HIPAA · BAA · ONC · EPCS

Compliance posture

Pollen8 MR is designed for the audit + integrity requirements of HIPAA, the 21st Century Cures Rule, ONC §170.315 2015 Edition Cures Update, and DEA EPCS for controlled-substance prescribing.

HIPAA + BAA

  • BAA available. Pollen8 executes a Business Associate Agreement with every customer running pollenix.health in production.
  • Files stay in the customer’s cloud. Pollen8 is deployable (AWS Fargate, Azure App Service, Cloudflare Workers) — not SaaS. No PHI ever leaves the customer’s infrastructure perimeter.
  • Separate KMS key + separate audit table from non-Health Pollen8 surfaces, so a Health-only deployment doesn’t share cryptographic material with the rest of the stack.

Audit architecture

Every PHI read + write generates a Why trace stamped with purpose_code (TREAT / BILLING / PAYMENT — HL7 v3 PurposeOfUse), subject_id (FHIR Patient id), user_id, and a chained parent_trace_id for multi-step transactions (e.g., encounter → scribe → SOAP → code suggester → 837 build is one chain).

The trace store is queryable for any HIPAA accounting-of-disclosures request.

ONC §170.315 (Cures Rule)

Pollen8 surfaces map to all §170.315 2015 Edition Cures Update criteria. Highlights:

  • §170.315(g)(7) — application access — covered by the FHIR R4 API.
  • §170.315(g)(9) — application access via Bulk Export — covered by the $export surface.
  • §170.315(b)(10) — EHI export — covered by the patient-portal records-download flow.
  • §170.315(d)(2) — auditable events — covered by the Why trace + audit table.

Formal ONC certification is in flight with an ACB and takes 6+ months end-to-end.

EPCS (DEA controlled substances)

Schedule II–V prescribing is gated off by default. EPCS unlock requires:

  • DEA registration on file for each prescriber who’ll use EPCS.
  • Identity proofing at NIST IAL2.
  • Two-factor authentication enrollment for each prescriber.
  • Surescripts EPCS module activation (separate from regular NewRx).

Once unlocked, controlled prescriptions flow through Surescripts with the EPCS signature block attached. Each EPCS event stamps a trace with extra audit metadata (the second factor used, the biometric/PIN method, the prescriber’s session id).

Pollen8 doesn’t take the customer through DEA registration or 2FA enrollment — those are the customer’s responsibilities. We provide the technical surface that’s compliant once those are done.

Cyber + crypto

  • Per-call AuthContext capability tokens — ≤30s TTL, single-use, audit-logged. Nothing has standing chart access.
  • secret_box (Fernet) envelope encryption for every credential blob (AI providers, clearinghouse, Surescripts, DMS).
  • KMS root key rotates on tenant-config change.
  • Postgres row-level isolation by tenant_id on every clinical table.
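An added example, not Pollen8's own code, that ties the per-call AuthContext properties listed above (≤30s TTL, single-use, audit-logged) to the Why trace fields from the Audit architecture section (purpose_code, subject_id, user_id, parent_trace_id) and the accounting-of-disclosures query. The token format (HMAC-signed JSON claims), the class and method names and the denial outcome strings are assumptions; the page does not describe the real wire format.

```python
import base64, hashlib, hmac, json, secrets, time

MAX_TTL_S = 30                              # the <=30 s cap stated on the page
PURPOSES = {"TREAT", "BILLING", "PAYMENT"}  # HL7 v3 PurposeOfUse codes named on the page


class CapabilityService:
    # Hypothetical service: mints and redeems per-call chart-access tokens; every outcome is logged.
    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._spent = set()      # jti values already redeemed: enforces single use
        self.audit = []          # Why-trace style records, one per redemption attempt

    def mint(self, user_id, subject_id, purpose_code, parent_trace_id=None, ttl_s=MAX_TTL_S):
        if purpose_code not in PURPOSES:
            raise ValueError("unknown purpose_code")
        claims = {"jti": secrets.token_hex(8), "user_id": user_id, "subject_id": subject_id,
                  "purpose_code": purpose_code, "parent_trace_id": parent_trace_id,
                  "exp": self._clock() + min(ttl_s, MAX_TTL_S)}   # never beyond the cap
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()  # 32-byte tag
        return base64.urlsafe_b64encode(body + tag).decode()

    def redeem(self, token, subject_id):
        # Returns (allowed, trace). Denials are logged exactly like grants.
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()):
            return self._record("deny:bad_signature", {"subject_id": subject_id})
        claims = json.loads(body)
        if self._clock() > claims["exp"]:
            return self._record("deny:expired", claims)
        if claims["jti"] in self._spent:
            return self._record("deny:replayed", claims)
        if claims["subject_id"] != subject_id:
            return self._record("deny:subject_mismatch", claims)
        self._spent.add(claims["jti"])
        return self._record("allow", claims)

    def _record(self, outcome, claims):
        trace = {"trace_id": secrets.token_hex(8), "ts": self._clock(), "outcome": outcome}
        for k in ("purpose_code", "subject_id", "user_id", "parent_trace_id"):
            trace[k] = claims.get(k)
        self.audit.append(trace)
        return outcome == "allow", trace

    def accounting_of_disclosures(self, subject_id):
        # Every granted access for one patient, oldest first (HIPAA accounting request).
        return [t for t in self.audit if t["subject_id"] == subject_id and t["outcome"] == "allow"]
```

Passing the previous trace_id as parent_trace_id when minting the next token is what links one multi-step transaction (encounter, scribe, SOAP, coder, 837 build) into a single chain.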

State law variances

Pollen8 doesn’t try to solve all 50 states’ privacy laws — that varies too much (CMIA, Texas HB300, NY SHIELD, Washington My Health My Data, etc.). The platform gives you the substrate (per-call AuthContext, granular audit, Why trace); the privacy team layers the state-specific policies on top via Roles and PII policy.