HIPAA Compliance

The ITWC IRB System is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA). We implement comprehensive administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Role-based access controls with least-privilege principles
• Multi-factor authentication for all users
• Automated session management and timeout controls
• Comprehensive audit logging of all PHI access
• Digital signatures compliant with FDA 21 CFR Part 11

• Designated HIPAA Privacy and Security Officers
• Regular workforce training on HIPAA requirements
• Business Associate Agreements (BAAs) with all subcontractors
• Documented policies and procedures for PHI handling
• Regular risk assessments and vulnerability management
• Incident response and breach notification procedures

• SOC 2 Type II certified cloud infrastructure (Azure)
• Geographically redundant data storage
• Automated backup and disaster recovery
• Physical access controls at all data center facilities

In the event of a breach involving PHI, we will notify affected individuals and the Department of Health and Human Services (HHS) in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).