HIPAA Compliance & Security
Stillpoint provides built-in tools to help your practice meet HIPAA requirements. The Compliance page centralizes your BAA status, audit logging, data retention settings, and encryption information.
Accessing Compliance Settings
Navigate to Settings > Compliance in the sidebar. The page is organized into four tabs: Status, Audit Log, Retention, and Encryption.
Business Associate Agreement (BAA)
The BAA is the legal agreement between your practice (the Covered Entity) and Stillpoint (the Business Associate) governing how Protected Health Information (PHI) is handled.
Accepting the BAA
- Open the Status tab on the Compliance page
- Click Review & Accept BAA
- Read the full agreement in the modal
- Enter your Covered Entity name if it differs from your practice name
- Click Accept to enable HIPAA mode
Once accepted, the page shows the BAA version, acceptance date, and who accepted it. HIPAA-compliant features (audit logging, data retention controls, encryption info) become available.
Viewing the BAA
After acceptance, click View Agreement to re-read the full BAA at any time.
Audit Log
The audit log records every access to Protected Health Information across your practice:
- Who accessed the data (practitioner name and role)
- What was accessed (client record, note, form submission)
- When the access occurred
- Action type (view, create, update, delete)
Access the audit log from the Audit Log tab. The log is searchable and filterable, and it is retained according to your data retention policy.
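Added example, not Stillpoint's own code: a Python review script that runs over an assumed JSON-lines export of audit events carrying the fields listed above (actor, role, resource type, resource id, action, timestamp) and flags two patterns worth a second look during a periodic review: a practitioner viewing many distinct client records in a short window, and delete actions by a role not expected to delete PHI. The export format, field names, thresholds and allowed roles are all assumptions, since the page does not document an export.

```python
# Added review script: flag patterns in an audit export. Assumed format (not
# documented by Stillpoint): one JSON object per line with the fields below.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export covering the fields the Audit Log tab shows.
SAMPLE_EVENTS = """\
{"actor":"dr.lee","role":"practitioner","type":"client_record","id":"c-101","action":"view","ts":"2024-03-04T09:00:00Z"}
{"actor":"dr.lee","role":"practitioner","type":"client_record","id":"c-102","action":"view","ts":"2024-03-04T09:01:00Z"}
{"actor":"dr.lee","role":"practitioner","type":"client_record","id":"c-103","action":"view","ts":"2024-03-04T09:02:00Z"}
{"actor":"dr.lee","role":"practitioner","type":"client_record","id":"c-104","action":"view","ts":"2024-03-04T09:03:00Z"}
{"actor":"dr.lee","role":"practitioner","type":"client_record","id":"c-105","action":"view","ts":"2024-03-04T09:04:00Z"}
{"actor":"dr.kim","role":"practitioner","type":"client_record","id":"c-201","action":"view","ts":"2024-03-04T09:05:00Z"}
{"actor":"front.desk","role":"staff","type":"form_submission","id":"f-9","action":"delete","ts":"2024-03-04T09:07:00Z"}
{"actor":"owner","role":"admin","type":"note","id":"n-12","action":"delete","ts":"2024-03-04T09:08:00Z"}
"""

BULK_VIEW_THRESHOLD = 5              # distinct client records within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
DELETE_ALLOWED_ROLES = {"admin"}     # assumption: only admins should delete PHI

def parse_events(text):
    """Parse a JSON-lines export into dicts with an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_bulk_views(events, threshold=BULK_VIEW_THRESHOLD, window=BULK_WINDOW):
    """Actors who viewed at least `threshold` distinct client records inside one window."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "view" and ev["type"] == "client_record":
            per_actor[ev["actor"]].append(ev)
    flagged = set()
    for actor, views in per_actor.items():
        for i, first in enumerate(views):      # sliding window anchored at each view
            ids = {v["id"] for v in views[i:] if v["ts"] - first["ts"] <= window}
            if len(ids) >= threshold:
                flagged.add(actor)
                break
    return flagged

def find_unexpected_deletes(events, allowed_roles=DELETE_ALLOWED_ROLES):
    """(actor, resource id) for delete actions by roles not expected to delete PHI."""
    return [(ev["actor"], ev["id"]) for ev in events
            if ev["action"] == "delete" and ev["role"] not in allowed_roles]
```

Tune the threshold and window to your practice's normal caseload so that a busy clinic day does not page you for routine chart review.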
Data Retention
Configure how long PHI records are kept before becoming eligible for deletion:
- Open the Retention tab
- Select a retention period (5, 6, 7, or 10 years)
- Click Save Settings
HIPAA requires a minimum of 6 years. The default is 7 years. Some states may require longer periods -- consult your compliance officer for specific requirements.
Encryption
The Encryption tab provides information about how your data is protected:
- At rest -- All data stored in the database is encrypted using AES-256
- In transit -- All connections use TLS 1.2 or higher
- Clinical notes -- Encrypted at the application layer with practice-specific keys
- Backups -- Database backups are encrypted and stored in a separate region
Quick Stats
When HIPAA mode is active, the Status tab displays summary cards showing:
- HIPAA Mode status (Active)
- Total audit events recorded
- Current BAA version
Tips
- Accept the BAA before storing any PHI in Stillpoint
- Review the audit log periodically to monitor access patterns
- Set your retention period to match your state's requirements, not just the federal minimum
- The BAA must be accepted by a practice owner or admin