Health Insurance Portability and Accountability Act of 1996
Shteg.ai is fully compliant with all three HIPAA Rules (the Privacy Rule, the Security Rule, and the Breach Notification Rule). This document provides a comprehensive overview of our administrative, physical, and technical safeguards, our Privacy Rule implementation, and our Breach Notification procedures.
The HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) establishes national standards for the protection of individually identifiable health information, known as protected health information (PHI). Shteg.ai implements the following safeguards:
Every patient receives a clear, plain-language Notice of Privacy Practices (NPP) upon registration explaining how their PHI may be used and disclosed and what their rights are under HIPAA. An electronic NPP is available via the Patient Portal with digital acknowledgment tracking.
All system access is scoped to the minimum data necessary to perform a given function. Clinical staff see only their patients. Billing personnel see only financial fields. Administrators have tiered access per their role assignment.
Patients may request access to their records, amendments, restriction of uses, accounting of disclosures, and confidential communications through the portal or in writing. Responses are processed within 30 days per §164.524.
Research and analytics data is de-identified using both the Expert Determination method (§164.514(b)(1)) and the Safe Harbor method (removal of all 18 HIPAA identifiers). The Auditor Portal uses a PII-masked data layer.
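As an added illustration of the Safe Harbor method described above (example code, not Shteg.ai's own implementation), the Python below de-identifies a constructed patient record on a deny-by-default basis and handles the two edge cases the method requires: ages over 89 collapse into a single "90 or older" category, and 3-digit ZIP prefixes covering 20,000 or fewer people become "000". The RESTRICTED_ZIP3 set is an assumed placeholder, not census data.

```python
from datetime import date

# Deny-by-default: only fields named in KEEP survive. Everything else
# (names, MRNs, phone numbers, emails, IP addresses, ...) is dropped,
# so a newly added identifier field cannot leak by omission.
KEEP = {"diagnosis_codes", "lab_results", "sex"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Assumption: 3-digit ZIP prefixes whose population is 20,000 or fewer.
# Constructed placeholder set; populate from current census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Constructed sample record containing several Safe Harbor identifiers.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-000123", "email": "jane@example.invalid",
    "birth_date": date(1931, 5, 2), "admission_date": date(2024, 3, 10),
    "zip": "10234", "sex": "F", "diagnosis_codes": ["E11.9"],
}


def generalize_zip(zip_code: str) -> str:
    # Keep the first three digits unless that area is too small to be safe.
    prefix = zip_code[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(birth: date, today: date) -> str:
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict, today: date) -> dict:
    out = {k: v for k, v in record.items() if k in KEEP}
    if "birth_date" in record:
        out["age"] = generalize_age(record["birth_date"], today)
    over_89 = out.get("age") == "90+"
    for field in DATE_FIELDS:
        if field in record:
            # Only the year of a date may be retained; for a patient over 89
            # even the birth year would reveal age, so it is suppressed.
            year = record[field].year
            out[field.replace("_date", "_year")] = None if (field == "birth_date" and over_89) else year
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2024, 6, 1)))
```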
Shteg.ai tracks granular patient authorizations for specific use/disclosure beyond treatment, payment, and healthcare operations. Revocations are processed immediately with retroactive data access termination.
Administrative safeguards (§164.308) are the policies and procedures designed to clearly show how the entity will comply with HIPAA.
Physical safeguards (§164.310) are the physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Technical safeguards (§164.312) are the technology and the policy and procedures for its use that protect ePHI and control access to it.
In accordance with the Breach Notification Rule (§164.400–414) and the HITECH Act, Shteg.ai maintains a documented incident response plan with the following procedure:
Automated threat detection triggers incident response. Security team isolates affected systems, preserves forensic evidence, and activates the Incident Commander.
A four-factor risk assessment is performed per §164.402: (1) the nature and extent of the PHI involved, (2) the unauthorized person involved, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
Draft notifications for affected individuals, HHS, and media (if ≥500 records). Legal review of notification content and methods.
Written notification by first-class mail (or email if authorized) to each affected individual describing what happened, type of PHI, recommended protective steps, and remediation actions.
Electronic submission to HHS Secretary via breach portal. Breaches affecting <500 individuals reported by year-end via annual log.
Prominent media outlets in affected state/jurisdiction notified for breaches affecting ≥500 residents of that state.
Root-cause analysis, policy/procedure updates, additional training, and improvements to prevent recurrence. Board-level briefing for material incidents.
Shteg.ai designates a HIPAA Security Officer and Privacy Officer responsible for the development, implementation, and maintenance of all policies and procedures required by the HIPAA Security Rule and Privacy Rule.
Security Inquiries: security@shteg.ai
Privacy Inquiries: privacy@shteg.ai
BAA Requests: legal@shteg.ai
Breach Reporting: incident@shteg.ai