HIPAA Compliance Documentation
Last Updated: September 1, 2025
Record System, Inc. ("Quilia") is committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. As a Business Associate providing services to law firms, medical providers, and their clients that handle medical information, we have implemented administrative, physical, and technical safeguards to protect Protected Health Information (PHI).
This document outlines our HIPAA compliance program, security measures, and procedures for protecting PHI in accordance with 45 CFR Parts 160 and 164.
Table of Contents
- HIPAA Compliance Statement
- Third-Party Assessments
- Business Associate Agreements
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Data Protection Measures
- Incident Response Procedures
- Training and Compliance
- Audit and Monitoring
- Compliance Contact Information
1. HIPAA Compliance Statement
Quilia acknowledges its status as a Business Associate under HIPAA and is committed to maintaining full compliance with all applicable HIPAA requirements. We understand our obligations to protect PHI and have implemented comprehensive policies, procedures, and technical safeguards to ensure compliance.
Compliance Scope:
- HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)
- HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
- HIPAA Breach Notification Rule (45 CFR Part 160 and Subparts A and D of Part 164)
- HITECH Act requirements for Business Associates
2. Third-Party Assessments
Quilia has undergone comprehensive third-party compliance assessments to validate our HIPAA compliance program and security controls.
Compliance Assessment Process
Quilia's HIPAA compliance program includes regular assessments of our technical and administrative controls against HIPAA requirements. The program is monitored continuously and updated as regulations and our infrastructure change.
Assessment Scope: Data protection, access control, audit logging, policies, vendor management, and incident response procedures.
Ongoing Compliance Monitoring
Compliance is monitored on an ongoing basis through regular security assessments, policy reviews, and continuous improvement of our security measures.
3. Business Associate Agreements
Quilia is prepared to enter into Business Associate Agreements (BAAs) with law firms, medical providers, and other Covered Entities as required by HIPAA. Our standard BAA includes all required provisions and can be customized to meet specific client needs.
BAA Process:
- Contact our compliance team to request a BAA
- Review and execute the agreement
- Maintain ongoing compliance monitoring
- Participate in regular compliance assessments and updates
4. Administrative Safeguards
We have implemented comprehensive administrative safeguards to ensure proper management of PHI and compliance with HIPAA requirements.
Security Officer
Quilia has designated a Security Officer responsible for developing and implementing security policies and procedures, conducting risk assessments, and ensuring ongoing compliance with HIPAA requirements.
Workforce Training
All employees undergo comprehensive HIPAA training upon hire and receive annual refresher training. Training covers:
- HIPAA Privacy and Security Rules
- PHI handling procedures
- Incident reporting requirements
- Sanction policies for violations
Access Management
We maintain strict access controls with role-based permissions, regular access reviews, and immediate deactivation of access upon termination.
5. Physical Safeguards
Physical safeguards protect PHI from unauthorized access, theft, and environmental hazards through controlled access and secure facilities. Quilia does not operate its own data centers; it inherits physical security controls from the cloud providers that host its infrastructure.
Cloud Infrastructure Security
Quilia runs on the following cloud providers, each with the independent attestations noted:
- Supabase (Database & Authentication) - SOC 2 Type II attestation with enterprise-grade data center security
- Vercel (Web Portal, API Functions & Marketing) - SOC 2 attestation with global CDN and edge security
- Expo (Mobile App Platform) - Enterprise-grade mobile app infrastructure following security best practices
Data Center Security Features
- 24/7 physical security monitoring and surveillance
- Multi-factor physical access controls
- Environmental controls (fire suppression, climate control)
- Redundant power and network systems
- Geographic distribution for disaster recovery
- Regular security audits and compliance certifications
Workstation Security
- Secure workstation configurations with automatic updates
- Automatic screen locks and session timeouts
- Clean desk policies for physical workspace security
- Secure disposal of media containing PHI
- Mobile device security: sensitive data on devices is stored with expo-secure-store, which uses the iOS Keychain and the Android Keystore rather than plain app storage
6. Technical Safeguards
Our technical safeguards ensure the confidentiality, integrity, and availability of PHI through advanced security technologies and controls implemented across our multi-platform architecture.
Access Controls
- Enforced Multi-factor Authentication (MFA) - All users are required to enroll a second authentication factor; a password alone never grants access
- Row-Level Security (RLS) - Postgres row-level security policies enforced by the database itself ensure users can only read or modify rows they are authorized to access, regardless of which application path issued the query
- Role-based Access Controls (RBAC) - Granular permissions based on user roles (attorney, client, admin)
- Unique User Identification - Each user has a unique identifier with secure session management, so every PHI access is attributable to one person
- Automatic Session Timeouts - Sessions expire automatically, satisfying the Security Rule's automatic logoff specification
- Strong Password Requirements - Enforced through the Supabase authentication system
Dual-Layer Encryption
Quilia applies two layers of encryption to data at rest and encrypts all data in transit:
- Database-Level Encryption - Supabase provides AES-256 encryption for all data at rest
- Application-Level Encryption - AES-256-GCM authenticated encryption, applied by the application before storage, for integration credentials and session data; because GCM is authenticated, any modification of the stored ciphertext is detected and rejected on decryption
- TLS 1.3 Encryption - All data in transit is encrypted using TLS 1.3
- Encrypted Database Connections - All database connections use encrypted channels
- Secure Key Management - Encryption keys are managed separately from the data they protect and rotated according to documented procedures
- Mobile App Security - Sensitive data on mobile devices is stored using expo-secure-store, which is backed by the iOS Keychain and the Android Keystore
Network Security
- Firewall protection
- Intrusion detection and prevention systems
- Regular security updates and patches
- Network segmentation
- DDoS protection
7. Data Protection Measures
We implement comprehensive data protection measures to ensure PHI is handled securely throughout its lifecycle.
