Common questions about HIPAA compliance, data security, and privacy protections in Quilia for personal injury law firms.
Who can see the information clients submit?
Only your firm. You control access within your team. Nothing is shared with third parties and everything is encrypted.
How does Quilia maintain attorney-client privilege?
We've spoken with multiple discovery commissioners, and they've confirmed that privilege is preserved as long as (1) the client is invited after signing the retainer, and (2) only the law firm has access to the client's info. Quilia checks both boxes—just like email or text communication, it's protected.
Who can invite a client to Quilia?
Only the attorney or their firm can invite a client to use Quilia. This ensures attorney-client privilege starts at the right point—after a retainer is signed—and no outside party is ever involved in the onboarding process.
Who can see the data clients enter?
Only the attorney and their authorized team. Client-submitted data is not visible to doctors, insurance companies, or any third party—keeping everything squarely within attorney-client privilege.
Is Quilia HIPAA-compliant?
Yes. We meet all HIPAA requirements and maintain ongoing compliance monitoring. We use dual-layer encryption (database-level AES-256 + custom application-level AES-256-GCM), enforced multi-factor authentication, and enterprise-grade cloud infrastructure from SOC 2 certified providers like Supabase, Vercel, and Expo.
What does HIPAA compliance mean in Quilia?
It means client medical and personal data is protected with enterprise-grade security including dual-layer encryption, row-level security (RLS), role-based access controls, automated daily backups, real-time monitoring, and comprehensive audit logging. We handle PHI with the same strict safeguards as hospitals and healthcare providers.
Does HIPAA compliance cover messaging and uploads?
Yes. Every message, document, and treatment update is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Our CaseChat real-time messaging feature includes encrypted WebSocket connections, secure cross-platform sync, and automatic translation services. All data is protected with row-level security, ensuring only your authorized team can access it.
Do we need a separate HIPAA agreement with Quilia?
We can provide a Business Associate Agreement (BAA) if your organization requires one. Our standard BAA includes all required HIPAA provisions and can be customized to meet your specific needs. Contact our compliance team to request a BAA or learn more about our HIPAA compliance program.
What cloud providers does Quilia use for HIPAA compliance?
Quilia uses enterprise-grade, SOC 2 certified cloud providers including Supabase for database and authentication, Vercel for web portal and API functions, and Expo for mobile app infrastructure. All providers maintain comprehensive physical security controls, 24/7 monitoring, and regular security audits.
How does Quilia's dual-layer encryption work?
Quilia implements dual-layer encryption for maximum security. First, Supabase provides AES-256 encryption for all data at rest at the database level. Second, we use custom AES-256-GCM application-level encryption for sensitive integration credentials and session data. All data in transit uses TLS 1.3 encryption.
What is row-level security (RLS) in Quilia?
Row-level security (RLS) is enforced by the database itself: each query returns only the rows the requesting user is authorized to view. In practice, clients can see only their own case data, attorneys can access only their firm's data, and system administrators are subject to their own access controls. Because the policy is evaluated inside the database on every query rather than only in application code, the restriction holds regardless of which part of the system issues the query.
How does Quilia handle real-time messaging securely?
Our CaseChat feature uses encrypted WebSocket connections with authentication and authorization controls. All messages are encrypted in transit using TLS 1.3 and stored encrypted at rest. The system includes secure cross-platform synchronization, automatic translation services, and read receipt tracking while maintaining HIPAA compliance.
What compliance monitoring does Quilia maintain?
Quilia maintains ongoing compliance monitoring through regular security assessments, policy reviews, and continuous improvement of our security measures. Our compliance program includes comprehensive audit logging, regular security updates, and monitoring to ensure we meet all HIPAA requirements for data protection, access control, and incident response procedures.
How does Quilia protect integration credentials?
All Case Management System (CMS) integration credentials are encrypted using AES-256-GCM before storage. We use API-only integration, meaning we don't store PHI from external CMS systems; we only sync case metadata and facilitate communication. Supported systems include Clio, Filevine, MyCase, Smokeball, Neos, and SmartAdvocate.
What backup and disaster recovery measures does Quilia have?
Quilia maintains automated daily backups through Supabase with geographically distributed storage for redundancy. We have point-in-time recovery capabilities, regular backup testing, and comprehensive disaster recovery procedures with defined recovery time objectives. All backup data is encrypted and stored securely.
How does Quilia handle security incidents?
Quilia maintains comprehensive incident response procedures with a dedicated team including security, legal, and technical personnel. Our response includes immediate detection and assessment, containment measures, investigation and root cause analysis, notification to affected parties as required by HIPAA, remediation measures, and documentation. We also have breach notification procedures in place.