Healthcare organizations using AI SEO Agents for content creation and SEO optimization need assurance that their data is handled in compliance with HIPAA (Health Insurance Portability and Accountability Act) regulations. This page outlines our HIPAA compliance posture and the controls available on Enterprise plans.
Important: HIPAA compliance features are available exclusively on Enterprise plans. A Business Associate Agreement (BAA) must be executed before processing any Protected Health Information (PHI).

PHI and SEO Content
In most SEO use cases, AI SEO Agents does not process Protected Health Information. Content generation, publishing, and auditing typically involve marketing content — blog posts, service pages, and educational articles — that contain no patient data. However, healthcare organizations may have compliance requirements that extend to all vendor relationships, regardless of data type.
Technical Safeguards
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption on all data stores (DynamoDB, S3, Secrets Manager) using AWS KMS customer-managed keys |
| Encryption in transit | TLS 1.2+ enforced on all API endpoints, WebSocket connections, and internal AWS API calls |
| Access controls | IAM role-based access with least privilege. No shared credentials. MFA required for console access. |
| Audit logging | CloudTrail logs all AWS API calls. CloudWatch logs all application events with correlation IDs. |
| Data isolation | Per-user tenant isolation via user_id partitioning in DynamoDB. No cross-tenant data access. Isolation depends on every query being scoped to the caller's user_id (for example with an IAM dynamodb:LeadingKeys condition); the partition key by itself is a data layout, not an access control. |
| Automatic logout | JWT access tokens expire after 1 hour; refresh tokens expire after 30 days. Because a valid refresh token renews the session silently, the refresh-token lifetime is the effective maximum session length. |
Administrative Safeguards
- Business Associate Agreement (BAA) — Available for Enterprise plan customers. Contact our team to initiate.
- Employee training — All team members with access to production systems complete annual HIPAA awareness training.
- Incident response — Documented incident response plan with 24-hour breach notification commitment.
- Risk assessments — Annual security risk assessments following the NIST Cybersecurity Framework.
- Vendor management — AWS is our infrastructure provider and operates under an AWS BAA. Amazon Bedrock is on AWS's list of HIPAA-eligible services.
Requesting a BAA
Contact Sales
Reach out via our contact page or email with the subject "HIPAA BAA Request".
Enterprise Plan Enrollment
HIPAA compliance requires an Enterprise plan. We'll work with you on pricing based on your usage requirements.
BAA Execution
Our legal team provides the BAA template. Most customers complete the process within 5 business days.
Environment Configuration
We configure your account with HIPAA-specific controls: dedicated KMS keys, enhanced logging, and restricted data retention.
BAA Agreements in Detail
A Business Associate Agreement (BAA) is a legally binding contract between a HIPAA covered entity (your healthcare organization) and a business associate (AI SEO Agents) that establishes the permitted uses and disclosures of Protected Health Information. The BAA defines both parties' responsibilities for safeguarding PHI and outlines the consequences of non-compliance.
- Scope of services: The BAA covers all data processing activities performed by AI SEO Agents on behalf of the covered entity, including content generation, storage in S3, publishing to WordPress, and audit analysis. The BAA explicitly defines which services are in scope and which are excluded.
- Permitted uses: PHI may only be used for the purposes specified in the BAA, which align with the healthcare organization's content strategy and SEO operations. Any use beyond the agreed scope requires written authorization.
- Subcontractor obligations: AI SEO Agents requires equivalent protections from all subcontractors who may access PHI. AWS operates as a subcontractor under its own HIPAA BAA, covering all AWS services used by the platform.
- Breach notification: The BAA includes a commitment to notify the covered entity within 24 hours of confirming a security breach affecting PHI, well inside the 60-calendar-day outer limit that the HIPAA Breach Notification Rule sets for business associates (45 CFR 164.410).
- Termination provisions: Upon termination of the BAA, AI SEO Agents will return or destroy all PHI within 30 days, with certification of destruction provided to the covered entity.
PHI Handling Procedures
While most SEO content does not contain PHI, healthcare organizations may use the platform for content that references specific medical conditions, treatments, or patient demographics. The following procedures ensure that any data that could be considered PHI is handled with appropriate safeguards.
1. Data classification: All content processed through the platform is treated as potentially containing PHI when a BAA is in effect. This means all HIPAA-specific controls are applied regardless of whether individual pieces of content actually contain patient data.
2. Minimum necessary principle: AI agents access only the data required to perform their assigned task. The Content Agent sees the keyword and article content; it does not access user account details, billing information, or other unrelated data.
3. De-identification: If your content strategy involves referencing patient data (e.g., case studies, testimonials), ensure all PHI is de-identified before providing it to the platform. The platform does not perform de-identification as part of the content pipeline.
4. Content review: For HIPAA-covered accounts, we recommend keeping auto-publish disabled (status_on_publish: "draft") so that a human reviewer can verify that published content does not inadvertently disclose PHI before it goes live.
HIPAA Access Controls
HIPAA-enabled accounts receive enhanced access controls beyond the standard platform security features. These controls are designed to meet the HIPAA Security Rule requirements for access management, authentication, and authorization.
| Control | Standard Account | HIPAA-Enabled Account |
|---|---|---|
| Multi-factor authentication | Optional | Required for all users |
| Session timeout | 1 hour JWT, 24 hour refresh | 30 minute JWT, 8 hour refresh |
| IP restrictions | Not available | Configurable IP allowlist |
| Concurrent sessions | Up to 5 devices | Single session enforcement available |
| Password policy | Cognito defaults (8+ chars) | Enhanced: 12+ chars, uppercase, number, symbol, 90-day rotation |
| API key restrictions | Standard rate limits | Additional IP-based restrictions available |
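The session-timeout rows in the two tables above (1-hour access tokens on standard accounts, 30 minutes on HIPAA-enabled accounts) are claims a customer can verify from a real token. The following is an added example, not the platform's code: it decodes a JWT's iat/exp claims and checks the lifetime against the stated policy. The tokens are constructed here and signed with a throwaway HS256 secret only so that they are well-formed; the check reads claims and does not validate the signature. In production, validate the signature against the issuer's JWKS first (Cognito issues RS256 tokens), then apply this lifetime policy.

```python
"""Added example: check a JWT's iat/exp claims against the access-token lifetime
policy stated on this page. Signature is NOT verified here (inspection only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Maximum access-token lifetime in seconds per account type (from the page's tables).
MAX_ACCESS_LIFETIME = {"standard": 3600, "hipaa": 1800}


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: Dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (constructed sample input, not a Cognito token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> Dict:
    """Return the payload claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_lifetime(token: str, account_type: str, now: Optional[int] = None) -> List[str]:
    """Return policy violations for the token (empty list means it passes).

    Checks that iat and exp are integer seconds, exp is after iat, the lifetime
    is within the account type's limit, and the token has not expired at `now`.
    """
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return ["iat/exp missing or not integer seconds"]
    problems = []
    if exp <= iat:
        problems.append("exp is not after iat")
    limit = MAX_ACCESS_LIFETIME[account_type]
    lifetime = exp - iat
    if lifetime > limit:
        problems.append(f"lifetime {lifetime}s exceeds {account_type} limit of {limit}s")
    if exp <= now:
        problems.append("token already expired")
    return problems


SECRET = b"constructed-demo-secret"  # assumed, for the sample tokens only
ISSUED = 1_700_000_000  # fixed issue time so results are deterministic


def demo() -> Dict[str, List[str]]:
    """A 1-hour token passes the standard policy but fails the HIPAA policy;
    a 30-minute token passes, and is rejected once past its exp."""
    hour_token = make_token({"sub": "user-123", "iat": ISSUED, "exp": ISSUED + 3600}, SECRET)
    half_hour_token = make_token({"sub": "user-123", "iat": ISSUED, "exp": ISSUED + 1800}, SECRET)
    now = ISSUED + 60
    return {
        "hour_standard": check_lifetime(hour_token, "standard", now),
        "hour_hipaa": check_lifetime(hour_token, "hipaa", now),
        "half_hipaa": check_lifetime(half_hour_token, "hipaa", now),
        "expired": check_lifetime(half_hour_token, "hipaa", ISSUED + 1801),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not result else result)
```

Run the same check against a token issued to a HIPAA-enabled account: a lifetime above 1800 seconds means the shortened timeout is not actually in effect for that account.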
Audit Trail Requirements
HIPAA requires that covered entities and their business associates maintain audit trails that track access to PHI. AI SEO Agents provides comprehensive audit logging that exceeds HIPAA minimum requirements for HIPAA-enabled accounts.
- Extended log retention: HIPAA-enabled accounts have CloudWatch log retention extended to 6 years (matching the retention period HIPAA requires for Security Rule documentation, 45 CFR 164.316(b)(2)(i)), compared to 30-90 days for standard accounts.
- Immutable audit logs: Audit logs are written to a separate S3 bucket with Object Lock enabled (WORM, Write Once Read Many), preventing modification or deletion of log records for the configured retention period. Note that only compliance mode blocks deletion for every principal, including the account root; governance mode can be bypassed by principals granted s3:BypassGovernanceRetention.
- Access reporting: Monthly access reports can be generated showing all users who accessed the platform, which resources they accessed, and from which IP addresses. These reports support HIPAA audit requirements.
- Log forwarding: HIPAA accounts can forward audit logs to your own SIEM system for centralized security monitoring and long-term retention alongside your other healthcare application logs.
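The retention and immutability claims above can be checked against what AWS reports rather than taken on trust. The following is an added example, not the vendor's code: two checks that take the dictionaries returned by boto3's s3.get_object_lock_configuration() and logs.describe_log_groups() and return findings. The responses and log group names below are constructed samples so the check runs offline; in practice, replace them with live calls made from an auditor role.

```python
"""Added example: evaluate S3 Object Lock and CloudWatch retention configuration
against the audit-trail requirements on this page (WORM, 6-year retention)."""
from typing import Dict, List

SIX_YEARS_DAYS = 2192  # CloudWatch Logs' 6-year retention option is 2192 days


def check_object_lock(resp: Dict) -> List[str]:
    """Findings for an S3 Object Lock configuration intended for WORM audit logs.

    Object Lock only prevents deletion for the retention period, and only
    COMPLIANCE mode prevents it for every principal; GOVERNANCE mode can be
    bypassed with s3:BypassGovernanceRetention.
    """
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: objects are not locked unless the writer sets retention explicitly"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')}, not COMPLIANCE")
    years, days = rule.get("Years"), rule.get("Days")
    long_enough = (years is not None and years >= 6) or (days is not None and days >= SIX_YEARS_DAYS)
    if not long_enough:
        span = f"{years} years" if years is not None else f"{days} days"
        findings.append(f"default retention of {span} is shorter than 6 years")
    return findings


def check_log_retention(resp: Dict, required_prefix: str) -> List[str]:
    """Findings for CloudWatch log groups whose names start with required_prefix.

    A missing retentionInDays means 'never expire', which satisfies the 6-year
    minimum (it is reported as a finding only if shorter than that).
    """
    groups = [g for g in resp.get("logGroups", []) if g["logGroupName"].startswith(required_prefix)]
    if not groups:
        return [f"no log groups under {required_prefix}"]
    findings = []
    for g in groups:
        days = g.get("retentionInDays")
        if days is not None and days < SIX_YEARS_DAYS:
            findings.append(f"{g['logGroupName']}: retention {days} days < {SIX_YEARS_DAYS}")
    return findings


# Constructed sample responses (shape of the boto3 results, not real AWS output).
SAMPLE_LOCK_OK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}}}
SAMPLE_LOCK_GOV = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 400}}}}
SAMPLE_LOGS = {"logGroups": [
    {"logGroupName": "/aiseo/hipaa/app", "retentionInDays": 2192},
    {"logGroupName": "/aiseo/hipaa/agents", "retentionInDays": 90},
    {"logGroupName": "/aiseo/hipaa/audit"},  # no retentionInDays: never expires
    {"logGroupName": "/aiseo/standard/app", "retentionInDays": 30},
]}


def demo() -> Dict[str, List[str]]:
    return {
        "lock_ok": check_object_lock(SAMPLE_LOCK_OK),
        "lock_gov": check_object_lock(SAMPLE_LOCK_GOV),
        "logs": check_log_retention(SAMPLE_LOGS, "/aiseo/hipaa/"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The governance-mode sample is the case to watch for: the bucket reports Object Lock as enabled, yet a sufficiently privileged principal can still delete the records.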
Encryption Requirements for HIPAA
HIPAA-enabled accounts use enhanced encryption controls that provide an additional layer of protection beyond the standard platform encryption described in the Security Overview.
- Dedicated KMS keys: HIPAA accounts receive dedicated AWS KMS customer-managed keys (CMK) that are not shared with other accounts. These keys are used to encrypt all DynamoDB data, S3 objects, and Secrets Manager values.
- Key access logging: Every use of the KMS encryption key is logged via CloudTrail, creating an auditable record of every encryption and decryption operation performed on your data.
- Encryption algorithm: AES-256-GCM is used for all symmetric encryption operations, meeting the NIST recommendation for protecting sensitive data.
- Key rotation: KMS CMKs are configured for automatic annual rotation. Previous key versions are retained to decrypt data encrypted with older key material.
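The key-access logging described above, and the automated breach detection described later on this page, only have value if someone runs rules over the CloudTrail records. The following is an added example, not the vendor's detection logic: a small detection pass over CloudTrail KMS events that flags use of the dedicated HIPAA key by an unexpected principal or from an unexpected network, and bursts of denied requests. The events are constructed here using the real CloudTrail field names (eventSource, eventName, userIdentity.arn, sourceIPAddress, resources[].ARN, errorCode); the key ARN, role names and network range are assumed values for a sample tenant.

```python
"""Added example: detection rules over CloudTrail KMS events for a dedicated
HIPAA customer-managed key. Sample events are constructed, not real logs."""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List

# Assumed values for the sample tenant.
HIPAA_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
EXPECTED_ROLE_PREFIXES = (
    "arn:aws:sts::111122223333:assumed-role/aiseo-content-agent/",
    "arn:aws:sts::111122223333:assumed-role/aiseo-api/",
)
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VPC range
DENIED_BURST_THRESHOLD = 3


def _touches_hipaa_key(ev: Dict) -> bool:
    return ev.get("eventSource") == "kms.amazonaws.com" and any(
        r.get("ARN") == HIPAA_KEY_ARN for r in ev.get("resources", []))


def _source_ok(source: str) -> bool:
    # Calls an AWS service makes on the tenant's behalf carry the service hostname
    # (e.g. dynamodb.amazonaws.com) in sourceIPAddress instead of an IP.
    if source.endswith(".amazonaws.com"):
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return alerts for events that touch the HIPAA key."""
    alerts: List[Dict] = []
    denied: Counter = Counter()
    for ev in events:
        if not _touches_hipaa_key(ev):
            continue
        principal = ev.get("userIdentity", {}).get("arn", "")
        base = {"principal": principal, "event": ev.get("eventName"), "time": ev.get("eventTime")}
        if not principal.startswith(EXPECTED_ROLE_PREFIXES):
            alerts.append({"rule": "unexpected-principal", **base})
        if not _source_ok(ev.get("sourceIPAddress", "")):
            alerts.append({"rule": "unexpected-source", "source": ev.get("sourceIPAddress"), **base})
        if ev.get("errorCode"):
            denied[principal] += 1
    for principal, n in denied.items():
        if n >= DENIED_BURST_THRESHOLD:
            alerts.append({"rule": "denied-burst", "principal": principal, "count": n})
    return alerts


def _ev(name, arn, source, key=HIPAA_KEY_ARN, error=None, t="2024-05-01T12:00:00Z"):
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": t,
          "userIdentity": {"arn": arn}, "sourceIPAddress": source,
          "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample trail, serialised as JSON lines the way a forwarded log would arrive.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    _ev("Decrypt", "arn:aws:sts::111122223333:assumed-role/aiseo-content-agent/task-1", "10.0.3.7"),
    _ev("Decrypt", "arn:aws:sts::111122223333:assumed-role/aiseo-api/req-9", "dynamodb.amazonaws.com"),
    _ev("Decrypt", "arn:aws:iam::111122223333:user/contractor", "203.0.113.9"),
    _ev("Decrypt", "arn:aws:sts::111122223333:assumed-role/aiseo-api/req-10", "10.0.3.8", error="AccessDeniedException"),
    _ev("Decrypt", "arn:aws:sts::111122223333:assumed-role/aiseo-api/req-10", "10.0.3.8", error="AccessDeniedException"),
    _ev("Decrypt", "arn:aws:sts::111122223333:assumed-role/aiseo-api/req-10", "10.0.3.8", error="AccessDeniedException"),
    # Another tenant's key: out of scope for this rule set.
    _ev("Decrypt", "arn:aws:iam::111122223333:user/contractor", "203.0.113.9",
        key="arn:aws:kms:us-east-1:111122223333:key/99999999-0000-0000-0000-000000000000"),
])


def demo() -> List[Dict]:
    return detect(json.loads(line) for line in SAMPLE_TRAIL.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The contractor's Decrypt fires two rules at once (wrong principal, outside the VPC range), while the three AccessDenied responses for the API role surface only as a burst, which is the pattern you would expect after a key-policy change or a role being misused to probe the key.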
Breach Notification Procedures
In the event of a security breach affecting PHI, AI SEO Agents follows a documented breach notification procedure that meets or exceeds HIPAA requirements. The notification timeline and communication process are defined in the BAA.
Breach detection
Automated monitoring detects anomalous access patterns, unauthorized data access, or data exfiltration indicators. The security team is alerted within 5 minutes of detection.
Initial assessment (within 24 hours)
The security team determines whether PHI was involved, the scope of the breach, and the number of individuals potentially affected. The covered entity is notified within 24 hours of confirming a breach.
Detailed investigation (within 30 days)
A thorough investigation identifies the root cause, all affected data, and remediation steps. A detailed report is provided to the covered entity.
Remediation
Technical fixes are implemented to prevent recurrence. Affected credentials are rotated. All remediation actions are documented.
Regulatory notification support
We support the covered entity in preparing the notifications required by the HIPAA Breach Notification Rule: to affected individuals, to HHS, and to the media where more than 500 residents of a state or jurisdiction are affected.
Related Documentation
- Security Overview — Full infrastructure security architecture.
- Data Privacy — Data retention and deletion policies.
- SSO Configuration — Enterprise authentication setup.