  • Document the incident and response for compliance records

10. Your Responsibilities

While LegalLogix provides a HIPAA-compliant platform, your firm also has responsibilities:

  • User Management: Maintain appropriate user access levels and promptly deactivate departed employees
  • Strong Passwords: Require strong, unique passwords for all users
  • MFA Adoption: Enable and encourage multi-factor authentication
  • Staff Training: Train your staff on HIPAA requirements and proper use of the platform
  • Device Security: Secure devices used to access LegalLogix with passwords, encryption, and antivirus software
  • Incident Reporting: Report any suspected security incidents to us immediately

11. Subcontractors

We use the following subcontractors who may have access to PHI, all of whom maintain HIPAA-compliant practices:

  • Google Cloud Platform: Cloud infrastructure and storage (BAA in place)
  • Google Cloud Document AI: Document processing services (BAA in place)

12. Questions and Contact

For questions about our HIPAA compliance practices, to request a Business Associate Agreement, or to report a security concern:

  • Email: sales@staxxlogix.com
  • Phone: (702) 800-0112
  • Website: staxxlogix.com

Note: This page provides an overview of our HIPAA compliance measures. It is not intended as legal advice. Law firms should consult with their own compliance officers and legal counsel regarding their HIPAA obligations.
