# HIPAA BAA Readiness Checklist

## Framing: Infrastructure-Ready vs Executed BAA
Sovereign Git's infrastructure implements the HIPAA Security Rule Technical Safeguards. We document this honestly to help healthcare and health-tech teams evaluate our posture. A signed Business Associate Agreement (BAA) has not yet been executed; that is a legal step requiring an authorized signatory (named gate: Iskra plus legal counsel).

Healthcare teams storing PHI-adjacent source code (not PHI itself, but code that processes PHI) need a BAA with a platform provider if that provider may access PHI. Contact sales to initiate the BAA discussion.
## HIPAA Security Rule Technical Safeguards: Checklist
| 45 CFR § | Safeguard | Implementation | Status |
|---|---|---|---|
| §164.312(a)(1) | Unique User Identification | Authentik SAML: every access tied to authenticated unique user identity. No shared accounts. | IMPLEMENTED |
| §164.312(a)(2)(i) | Emergency Access Procedure | Admin token in secure vault (/etc/bot-env/). Break-glass procedure documented. | IMPLEMENTED |
| §164.312(a)(2)(iii) | Automatic Logoff | Authentik session timeout configurable per tenant (default 8h, HIPAA profile 1h). | IMPLEMENTED |
| §164.312(a)(2)(iv) | Encryption and Decryption | AES-256 encryption at rest. TLS 1.2+ in transit. BYO-LLM keys: Fernet/AES-256 with HKDF. No plaintext secrets in any log. | IMPLEMENTED |
| §164.312(b) | Audit Controls | F9 cryptographic audit trail: every push, merge, access, and admin action. Append-only Redis Stream. Tamper-evident by design. | IMPLEMENTED |
| §164.312(c)(1) | Integrity Controls | Cryptographic commit hashes (git SHA). F9 stream integrity: entries cannot be modified post-write. TLS prevents transit tampering. | IMPLEMENTED |
| §164.312(d) | Person Authentication | MFA enforced via Authentik (TOTP/WebAuthn). SAML assertion from IdP required for access. No password-only access for enterprise tenants. | IMPLEMENTED |
| §164.312(e)(1) | Transmission Security | TLS 1.2+ on all endpoints. Traefik terminates TLS. No HTTP fallback for authenticated endpoints. | IMPLEMENTED |
| BAA Execution | Signed Business Associate Agreement | BAA template drafted. Requires Iskra (authorized signatory) + legal counsel review and execution. | LEGAL GATE |
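The Audit Controls and Integrity Controls rows state that the F9 stream is append-only and that entries cannot be modified post-write, but the page does not say how tamper evidence is achieved. The following added example (illustrative code, not Sovereign Git's F9 implementation) shows the common approach: each entry commits to the SHA-256 of the previous one, so editing, reordering or deleting an earlier record breaks verification. The event records, actor names and repository names are constructed for the demo. It also shows the caveat a reviewer would check: a hash chain alone cannot detect truncation of the tail, so the latest head hash must be anchored somewhere the stream writer cannot alter.

```python
"""Hash-chained, append-only audit trail with verification (illustrative).

Assumed design, not the project's own: every entry stores the hash of its
predecessor plus its own hash over (prev_hash || canonical event JSON).
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the first entry


def _canonical(event: Dict) -> bytes:
    # Deterministic serialization so identical events always hash identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, event: Dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(event))
    return h.hexdigest()


class AuditTrail:
    """Append-only in-memory stream; stands in for an XADD-only Redis Stream."""

    def __init__(self) -> None:
        self._entries: List[Dict] = []

    def append(self, actor: str, action: str, target: str) -> Dict:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        event = {"seq": len(self._entries), "actor": actor,
                 "action": action, "target": target}
        entry = {"event": event, "prev_hash": prev_hash,
                 "hash": _entry_hash(prev_hash, event)}
        self._entries.append(entry)
        return entry

    def head_hash(self) -> str:
        # The value to anchor externally (e.g. periodically signed and stored
        # outside the stream) so that tail truncation becomes detectable.
        return self._entries[-1]["hash"] if self._entries else GENESIS_HASH

    def entries(self) -> List[Dict]:
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain; return (True, 'ok') or (False, reason) at the first defect."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(entries):
        event = entry["event"]
        if event.get("seq") != i:
            return (False, f"sequence gap at position {i}")
        if entry["prev_hash"] != prev_hash:
            return (False, f"broken link at seq {i}")
        if _entry_hash(prev_hash, event) != entry["hash"]:
            return (False, f"hash mismatch at seq {i}")
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return (False, "head mismatch: entries missing from the tail")
    return (True, "ok")


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed events: an intact trail and three kinds of tampering."""
    trail = AuditTrail()
    trail.append("alice", "push", "repo/phi-etl")
    trail.append("bob", "merge", "repo/phi-etl#42")
    trail.append("admin", "token_rotate", "admin-token")
    head = trail.head_hash()

    intact = trail.entries()
    tampered = trail.entries()
    tampered[1]["event"] = dict(tampered[1]["event"], actor="mallory")  # rewrite actor
    deleted = intact[:1] + intact[2:]   # remove a middle entry
    truncated = intact[:2]              # drop the newest entry

    return {
        "intact": verify_chain(intact, head),
        "tampered": verify_chain(tampered, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),       # undetected!
        "truncated_anchored": verify_chain(truncated, head),  # detected
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

The `truncated_no_anchor` case is the point to take away when evaluating an "append-only stream" claim: a Redis Stream is append-only at the client protocol level, but an operator with server access can still trim or delete entries, so a hash chain only proves integrity up to the last hash that has been recorded outside the operator's reach.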
## HHS 2026 Security Rule Modernization Alignment
- Multi-factor authentication (MFA) for all remote access: implemented via Authentik (TOTP + WebAuthn)
- Encryption of ePHI at rest and in transit: AES-256 at rest, TLS 1.2+ in transit
- Vulnerability scanning of software assets: F1 AI code review (Semgrep OSS) on every PR
- Network segmentation: tenant namespace isolation, no cross-tenant data access
- Audit trail for access to ePHI-adjacent systems: F9 cryptographic audit stream
- Incident response plan documentation: runbooks in Forgejo wiki, alert routing to on-call
- Annual technical risk analysis: not yet formally completed — roadmap item for BAA-tier customers
- Business Associate Agreements with sub-processors: Stripe (payment only), Authentik (self-hosted, not a sub-processor), Brevo (notification only, not PHI-adjacent)
## AI Code Review and PHI

The AI code review feature (F1) analyzes code diffs. For HIPAA-tier customers, BYO-LLM keys route review requests to a customer-specified LLM endpoint rather than to empire-pooled AI services, so code diffs (which may contain PHI-related logic) are processed only by the customer's chosen model. No code is retained by the review engine beyond the request lifecycle.