Regulatory Compliance

Health Gorilla adheres to federal, state, and industry-specific standards that govern health data privacy, security, and interoperability. The solution is designed to meet the compliance requirements of healthcare providers, payers, public health agencies, and technology vendors.

HIPAA and HITECH

Health Gorilla operates as a HIPAA-compliant Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

  • Protected health information (PHI) is encrypted in transit and at rest.
  • Audit trails, access controls, and role-based permissions are enforced on every access to PHI.
  • Business Associate Agreements (BAAs) are executed with covered entities and other clients that handle PHI.

SOC 2 Type II

Health Gorilla holds a SOC 2 Type II attestation report (SOC 2 is an independent auditor's attestation rather than a certification), demonstrating ongoing adherence to controls for security, availability, processing integrity, confidentiality, and privacy.

  • An independent auditor examines the controls annually and reports on their operating effectiveness over the review period, not just their design at a point in time.
  • Policies and procedures align with the AICPA Trust Services Criteria.
  • The report is available to clients on request under NDA.

TEFCA Participation

Health Gorilla is a designated Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA).

  • Supports the exchange of clinical data across QHINs.
  • Implements the exchange purposes and security controls required of a QHIN.
  • Follows the Common Agreement and the QHIN Technical Framework (QTF) specifications.

Interoperability Standards

The solution implements the standards adopted by ONC for certified health IT and the industry protocols used for healthcare data exchange, including:

  • HL7® FHIR® (Fast Healthcare Interoperability Resources)
  • HL7 v2 and CDA (Clinical Document Architecture)
  • USCDI (United States Core Data for Interoperability)
  • IHE profiles such as XCA and XDS.b for federated exchange

Client Responsibilities

While Health Gorilla provides a secure and standards-based infrastructure, clients are responsible for:

  • Configuring secure endpoints, access controls, and credentials
  • Monitoring API usage and audit logs for suspicious activity
  • Ensuring downstream systems follow required privacy and consent policies
  • Meeting all applicable regulatory obligations in their jurisdiction
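What "monitoring API usage and audit logs for suspicious activity" can look like in practice, as an added example that is not Health Gorilla's code: two detections run over constructed audit-log lines. The JSON-lines schema (fields ts, client_id, actor, action, resource, status, src_ip), the sample events and the thresholds are assumptions; a real deployment maps them onto whatever the platform actually emits.

```python
"""Detection logic run over sample API audit-log lines.

Added example, not Health Gorilla's code. The JSON-lines schema below
(ts, client_id, actor, action, resource, status, src_ip) is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a real export: a clinician with normal
# activity, a service account enumerating Patient resources, and a burst
# of failed requests from one external address.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "client_id": "app-a", "actor": "dr.lee", "action": "read", "resource": "Patient/1001", "status": 200, "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T09:02:10Z", "client_id": "app-a", "actor": "dr.lee", "action": "read", "resource": "Observation/55", "status": 200, "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T09:15:30Z", "client_id": "app-a", "actor": "dr.lee", "action": "read", "resource": "Patient/1002", "status": 200, "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T09:30:00Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2001", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:30:30Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2002", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:31:00Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2003", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:31:30Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2004", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:32:00Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2005", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:32:30Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2006", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T09:33:00Z", "client_id": "app-b", "actor": "svc-batch", "action": "read", "resource": "Patient/2007", "status": 200, "src_ip": "10.0.0.8"}
{"ts": "2024-05-01T10:00:00Z", "client_id": "app-c", "actor": "unknown", "action": "read", "resource": "Patient/3001", "status": 401, "src_ip": "203.0.113.9"}
{"ts": "2024-05-01T10:00:15Z", "client_id": "app-c", "actor": "unknown", "action": "read", "resource": "Patient/3001", "status": 401, "src_ip": "203.0.113.9"}
{"ts": "2024-05-01T10:00:30Z", "client_id": "app-c", "actor": "unknown", "action": "read", "resource": "Patient/3001", "status": 401, "src_ip": "203.0.113.9"}
{"ts": "2024-05-01T10:00:45Z", "client_id": "app-c", "actor": "unknown", "action": "read", "resource": "Patient/3001", "status": 401, "src_ip": "203.0.113.9"}
{"ts": "2024-05-01T10:05:00Z", "client_id": "app-a", "actor": "dr.lee", "action": "read", "resource": "Patient/9999", "status": 403, "src_ip": "10.0.0.5"}
"""


def parse_log(text):
    """Parse JSON-lines audit events, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def _peak_in_window(items, window, distinct):
    """items: list of (ts, value). Return the largest number of values
    (distinct values when distinct=True) that fall inside any span of
    length `window` starting at one of the items. Quadratic; fine for
    demonstration-sized logs."""
    items = sorted(items, key=lambda item: item[0])
    peak = 0
    for i, (start, _) in enumerate(items):
        inside = [value for ts, value in items[i:] if ts - start <= window]
        count = len(set(inside)) if distinct else len(inside)
        peak = max(peak, count)
    return peak


def detect_patient_enumeration(events, max_patients=5, window=timedelta(minutes=10)):
    """Flag actors who successfully read more than max_patients distinct
    Patient resources within any window: the signature of record snooping
    or bulk export under a single valid credential."""
    reads = defaultdict(list)
    for e in events:
        if e["status"] == 200 and e["resource"].startswith("Patient/"):
            reads[e["actor"]].append((e["ts"], e["resource"]))
    alerts = []
    for actor, items in reads.items():
        peak = _peak_in_window(items, window, distinct=True)
        if peak > max_patients:
            alerts.append({"rule": "patient_enumeration", "actor": actor,
                           "distinct_patients": peak})
    return alerts


def detect_auth_failure_burst(events, threshold=3, window=timedelta(minutes=5)):
    """Flag source addresses producing at least `threshold` 401/403
    responses inside any window: credential guessing, a leaked token being
    tried, or a misconfigured client hammering the API."""
    failures = defaultdict(list)
    for i, e in enumerate(events):
        if e["status"] in (401, 403):
            failures[e["src_ip"]].append((e["ts"], i))
    alerts = []
    for src_ip, items in failures.items():
        peak = _peak_in_window(items, window, distinct=False)
        if peak >= threshold:
            alerts.append({"rule": "auth_failure_burst", "src_ip": src_ip,
                           "failures": peak})
    return alerts


def run_detections(text):
    """Parse the log once and run every rule over it."""
    events = parse_log(text)
    return detect_patient_enumeration(events) + detect_auth_failure_burst(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The enumeration rule is the one that matters most under HIPAA: a valid credential reading many unrelated patient records in a short span is the classic insider-snooping or bulk-export pattern, and access controls alone do not catch it because each individual read is authorized. Tune the thresholds per client role (a batch integration legitimately reads far more records than a clinician) and keep the raw events, since the flagged window is what an investigator will need to reconstruct.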