Compliance

Global Healthcare Compliance

Elizio is built from the ground up to meet and exceed the privacy and security requirements of every jurisdiction we operate in — from HIPAA in the US to PIPEDA and Loi 25 in Canada to GDPR and HDS in Europe.

Administrative Safeguards

Policies, procedures, and workforce training ensuring proper handling of protected health information across all jurisdictions.

Physical Safeguards

Regional data centers with biometric access, 24/7 surveillance, and environmental controls meeting local requirements.

Technical Safeguards

AES-256 encryption, role-based access controls, and comprehensive audit logging exceeding all regulatory standards.

Organizational Requirements

Business Associate Agreements, Data Processing Agreements, incident response plans, and regular compliance reviews.


Our Compliance Approach

Rather than treating compliance as a checkbox exercise, we designed Elizio to meet the strictest requirements across all jurisdictions simultaneously. When regulations overlap, we default to the highest standard. This means every user benefits from the strongest protections regardless of where they are located.

  • Unified compliance framework that satisfies HIPAA, PIPEDA, Loi 25, GDPR, and HDS simultaneously
  • Regional data residency ensuring data stays within jurisdictional boundaries
  • Regular independent audits and risk assessments conducted by accredited third parties
  • Dedicated compliance team monitoring regulatory changes and updating policies proactively

HIPAA — United States

The Health Insurance Portability and Accountability Act establishes national standards for protecting sensitive patient health information in the United States. Elizio operates as a Business Associate and implements all required administrative, physical, and technical safeguards.

  • Full compliance with the Privacy Rule governing use and disclosure of protected health information (PHI)
  • Implementation of all Security Rule requirements for electronic PHI including encryption, access controls, and audit logging
  • Adherence to the Breach Notification Rule, with documented incident response procedures and notification to the covered entity without unreasonable delay and no later than 60 days after a breach is discovered
  • Business Associate Agreements executed with all covered entities and subcontractors handling PHI

PIPEDA — Canada (Federal)

The Personal Information Protection and Electronic Documents Act governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. Elizio complies with all ten fair information principles.

  • Accountability: a designated privacy officer is responsible for compliance and handles all privacy inquiries
  • Identifying purposes: the purposes for collecting personal information are identified before or at the time of collection
  • Consent: meaningful consent is obtained before collecting, using, or disclosing personal health information
  • Limiting collection: only the minimum information necessary for identified purposes is collected
  • Limiting use, disclosure, and retention: personal information is used only for the purposes for which it was collected, and retained only as long as necessary
  • Accuracy: personal information is kept as accurate, complete, and up-to-date as necessary for its intended purposes
  • Safeguards: personal information is protected by security measures appropriate to the sensitivity of the data
  • Openness: our privacy policies and practices are readily available and written in plain language
  • Individual access: patients and practitioners can request access to their personal information and challenge its accuracy
  • Challenging compliance: individuals can challenge our compliance by contacting our privacy officer, with complaints investigated and addressed promptly

Loi 25 — Quebec

Quebec's Law 25 (Act to modernize legislative provisions as regards the protection of personal information) introduced strengthened privacy obligations that go beyond federal PIPEDA requirements. Elizio fully complies with all of its provisions, which came into force in three phases between September 2022 and September 2024.

  • Privacy impact assessments conducted for all systems involving personal information of Quebec residents
  • Designated person responsible for the protection of personal information with published contact details
  • Privacy by default: only the minimum necessary personal information is collected, with the strictest privacy settings applied automatically
  • Mandatory breach notification to the Commission d'accès à l'information (CAI) and affected individuals for confidentiality incidents presenting a risk of serious injury

GDPR — European Union

The General Data Protection Regulation is among the most stringent data privacy frameworks in the world. Elizio implements all GDPR requirements for any processing of personal data of individuals in the EU, regardless of where the processing takes place.

  • Lawful basis established for all processing activities, with explicit consent for health data under Article 9
  • Data Protection Impact Assessments for high-risk processing of health information
  • Full data subject rights: access, rectification, erasure, portability, restriction, and objection
  • Data Processing Agreements with all sub-processors, with EU data stored exclusively in EU data centers

HDS — France

Hébergeurs de Données de Santé certification is required of any organization that hosts, on behalf of a third party, personal health data collected in the course of prevention, diagnosis, care or social and medico-social follow-up in France. Elizio's infrastructure meets HDS requirements through certified hosting partners and rigorous security controls.

  • Health data of French residents hosted on HDS-certified infrastructure within France
  • ISO 27001-aligned information security management system as required by HDS
  • Strict physical and logical separation of health data from other tenant data
  • Regular security audits and certification renewals maintaining continuous HDS compliance

Security Safeguards

We implement a defense-in-depth strategy with multiple layers of security controls spanning administrative, physical, and technical domains. Each layer is designed to function independently so that a failure in one layer does not compromise the others.

  • Administrative: workforce training, access management policies, sanction procedures, and contingency planning
  • Physical: data centers covered by SOC 2 Type II attestation, with restricted access, redundant power, and fire suppression
  • Technical: AES-256 encryption, access controls, audit logging, integrity verification, and TLS 1.3 transmission security
  • Operational: change management, vulnerability scanning, penetration testing, and 24/7 security monitoring

Access Controls

We implement the principle of minimum necessary access through a multi-layered authorization system. Users can only access the specific data required for their role and authorized purpose — a requirement common to every regulation we comply with.

  • Role-based access control with granular permissions managed through AWS Verified Permissions and Cedar policies
  • Multi-factor authentication required for all practitioner and administrative accounts
  • Patient consent-based sharing controls determining which practitioners can view specific records
  • Automatic session timeouts, row-level database security, and comprehensive access logging

Audit & Monitoring

Comprehensive audit logging tracks every access, modification, and system event involving personal and health information. Logs are immutable and retained in compliance with the most stringent jurisdictional requirements.

  • Every access event is logged with timestamp, user identity, action performed, and data accessed
  • Real-time anomaly detection alerts for unusual access patterns or potential security incidents
  • Immutable audit logs stored in append-only storage with cryptographic integrity verification
  • Automated compliance reports for practice administrators, auditors, and regulatory bodies
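The consent-based sharing check described under Access Controls and the hash-chained audit log described in this section, as an added example (Python, not Elizio's code): the consent table, roles and record identifiers are constructed for the illustration, and SHA-256 chaining over canonical JSON stands in for whatever integrity mechanism the platform's append-only storage actually uses. Every authorization decision, allow or deny, is appended to the log, and `verify()` locates the first entry whose contents or link to its predecessor no longer match.

```python
"""Consent-gated record access paired with a hash-chained audit log.

Added illustration, not Elizio's code. The data below is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # chain anchor committed to by the first entry

# Constructed sample data: which practitioners each patient has consented
# to share a record with, and each user's role.
CONSENTS = {
    "rec-001": {"patient": "p-42", "practitioners": {"dr-lee"}},
}
ROLES = {"dr-lee": "practitioner", "dr-chen": "practitioner",
         "p-42": "patient", "ops-1": "support"}


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding so the hash is reproducible."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only list of entries; each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, outcome, now=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        ts = (now or datetime.now(timezone.utc)).isoformat()
        body = {"ts": ts, "user": user, "action": action,
                "record": record_id, "outcome": outcome, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def authorize(user, record_id, log):
    """Minimum-necessary check: a record is readable only by its patient or by
    a practitioner the patient has explicitly consented to. Every decision,
    allow or deny, is written to the audit log with who, what and which record."""
    consent = CONSENTS.get(record_id)
    role = ROLES.get(user)
    allowed = consent is not None and (
        user == consent["patient"]
        or (role == "practitioner" and user in consent["practitioners"])
    )
    log.append(user, "read", record_id, "allow" if allowed else "deny")
    return allowed


def demo():
    """Three access attempts, then an after-the-fact edit of a stored entry."""
    log = AuditLog()
    decisions = [authorize(u, "rec-001", log)
                 for u in ("dr-lee", "dr-chen", "p-42")]
    intact_before = log.verify()
    log.entries[1]["outcome"] = "allow"  # simulate tampering with the denial
    return decisions, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

Rewriting a stored entry breaks its own digest; recomputing that digest to hide the edit instead breaks the `prev` link of the entry after it, so a verifier reading the chain from the anchor catches either case. In practice the chain head would be periodically anchored outside the log store (a signed checkpoint or a WORM bucket) so that truncating the tail is also detectable.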

Breach Notification

In the unlikely event of a data breach, we follow documented incident response procedures that satisfy the notification requirements of all applicable jurisdictions simultaneously.

  • HIPAA: as a Business Associate, we notify the covered entity without unreasonable delay and no later than 60 days after discovery, so that it can notify affected individuals and HHS (within 60 days for breaches affecting 500 or more individuals; in an annual log for smaller breaches)
  • PIPEDA: breaches of security safeguards that create a real risk of significant harm reported to the Office of the Privacy Commissioner and affected individuals as soon as feasible, with a record of every breach kept for 24 months
  • Loi 25: confidentiality incidents presenting a risk of serious injury reported to the CAI and affected individuals, with a register of all incidents maintained
  • GDPR: the controller notified without undue delay so that it can notify the supervisory authority within 72 hours of becoming aware of the breach; affected individuals notified without undue delay when the risk to them is high

Data Processing Agreements

We execute appropriate legal agreements with all entities whose data we process, tailored to the regulatory requirements of each jurisdiction.

  • HIPAA Business Associate Agreements for all US covered entities and their subcontractors
  • GDPR Data Processing Agreements with Standard Contractual Clauses where applicable
  • All sub-processors and cloud infrastructure providers operate under executed agreements
  • Agreements include provisions for breach notification, data return, deletion, and termination procedures

Workforce Training

All Elizio team members receive comprehensive privacy and security training upon hire and annually thereafter, covering the regulatory requirements of every jurisdiction we serve.

  • Mandatory privacy and security training covering HIPAA, PIPEDA, Loi 25, GDPR, and HDS requirements
  • Role-specific training for engineering, support, and operations teams who may access personal data
  • Regular phishing simulations and social engineering awareness exercises
  • Documented training records and competency assessments maintained for compliance audits

Compliance & Certifications

HIPAA
PIPEDA
Loi 25
GDPR
HDS
SOC 2 Type II
ISO 27001

Need a Compliance Review?

Request our detailed compliance documentation, security whitepaper, or schedule a call with our compliance team.

Contact Compliance Team