HIPAA Compliance
Leo is designed from the ground up to meet and exceed HIPAA requirements for protecting your Protected Health Information (PHI). We implement all required safeguards and maintain a rigorous security program.
Note: While Leo implements all HIPAA-required safeguards, our BAA with Google Cloud and official third-party certification are currently in progress. Contact us for our current compliance documentation.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards for protecting sensitive patient health information. HIPAA requires healthcare organizations and their business associates to implement administrative, physical, and technical safeguards.
Administrative Safeguards
All Implemented
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
Physical Safeguards
All Implemented
- Facility Access Controls
- Workstation Use Policies
- Workstation Security
- Device and Media Controls
Technical Safeguards
All Implemented
- Access Control
- Audit Controls
- Integrity Controls
- Person/Entity Authentication
- Transmission Security
How We Protect Your PHI
We go beyond minimum requirements to provide comprehensive protection for your Protected Health Information.
AES-256 Encryption
All PHI is encrypted at rest using AES-256-GCM, the same standard used by the U.S. government for classified information.
Field-Level Encryption
Sensitive health data fields receive additional encryption, so even database administrators cannot read your information.
Audit Logging
Every access to PHI is logged with tamper-evident audit trails maintained for 7+ years as required by HIPAA.
Role-Based Access
Healthcare providers only see the minimum necessary information. Access is controlled by your explicit consent.
TLS 1.3 Transport
All data in transit is protected with TLS 1.3 encryption with certificate pinning to prevent interception.
Isolated Infrastructure
Healthcare data is stored in isolated, HIPAA-compliant data centers with physical and logical separation.
Certification Timeline
Our journey to third-party validated HIPAA compliance.
BAA with Google Cloud
In Progress
Business Associate Agreement with Google Cloud Platform in progress
2025
HIPAA Controls Implementation
Complete
All required administrative, physical, and technical safeguards implemented
2025
Internal Security Audit
Complete
Comprehensive review of all HIPAA compliance controls
2025
Third-Party Assessment
In Progress
Independent third-party HIPAA compliance assessment
2026
SOC 2 Type II Audit
Planned
Security, availability, and confidentiality audit by certified auditor
2026
HITRUST CSF Certification
Planned
Healthcare industry gold standard certification
2026
Your HIPAA Rights
HIPAA gives you important rights regarding your Protected Health Information.
Right to Access
You can access all your PHI stored in Leo at any time through the app or by requesting an export.
Right to Amendment
You can request corrections to any inaccurate health information in your record.
Right to Accounting
You can request a list of all disclosures of your PHI made by Leo.
Right to Restriction
You can request restrictions on how we use or disclose your PHI.
Right to Delete
You can request complete deletion of your PHI from our systems.
Right to Breach Notice
You will be notified within 60 days if your PHI is involved in a security breach.
Business Associate Agreements
If your organization requires a Business Associate Agreement (BAA) for HIPAA compliance, we are actively working on establishing BAAs with our cloud infrastructure providers.
Questions About HIPAA Compliance?
Our compliance team is happy to discuss our HIPAA implementation, provide documentation, or address specific requirements for your organization.