
HIPAA Compliance

CaseHug is designed from the ground up to meet HIPAA requirements for law firms that handle protected health information (PHI) during client intake.

Business Associate Agreement (BAA)

Law firms that qualify as covered entities or business associates under HIPAA can request a signed Business Associate Agreement (BAA) with CalmIntake, Inc. BAAs are available on the Firm plan and above.

To request a BAA, contact hipaa@calmintake.com. We typically respond within one business day.

Technical Safeguards

  • Encryption at Rest: all documents and PHI encrypted using AES-256
  • Encryption in Transit: TLS 1.2+ for all data transmission
  • Audit Controls: complete access logs with IP, timestamp, and user identity
  • Access Controls: role-based access with principle of least privilege
  • Automatic Logoff: sessions expire after a configurable inactivity period
  • Data Deletion: automatic PHI deletion per your retention policy

Administrative Safeguards

  • Regular internal HIPAA training for all CalmIntake employees with system access
  • Documented incident response procedures with breach notification timelines
  • Workforce access limited to minimum necessary for job function
  • Annual security risk assessments

Physical Safeguards

All data is stored on AWS infrastructure (us-east-1), which maintains its own comprehensive physical security controls, SOC 2 Type II certification, and ISO 27001 compliance. No PHI is stored on portable or removable media outside of AWS.

Client Portal Security

The client-facing intake portal is designed to minimize PHI exposure:

  • Unique, single-use token-based URLs (no shared passwords)
  • Links expire automatically after completion or a configured time limit
  • No cookies or tracking on client-facing portals
  • Documents are uploaded directly to encrypted storage — never cached on client devices

Need a BAA or have compliance questions?

Our compliance team responds within one business day.
