Scope & PHI Inventory¶
Covered Entity / Business Associate Status¶
We operate as a Business Associate — we process, store, and transmit PHI on behalf of covered entities (healthcare providers). Our BAA with AWS is signed, making AWS a sub-Business Associate for the infrastructure we use.
HIPAA Scope Boundary¶
The HIPAA security program applies to:
| Environment | Account | In Scope | Reason |
|---|---|---|---|
| NHC Django API | NHC AWS account | Yes — Primary | Stores and processes PHI |
| NHC Migrated Apps | NHC AWS account | Yes | Connect to Django API, may handle PHI |
| NVS Screenshot Storage (S3) | NVS AWS account | Yes | Screenshots may capture PHI from VA sessions |
| NVS Laravel App | NVS AWS account | Partial | Calls NHC API; does not store PHI directly |
| Management/Root AWS account | Org management | Indirect | Billing and org controls only — no PHI |
PHI Data Inventory¶
| Data Type | Location | Format | Sensitivity |
|---|---|---|---|
| Patient records | NHC Django API (database) | Structured (DB rows) | High |
| PHI transmitted via API | NHC Django API (transit) | JSON/REST | High |
| Screenshots of VA sessions | NVS S3 bucket (to be created) | Image files | High (potential) |
| Migrated app data | NHC account (pending deployment) | TBD | High |
What Is PHI¶
Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained in any form that relates to:
- Past, present, or future physical or mental health of an individual
- Provision of health care to an individual
- Past, present, or future payment for provision of health care
The 18 HIPAA identifiers (names, dates, geographic data, phone numbers, email addresses, SSNs, medical record numbers, etc.) make health information "individually identifiable."
Out of Scope¶
- Developer laptops and local environments (covered by workforce training policy)
- Third-party SaaS tools that do not receive PHI (verify via BAA tracker)
PHI Data Flow Summary¶
See Data Flows for detailed diagrams.
- Patient data enters via NHC Django API
- NVS Laravel calls NHC API to retrieve data for VA sessions
- VA screenshots taken in NVS may render PHI visible — screenshots stored in encrypted S3