Data Minimization
We collect and process only the minimum amount of PHI necessary to provide our services, consistent with HIPAA's minimum necessary standard, and grant workforce members and system components only the access their function requires (least privilege).
Real-Time Communication Security (CaseChat)
CaseChat is an optional real-time messaging feature that enables secure communication between attorneys and clients:
- Encrypted Real-Time Messaging - All messages are encrypted in transit using TLS 1.3 and stored encrypted at rest
- WebSocket Security - Secure WebSocket connections with authentication and authorization controls
- Message Translation - Optional automatic translation of messages for multi-language support
- Read Receipt Tracking - Secure read receipt functionality with real-time synchronization across platforms
- Cross-Platform Sync - Messages sync securely across mobile app, web portal, and browser extension
- Optional Feature - CaseChat can be disabled per organization if not required
Third-Party Integration Security
Quilia integrates with various Case Management Systems (CMS) to facilitate data exchange while maintaining security:
- Encrypted Credential Storage - All CMS integration credentials are encrypted using AES-256-GCM before storage
- API-Only Integration - Quilia does not store PHI from external CMS systems; we only sync case metadata and facilitate communication
- Supported Systems - Integrations with Clio, Filevine, MyCase, Smokeball, Neos, SmartAdvocate, and CasePeer
- Secure Data Transmission - All data exchange with CMS systems uses encrypted API connections
- Session Management - Session tokens for ongoing CMS connections are stored encrypted and refreshed automatically
Data Backup and Recovery
- Automated Daily Backups - Supabase provides automatic daily backups of all data
- Geographically Distributed Storage - Backups are stored in multiple geographic locations for redundancy
- Point-in-Time Recovery - Ability to restore data to specific points in time
- Regular Backup Testing - Backup integrity is regularly validated and tested
- Disaster Recovery Procedures - Comprehensive disaster recovery plans with defined recovery time objectives
Data Retention and Disposal
We maintain clear data retention policies and secure disposal procedures for PHI that is no longer needed, including secure deletion and media destruction.
8. Incident Response Procedures
We maintain comprehensive incident response procedures to quickly identify, contain, and remediate any security incidents involving PHI.
Incident Response Team
Our dedicated incident response team includes security, legal, and technical personnel who are trained to handle PHI security incidents.
Response Procedures
- Immediate incident detection and assessment
- Containment and mitigation measures
- Investigation and root cause analysis
- Notification to affected parties as required
- Remediation and prevention measures
- Documentation and reporting
Breach Notification
In the event of a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, as required of Business Associates by 45 CFR 164.410, and will notify affected individuals and regulatory authorities where the applicable BAA or state law assigns that responsibility to us.
9. Training and Compliance
Ongoing training and compliance monitoring ensure our team maintains the highest standards of HIPAA compliance.
Employee Training Program
- Comprehensive HIPAA training for all new employees
- Annual refresher training and updates
- Role-specific training for different job functions
- Regular security awareness training
- Training completion tracking and documentation
Compliance Monitoring
- Regular compliance assessments and audits
- Policy and procedure reviews and updates
- Risk assessments and mitigation planning
- Third-party security assessments
10. Audit and Monitoring
Continuous monitoring and regular audits ensure ongoing compliance and identify potential security issues.
Audit Controls
- Comprehensive audit logging of all PHI access
- Regular review of audit logs
- Automated monitoring and alerting
- Retention of audit logs per HIPAA requirements
Security Assessments
- Regular penetration testing
- Vulnerability assessments
- Third-party security audits
- Compliance gap analysis
11. Compliance Contact Information
For questions about our HIPAA compliance program, Business Associate Agreements, or to report a security incident, please contact our compliance team:
Compliance Officer
Record System, Inc.
817 S Main St
Las Vegas, NV 89101
United States
Phone: +1-866-706-7273
Security Incident Reporting
If you suspect a security incident involving PHI, please report it immediately to our compliance team using the contact information above or through our support form.
Important Notice
This document is provided for informational purposes and does not constitute legal advice. Covered Entities and Business Associates should consult with their legal counsel regarding specific HIPAA compliance requirements. Quilia reserves the right to update this documentation as needed to reflect changes in our compliance program or applicable regulations.
For the most current version of this document, please refer to our website or contact our compliance team directly.