CT Agency Suite compliance

HIPAA-aligned agency software, built in — not bolted on.

Encryption in transit and at rest. Role-based access control with multi-factor authentication. Multi-tenant data isolation at the database layer. Full audit trail on every sensitive action. Document retention with attribution. The HIPAA-aligned controls are part of the platform, not a separate layer agencies have to bolt on.

  • Encrypted: in transit and at rest
  • MFA: required by default for sensitive roles
  • Audit trail: every PHI action logged
What HIPAA requires of software
The technical safeguards in the Security Rule

HIPAA's Security Rule (45 CFR §164.312) specifies five technical safeguard standards for systems handling electronic PHI. Each standard carries implementation specifications that are either "required" or "addressable"; encryption, for example, is addressable, meaning a covered entity must either implement it or document why an equivalent alternative is reasonable. The suite implements all five standards:

  • Access control with unique user identification
  • Audit controls recording PHI access
  • Integrity controls for PHI data
  • Transmission security (encryption)
  • Authentication of users and entities
  • Encryption: TLS 1.2+ in transit; AES at rest
  • MFA: required for sensitive roles
  • Audit trail: every PHI access logged
  • BAA available: for early-access partners
Why this matters

HIPAA compliance isn't a feature you turn on — it's a property of how the platform is built.

Many vendors marketing 'HIPAA compliance' deliver it as a checklist on a sales sheet: encryption, audit logs, access controls. The reality of HIPAA in production is harder. The Security Rule's technical safeguards are interlocking requirements about how data flows through a system, who can see what, what happens when something changes, and how violations would be detected. Bolting compliance onto a system that wasn't designed for it leaves gaps that surface in an audit or a breach.

CT Agency Suite was built with HIPAA's technical safeguards as foundational requirements, not as feature additions. Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES), with keys held in hardware-backed key management. Access control is role-based, with multi-factor authentication required by default for sensitive roles. Multi-tenant data isolation happens at the database layer: each agency's data is partitioned at storage, not just filtered at query time. The audit trail captures every access to PHI with user attribution, a timestamp, and the specific record touched.

Document retention rules apply automatically to uploads based on category. Deletions are logged and require attribution — nothing disappears silently. Sessions time out per HIPAA-aligned defaults. Password policies enforce complexity and rotation. The technical safeguards aren't an external compliance program checking the platform — they're the platform itself.

What HIPAA-aligned by design means
  • Encryption — TLS in transit, AES at rest, hardware-backed key management
  • Access control — role-based with MFA required by default for sensitive roles
  • Audit trail — every PHI access logged with attribution
  • Multi-tenant isolation — database-layer partitioning per agency
  • Retention & deletion — rules applied automatically, deletions audited
HIPAA-aligned controls in the suite

What the platform's compliance posture actually delivers.

Encryption in transit and at rest

All data transmission uses TLS 1.2 or higher. Data at rest is encrypted with AES. Encryption keys are held in hardware-backed key management. PHI is never transmitted or stored in plaintext.

Role-based access control with MFA

Roles are configured per agency: SC, supervisor, QA, billing, clinical lead, admin. Each role's view of PHI is scoped to what that role needs. Multi-factor authentication is required by default for sensitive roles. A lost laptop or a leaked password does not by itself grant access: re-authentication still requires the second factor.

Multi-tenant data isolation

Per-agency data isolation is enforced at the database layer, not only by query-time filtering in the application. There is no query path by which one agency's records can surface in another agency's results, even if application code omits a tenant filter. Tenant isolation is verifiable from the architecture, not merely trusted from configuration.

Audit trail on every PHI action

Every access, view, edit, upload, and delete is logged with user attribution, a timestamp, and the specific record touched. The audit trail itself is protected from modification, so tampering would be detectable. Auditors and breach investigators work from complete data rather than reconstruction.
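One concrete way to make an audit trail tamper-evident, as an added example that is not CT Agency Suite code: chain each entry to its predecessor with a hash, so rewriting or deleting any earlier entry breaks every hash after it. The field names (tenant_id, actor, action, record_id), the sample events and the 90-day record lookup are constructed for illustration; the page does not say how the suite implements this property.

```python
"""Tamper-evident audit trail: a SHA-256 hash chain over PHI access events.

Added example, not the suite's own code. Field names and sample events are
constructed; the chain design is one common way to satisfy the audit-controls
and integrity safeguards.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # hash of "nothing"; the first entry links to this


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the
    # same way; prepending prev_hash binds this entry to everything before it.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the whole history before it."""

    def __init__(self):
        self.entries = []

    def append(self, tenant_id, actor, action, record_id, at):
        event = {
            "tenant_id": tenant_id,
            "actor": actor,          # who: unique user identification
            "action": action,        # what: view / edit / upload / delete
            "record_id": record_id,  # which record was touched
            "at": at.isoformat(),    # when (UTC)
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def history(self, record_id, since):
        """Every logged action on one record since a date: the investigator's query."""
        return [e["event"] for e in self.entries
                if e["event"]["record_id"] == record_id
                and datetime.fromisoformat(e["event"]["at"]) >= since]


def build_sample_log():
    # Constructed sample events, not real data.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    log = AuditLog()
    log.append("agency-a", "sc.jones", "view", "consumer/1042", now - timedelta(days=120))
    log.append("agency-a", "qa.smith", "view", "consumer/1042", now - timedelta(days=30))
    log.append("agency-a", "sc.jones", "edit", "consumer/1042", now - timedelta(days=10))
    log.append("agency-a", "billing.lee", "view", "consumer/2207", now - timedelta(days=5))
    return log, now


def investigate(record_id, days=90):
    """Actors who touched a record in the last `days` days, oldest first."""
    log, now = build_sample_log()
    return [e["actor"] for e in log.history(record_id, now - timedelta(days=days))]


def demo_tamper_detection():
    """Silently rewrite one entry's actor and show the chain breaks at that index."""
    log, _ = build_sample_log()
    assert log.verify() == (True, None)
    log.entries[1]["event"]["actor"] = "someone.else"  # out-of-band edit to stored data
    return log.verify()


if __name__ == "__main__":
    log, now = build_sample_log()
    print("chain intact:", log.verify())
    print("consumer/1042, last 90 days:", investigate("consumer/1042"))
    print("after tampering:", demo_tamper_detection())
```

A chain on its own only proves internal consistency: whoever can rewrite one entry can recompute every later hash. In production the head hash is anchored somewhere the application cannot write (periodically signed with a key in the hardware-backed key store, or copied to a separate write-once log), and the log table itself is denied UPDATE and DELETE.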

Document retention with attribution

Document retention rules apply automatically based on category — signed plans retained per state requirements, training records per training-hour rules, identity records per HIPAA defaults. Deletions require attribution and create audit entries. Nothing disappears silently.

Session and authentication policy

Sessions time out per HIPAA-aligned defaults (configurable per agency for tighter requirements). Password policies enforce minimum length, complexity, and rotation; note that NIST SP 800-63B now advises against forced periodic rotation absent evidence of compromise, so agencies following that guidance should set the rotation interval to match their own policy. Failed authentication attempts are rate-limited, and accounts lock after suspicious patterns of failures.

What it looks like in practice

A few ways teams use this.

Compliance officer onboarding the platform

A compliance officer reviewing the suite for HIPAA alignment requests the platform's technical safeguards documentation. They receive a clear breakdown of encryption, access control, audit logging, multi-tenant isolation, and incident response, mapped to the Security Rule's specific requirements. The review takes hours, not weeks of vendor back-and-forth.

Audit response after a privacy concern

An employee report flags potential inappropriate access to a consumer record. Compliance pulls the audit trail for that record — every access in the past 90 days with user attribution and timestamps. The investigation has data, not memory. Resolution is fast and defensible.

Breach assessment exercise

Quarterly breach assessment exercise: simulate a breach scenario and trace the technical controls that would detect it. Audit trail shows access patterns. Multi-tenant isolation demonstrates data couldn't have leaked across agencies. Encryption rules out at-rest plaintext exposure. The exercise produces evidence for compliance reporting.

Frequently asked

Common HIPAA compliance questions.

Does CozziTech sign Business Associate Agreements (BAAs)?

Yes. Business Associate Agreements are available for healthcare-serving agencies. Early-access partners get a BAA as part of onboarding. The BAA covers the specific HIPAA-aligned controls the platform provides and the parties' respective responsibilities under the Security Rule.

Has the platform been audited against SOC 2 or HITRUST?

SOC 2 Type II is on the roadmap. HITRUST is being evaluated based on customer demand. The platform's technical posture is designed to meet these frameworks; formal certification follows once the framework value justifies the audit cost. Customers requiring specific certifications should discuss requirements as part of early-access onboarding.

How does multi-tenant data isolation actually work?

Per-agency data partitioning happens at the database layer, not just at the application's query-filtering layer. Each agency's data is logically (and where applicable, physically) isolated such that there is no query path that could surface another agency's records, regardless of application bugs. Isolation is verifiable through the platform's architecture, not just trusted from configuration.
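The difference between query-time filtering and database-layer partitioning, as an added example that is not the suite's own code: both designs below are fed the same application bug, a query that forgot its tenant predicate. The schema, tenant names and rows are constructed; the per-tenant in-memory SQLite databases stand in for whatever physical or logical partition (a separate database or schema per tenant, or row-level security bound to the session) a production system would use, which the page does not specify.

```python
"""Tenant isolation: query-time filtering vs database-layer partitioning.

Added example, not CT Agency Suite code. Schema, tenants and rows are
constructed. Each SQLite in-memory database stands in for a per-tenant
partition; the point is what the same buggy query can see under each design.
"""
import sqlite3

# Constructed seed data: two agencies, three consumer records.
SEED = {
    "agency-a": [("consumer/1042", "Alice A.")],
    "agency-b": [("consumer/2207", "Bob B."), ("consumer/2208", "Bea B.")],
}


def shared_table_store():
    """Design 1: one table for every tenant; isolation depends on WHERE tenant_id = ?."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE consumers ("
               "tenant_id TEXT NOT NULL, record_id TEXT PRIMARY KEY, name TEXT)")
    for tenant, rows in SEED.items():
        db.executemany("INSERT INTO consumers VALUES (?, ?, ?)",
                       [(tenant, rec, name) for rec, name in rows])
    return db


def partitioned_store():
    """Design 2: one database per tenant; a connection can only see its own partition."""
    dbs = {}
    for tenant, rows in SEED.items():
        db = sqlite3.connect(":memory:")  # stands in for a per-tenant database/schema
        db.execute("CREATE TABLE consumers (record_id TEXT PRIMARY KEY, name TEXT)")
        db.executemany("INSERT INTO consumers VALUES (?, ?)", rows)
        dbs[tenant] = db
    return dbs


def list_consumers_correct(db, tenant_id):
    """The query as the developer meant to write it."""
    rows = db.execute("SELECT record_id FROM consumers WHERE tenant_id = ?", (tenant_id,))
    return sorted(rec for (rec,) in rows)


def list_consumers_buggy(db):
    """The bug: the tenant predicate was dropped (refactor, ORM default, copy-paste)."""
    return sorted(rec for (rec,) in db.execute("SELECT record_id FROM consumers"))


def leak_under_shared_table():
    """Agency A's request hits the shared table with the buggy query."""
    return list_consumers_buggy(shared_table_store())


def leak_under_partitioning():
    """Same buggy query, but the connection was bound to agency A's partition at login."""
    conn = partitioned_store()["agency-a"]
    return list_consumers_buggy(conn)


if __name__ == "__main__":
    print("correct query, shared table:", list_consumers_correct(shared_table_store(), "agency-a"))
    print("buggy query, shared table:  ", leak_under_shared_table())
    print("buggy query, partitioned:   ", leak_under_partitioning())
```

Under the shared table the missing predicate exposes agency B's records to agency A; under partitioning the same bug returns only agency A's rows, because the storage layer never held anything else on that connection. That is the property the page calls "verifiable through the architecture": it can be checked by inspecting how connections are bound to tenants, without auditing every query for a filter.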

What's CozziTech's incident response process?

Standard incident response playbook with notification timelines aligned to the HIPAA Breach Notification Rule. Customers are notified of any incident affecting their data within the required windows (for a business associate, 45 CFR §164.410 requires notifying the covered entity without unreasonable delay and no later than 60 calendar days after discovery). Post-incident reports document scope, root cause, and remediation. Detailed incident response procedures are available to early-access partners as part of onboarding.

Can we configure stricter authentication requirements than the defaults?

Yes. Defaults align with HIPAA Security Rule expectations. Agencies with stricter internal requirements (shorter session timeouts, mandatory MFA for all roles, IP allowlisting, etc.) can configure those at the agency level. Configuration is per-tenant; one agency's stricter posture doesn't affect another's.

How does HIPAA compliance interact with state-specific privacy laws?

The platform's HIPAA-aligned posture covers federal Security Rule requirements. State-specific privacy laws (CCPA, NY SHIELD, state-specific HCBS rules, etc.) are addressed via per-tenant configuration. Early-access onboarding includes a review of your specific state-law landscape and platform configuration to address it.

HIPAA-aligned by design, not by sales sheet.

Apply for the CT Agency Suite early-access program. We'll review your specific compliance requirements and the platform's posture against them.