HIPAA readiness
HIPAA readiness package for covered-entity and business-associate review. PHI requires a signed BAA.
Do not send PHI/ePHI until a BAA is executed, route restrictions are approved, content export is disabled or separately approved, and PHI subprocessors are accepted in writing.
This page is readiness documentation for covered-entity and business-associate review. It is not an executed BAA and it is not an HHS determination.
What is ready and what is still blocked.
TrustedRouter can prepare the contractual and operational path for PHI, but production PHI requires explicit customer-specific approval.
| Field | Value |
|---|---|
| Operating entity | Lore Hex Corp, Delaware C Corporation. |
| Status | readiness_package_available_requires_executed_baa |
| BAA | draft_available_requires_signature |
| Authorized signatory | Joseph Perla, CEO. |
| PHI production approved | False |
| HIPAA certification | not_obtained |
| Default PHI route policy | PHI can use only customer-approved routes. The default candidate is trustedrouter/zdr; trustedrouter/e2e or named provider allowlists may be approved per customer. Unrestricted trustedrouter/auto is not approved for PHI. |
Readiness control map.
| Category | Controls |
|---|---|
| Administrative | Risk analysis and risk management process; Assigned security and privacy responsibility; Workforce access and training controls; Incident and breach response process; BAA and subprocessor approval process |
| Physical | Cloud data center physical controls inherited from cloud providers; Device and media controls for operator workstations; No production prompt content stored on operator devices |
| Technical | Attested gateway boundary; Encrypted transport; Encrypted metadata and BYOK storage; API key hashing and scoped access; Metadata-only logging by default; Route allowlists for PHI workloads |
HIPAA documents prepared for review.
| Document | Status | Repo path |
|---|---|---|
| HIPAA readiness overview | prepared_for_customer_review | docs/compliance/hipaa/README.md |
| HIPAA readiness matrix | prepared_for_safeguard_mapping | docs/compliance/hipaa/hipaa-readiness-matrix.md |
| PHI handling policy | prepared_for_approval_and_operation | docs/compliance/hipaa/policies/phi-handling.md |
| BAA operations policy | prepared_for_contract_operations | docs/compliance/hipaa/policies/baa-operations.md |
| HIPAA incident and breach response policy | prepared_for_approval_and_operation | docs/compliance/hipaa/policies/hipaa-incident-breach-response.md |
| HIPAA risk analysis template | prepared_for_customer_specific_review | docs/compliance/hipaa/templates/hipaa-risk-analysis.md |
| PHI route approval template | prepared_for_customer_specific_review | docs/compliance/hipaa/templates/phi-route-approval.md |
| BAA execution checklist | prepared_for_customer_specific_review | docs/compliance/hipaa/templates/baa-execution-checklist.md |
Customer-specific checklist.
Executed BAA
BAA signed by Joseph Perla, CEO, as Lore Hex Corp officer
Customer role and covered-service scope confirmed
PHI route policy approved
Approved downstream model-provider subprocessor list
Content export disabled unless separately approved
Customer counsel signoff
Treat this as HIPAA readiness documentation only. Do not send PHI until the BAA is signed and the PHI route approval is complete.
References: HHS HIPAA Security Rule, HHS sample business associate agreement provisions.