Built for healthcare. Built for trust.
Glia handles protected health information, so we treat it that way. This page explains how the platform is designed to keep patient data safe and what we commit to when you bring your practice onto Glia.
HIPAA & the BAA
Glia is built to meet HIPAA requirements for handling PHI. We sign a Business Associate Agreement (BAA) with every customer that handles PHI, and it is not a paid add-on. Your BAA is executed before you go live and covers every location and user on your account.
Need to start a BAA? Email hello@glia.health and we'll send the paperwork.
Encryption of patient data
PHI fields (names, contact information, dates of birth, identifiers, clinical notes, messages, and more) are encrypted at the application layer before they are written to the database, so the database itself only ever holds ciphertext. We use AES-256 in GCM mode, an authenticated cipher that also detects any tampering with the stored ciphertext; AES-256 is the cipher approved by the US government for protecting classified information.
Each organization has its own data-encryption key. That key is itself encrypted (wrapped) by a master key held outside the database, so a database backup on its own cannot decrypt any customer's PHI. Keys are rotated in response to any suspected compromise.
Passwords are never stored in plaintext. They're hashed with bcrypt using a cost factor of 12.
Fields that need to be searchable (email, phone, SSN) are indexed with keyed blind-index tokens, a keyed hash of the normalized value, so we can match an exact lookup without storing the raw value in searchable form, and the token alone cannot be reversed without the key.
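To make the three mechanisms above concrete, here is an added example in Go of how a per-organization data-encryption key wrapped by a master key, field-level AES-256-GCM, and a keyed blind index fit together. This is illustrative code written for this page, not Glia's implementation; the ciphertext layout, the use of organization and field name as GCM associated data, the one-step HMAC derivation of the blind-index key, and the normalization rule are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// randomKey returns 32 random bytes: an AES-256 key.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM with aad bound in, output nonce || ciphertext || tag. A fresh random nonce per call: GCM fails badly if one repeats under a key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key or aad differs or any byte was changed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewOrgDEK generates the organization's data-encryption key (DEK) and returns it with
// its wrapped form. Only the wrapped form is stored; the master key (KEK) never touches the database.
func NewOrgDEK(kek []byte, orgID string) (dek, wrapped []byte, err error) {
	dek = randomKey()
	wrapped, err = seal(kek, dek, []byte("dek:"+orgID))
	return dek, wrapped, err
}

// UnwrapDEK recovers the DEK; without the KEK this cannot succeed, so a stolen backup is useless on its own.
func UnwrapDEK(kek []byte, orgID string, wrapped []byte) ([]byte, error) {
	return open(kek, wrapped, []byte("dek:"+orgID))
}

// fieldAAD ties a ciphertext to its tenant and column, so a value copied into
// another field or organization fails to decrypt.
func fieldAAD(orgID, field string) []byte { return []byte(orgID + "|" + field) }
func EncryptField(dek []byte, orgID, field, value string) ([]byte, error) {
	return seal(dek, []byte(value), fieldAAD(orgID, field))
}
func DecryptField(dek []byte, orgID, field string, sealed []byte) (string, error) {
	pt, err := open(dek, sealed, fieldAAD(orgID, field))
	return string(pt), err
}

// BlindIndex returns a keyed, truncated HMAC-SHA256 of the normalized value. Equal inputs
// give equal tokens, so an exact-match query on the token column finds the row, while the
// token alone reveals nothing without the key. Index key derived from the DEK (assumption).
func BlindIndex(dek []byte, orgID, field, value string) string {
	kdf := hmac.New(sha256.New, dek)
	kdf.Write([]byte("blind-index|" + orgID + "|" + field))
	mac := hmac.New(sha256.New, kdf.Sum(nil))
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value)))) // phone/SSN would also strip punctuation
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

func main() {
	kek := randomKey() // stands in for the master key held outside the database
	dek, wrapped, _ := NewOrgDEK(kek, "org_a")
	ct, _ := EncryptField(dek, "org_a", "email", "jane@example.com")
	fmt.Printf("stored: %d-byte ciphertext, blind index %s\n", len(ct), BlindIndex(dek, "org_a", "email", "Jane@Example.com "))
	_, err := UnwrapDEK(randomKey(), "org_a", wrapped) // backup thief: has the wrapped DEK, not the KEK
	fmt.Println("unwrap with wrong master key:", err)
}
```

Two details carry most of the security value: the nonce must never repeat under the same key, which is why it is drawn fresh from the OS random source on every call, and the associated data means a ciphertext lifted from one row or tenant refuses to decrypt anywhere else.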
Authentication & 2FA
Sign-in is password-based, with short-lived access tokens and rotating refresh tokens held in HttpOnly cookies, which page scripts cannot read. Access tokens are valid for 15 minutes, so a stolen access token has a narrow window of usefulness.
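As an added illustration of the token design described above (example code written for this page, not Glia's code), the Go program below issues an access token that dies after 15 minutes, rotates the refresh token so a redeemed one cannot be replayed, and sets the refresh cookie with the HttpOnly, Secure and SameSite attributes. Opaque random tokens stored as SHA-256 hashes, the 14-day refresh lifetime, and the cookie name and path are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

const (
	accessTTL  int64 = 15 * 60        // seconds: the 15-minute window described above
	refreshTTL int64 = 14 * 24 * 3600 // assumption: a refresh token lives 14 days
)

type entry struct {
	userID  string
	expires int64 // unix seconds
}

// Store holds only SHA-256 hashes of issued tokens, so a copy of the store cannot be replayed.
type Store struct {
	access  map[string]entry
	refresh map[string]entry
}

func NewStore() *Store {
	return &Store{access: map[string]entry{}, refresh: map[string]entry{}}
}

func newToken() string {
	b := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Issue creates a fresh access/refresh pair for userID at time nowUnix.
func (s *Store) Issue(userID string, nowUnix int64) (access, refresh string) {
	access, refresh = newToken(), newToken()
	s.access[hashToken(access)] = entry{userID, nowUnix + accessTTL}
	s.refresh[hashToken(refresh)] = entry{userID, nowUnix + refreshTTL}
	return access, refresh
}

// ValidateAccess returns the user behind a live access token; expired or
// unknown tokens are rejected, which bounds the value of a stolen one.
func (s *Store) ValidateAccess(token string, nowUnix int64) (string, error) {
	e, ok := s.access[hashToken(token)]
	if !ok || nowUnix >= e.expires {
		return "", errors.New("access token invalid or expired")
	}
	return e.userID, nil
}

// Rotate redeems a refresh token: the presented token is deleted so it cannot
// be used twice, and a new access/refresh pair is issued in its place.
func (s *Store) Rotate(oldRefresh string, nowUnix int64) (access, refresh string, err error) {
	h := hashToken(oldRefresh)
	e, ok := s.refresh[h]
	if !ok || nowUnix >= e.expires {
		return "", "", errors.New("refresh token invalid or expired")
	}
	delete(s.refresh, h)
	access, refresh = s.Issue(e.userID, nowUnix)
	return access, refresh, nil
}

// RefreshCookie carries the refresh token: HttpOnly keeps page scripts from reading it,
// Secure restricts it to TLS, SameSite=Strict stops cross-site requests from sending it,
// and Path limits it to the refresh endpoint. Name and path are assumptions.
func RefreshCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name: "refresh_token", Value: token, Path: "/auth/refresh", MaxAge: int(refreshTTL),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	s := NewStore()
	var now int64 = 1_700_000_000 // constructed clock value
	access, refresh := s.Issue("user_1", now)
	_, err := s.ValidateAccess(access, now+accessTTL) // exactly 15 minutes later
	fmt.Println("access token after 15 min:", err)
	_, refresh2, _ := s.Rotate(refresh, now+accessTTL)
	_, _, err = s.Rotate(refresh, now+accessTTL) // replaying the redeemed refresh token
	fmt.Println("old refresh token reused:", err)
	fmt.Println("Set-Cookie:", RefreshCookie(refresh2).String())
}
```

The clock is passed in as a unix timestamp so the expiry boundary can be checked deterministically; in a server you would pass time.Now().Unix().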
TOTP two-factor authentication (any authenticator app, such as 1Password, Authy, or Google Authenticator) is available to every user and can be required at the organization level. If you want every staff member to have 2FA on their account, flip the switch in organization settings; enforcement takes effect immediately for new sign-ins.
Role-based access control
Every account has one or more roles (Provider, Admin, Billing, Support, or Patient), and every sensitive endpoint checks the caller's role before serving data. Key rules:
- Only Providers can write clinical data. Admins cannot edit a chart, not even one in their own organization.
- Staff can be location-scoped. If you run more than one location, you can limit a staff member to the patients at their assigned location, so a clinician at your Brooklyn office doesn't have to see charts from your Manhattan office unless you want them to.
- Patients see only their own record (or their minor dependents', if they've been added as a family account).
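The three rules above are the kind of check that should live in one deny-by-default authorization function rather than be repeated per endpoint. Here is an added example in Go (written for this page, not Glia's code) that encodes them: Providers write, Admins read only, staff are confined to their organization and, when scoped, to their locations, and patients read only their own record or an added dependent's. How location scoping is represented and which staff roles may read charts are assumptions of the example.

```go
package main

import "fmt"

type Role string

const (
	Provider Role = "Provider"
	Admin    Role = "Admin"
	Billing  Role = "Billing"
	Support  Role = "Support"
	Patient  Role = "Patient"
)

type Action string

const (
	ReadChart  Action = "chart:read"
	WriteChart Action = "chart:write"
)

// User is the caller. An empty Locations list means org-wide access; a non-empty
// one limits staff to those locations (how scoping is represented is an assumption
// of this example). PatientID and Dependents are set only on patient accounts.
type User struct {
	ID, OrgID  string
	Roles      []Role
	Locations  []string
	PatientID  string
	Dependents []string
}

type Chart struct {
	PatientID, OrgID, LocationID string
}

func (u User) has(r Role) bool {
	for _, x := range u.Roles {
		if x == r {
			return true
		}
	}
	return false
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Authorize is deny-by-default: it returns true only when a rule below grants the
// action, so an action nobody thought about is refused rather than allowed. Which
// staff roles may read charts (here Provider and Admin) is an assumption.
func Authorize(u User, a Action, c Chart) bool {
	// Patients read their own record, or a dependent added to their family account.
	ownOrDependent := c.PatientID != "" && (c.PatientID == u.PatientID || contains(u.Dependents, c.PatientID))
	if a == ReadChart && u.has(Patient) && ownOrDependent {
		return true
	}
	// Staff never cross an organization boundary.
	if u.OrgID != c.OrgID {
		return false
	}
	// Location scope applies to every staff role.
	if len(u.Locations) > 0 && !contains(u.Locations, c.LocationID) {
		return false
	}
	switch a {
	case WriteChart:
		return u.has(Provider) // Admins, Billing and Support cannot write clinical data
	case ReadChart:
		return u.has(Provider) || u.has(Admin)
	}
	return false
}

func main() {
	brooklyn := Chart{PatientID: "p1", OrgID: "org_a", LocationID: "brooklyn"}
	manhattan := Chart{PatientID: "p2", OrgID: "org_a", LocationID: "manhattan"}
	clinician := User{ID: "u1", OrgID: "org_a", Roles: []Role{Provider}, Locations: []string{"brooklyn"}}
	admin := User{ID: "u2", OrgID: "org_a", Roles: []Role{Admin}}
	fmt.Println("Brooklyn clinician writes Brooklyn chart:", Authorize(clinician, WriteChart, brooklyn))
	fmt.Println("Brooklyn clinician reads Manhattan chart:", Authorize(clinician, ReadChart, manhattan))
	fmt.Println("Admin reads:", Authorize(admin, ReadChart, manhattan), "Admin writes:", Authorize(admin, WriteChart, manhattan))
}
```

The order of the checks matters: the organization and location filters run before any role is consulted, so a role can never widen access past the tenant and location boundaries.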
Audit logging
Every action that touches PHI is recorded in an append-only audit log: viewing a patient, reading a record, sending a message, changing a prescription, and so on, over forty distinct action types in total. Each entry captures who acted, what they did, when, from which IP address, and on which device.
The audit log is preserved on soft-delete, so removing a record does not remove its history. Audit data is available to your organization on request.
Availability & reliability
Glia runs on a dedicated Linux stack with hardened Postgres storage. We target high availability and notify customers of scheduled maintenance in advance. If you need a specific uptime commitment for your practice, we can put that in writing. Contact us.
Sub-processors
We keep the list of third parties that touch customer data intentionally short. As of today:
- Stripe for patient-billing payment processing. You connect your own Stripe account, so patient payments go directly to you; Glia does not receive or hold them.
- Our infrastructure provider, the managed hosting that runs the database and application servers. We're happy to share details under NDA.
Video calling runs on infrastructure we operate ourselves, not a third-party video SaaS. We will notify customers in advance of any change to this list.
Responsible disclosure
If you believe you've found a security vulnerability in Glia, please email security@glia.health. We treat these reports seriously, respond quickly, and will not pursue action against researchers acting in good faith.
Have a specific compliance question? We're happy to talk through risk, BAA terms, or your practice's security requirements before you sign up. Reach us at hello@glia.health.