🔒 HOW TO BE HIPAA COMPLIANT FOR A HEALTH & MEDICAL PRACTICE

The Complete Infrastructure, Configuration & Operations Guide

DEEPdormir.ai Internal Compliance Document

Prepared by: Proscris Agency (Fractional CTO)

Classification: Internal — Confidential

Applies To: All technology infrastructure, vendors, staff, and contractors


How To Use This Document:

This is the single source of truth for DEEPdormir's HIPAA compliance infrastructure. It covers every layer of the technology stack — from the server the website runs on to the email a patient receives after submitting a form. It is written for the people building and operating the system. It is not a legal document — it is an operational blueprint. Read it fully once. Then use it as a build checklist.


CHAPTER 1: HIPAA FUNDAMENTALS — WHAT EVERY TECHNICAL OPERATOR MUST KNOW

1.2 — Who DEEPdormir Is Under HIPAA

DEEPdormir.ai is a dental and sleep medicine practice. It is a Covered Entity. This classification is not optional. A solo practitioner treating one patient per day has the same legal obligations as a hospital system.

1.3 — What Proscris Agency Is Under HIPAA

By providing technology infrastructure, digital marketing, and automation, Proscris Agency is a Business Associate (BA). We are not a bystander. We are a named party in the regulatory framework with direct legal liability.

1.4 — What PHI Is (The 18 Identifiers)

Protected Health Information (PHI) is created when any of the following are combined with health information:

#    Identifier          Example in Context
1    Names               Patient names
2    Geographic data     Address, City, Zip
3    Dates (not year)    Appointment/Birth dates
4    Phone numbers       Mobile/Home
5    Fax numbers         Referral faxes
6    Email addresses     Patient email
7    SSN                 Insurance forms
8    Medical record #    Internal Patient IDs
9    Health plan #       Insurance IDs
10   Account #           Billing accounts
11   License #           Provider NPI
12   Vehicle IDs         (Rarely relevant)
13   Device IDs          CPAP serial numbers
14   Web URLs            Patient record links
15   IP addresses        Visitor IP on health pages
16   Biometric IDs       Fingerprints
17   Full-face photos    Before/After photos
18   Unique numbers      Any other ID

The Critical Vector: Identifier #15 (IP Addresses). A visitor's IP address combined with their presence on a URL like /sleep-apnea-treatment constitutes ePHI. This makes standard pixels and analytics a liability if not configured correctly.


CHAPTER 2: THE BUSINESS ASSOCIATE AGREEMENT (BAA)

A BAA must be signed before any system configuration begins. Here is the master execution list:

Vendor              Service             How To Execute
Proscris Agency     CTO Services        Sign standard Proscris BAA template.
Google Workspace    Email/Drive/Docs    Admin Console → Account Settings → Legal → HIPAA Amendment.
Google Cloud (GCP)  Hosting/Database    GCP Console → IAM & Admin → Settings → Compliance → HIPAA Amendment.
Cloudflare          DNS/WAF             Contact Enterprise Sales/Support for BAA.
Paubox              Encrypted Email     Executed during account creation.

CHAPTER 3: THE INFRASTRUCTURE — GOOGLE CLOUD PLATFORM

We use GCP because one BAA covers the entire stack: Hosting, Database, Automation, and Storage. The client owns everything.

3.2 — GCP Project Architecture

GCP PROJECT: deepdormir-production
│
├── COMPUTE ENGINE
│   ├── VM: deepdormir-wordpress (Nginx + PHP 8.2 + WordPress)
│   └── VM: deepdormir-n8n (Docker + n8n + PostgreSQL)
│
├── CLOUD SQL
│   └── Instance: deepdormir-mysql (Encrypted at rest, Private IP)
│
├── CLOUD STORAGE
│   └── Bucket: deepdormir-wp-media (Private, backups)
│
├── CLOUD LOGGING
│   └── Audit Log Sink → Storage Bucket (6-year retention)
│
└── SECRET MANAGER
    └── Stores: Database passwords, API keys, Encryption keys

3.3 — WordPress VM Configuration (Nginx Security)


# /etc/nginx/sites-available/deepdormir.ai
# Excerpt: the ssl_certificate / ssl_certificate_key, root and PHP location
# directives are omitted here and must be present for the server block to load.

server {
    listen 443 ssl http2;
    server_name deepdormir.ai www.deepdormir.ai;

    # Strong TLS — TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;

    # Security headers (HIPAA Requirement)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Block access to sensitive files (dotfiles, config, and the XML-RPC endpoint)
    location ~ /\.(ht|git|env) { deny all; }
    location ~ /wp-config\.php { deny all; }
    location ~ /xmlrpc\.php { deny all; }
}

3.4 — n8n Docker Configuration (HIPAA Hardening)


# docker-compose.yml excerpt
n8n:
  environment:
    # Security — CRITICAL
    N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY} # Encrypts credentials at rest; set from Secret Manager, never committed

    # Audit Logging
    N8N_LOG_LEVEL: info
    N8N_LOG_OUTPUT: file
    EXECUTIONS_DATA_SAVE_ON_SUCCESS: all
    EXECUTIONS_DATA_SAVE_ON_ERROR: all
    EXECUTIONS_DATA_MAX_AGE: 2160 # value is in hours: 90 days hot

CHAPTER 5: WORDPRESS β€” COMPLETE HIPAA CONFIGURATION

5.1 β€” Approved Plugin Stack

  • ✅ ASE Pro: Admin control and role management.
  • ✅ Wordfence Security: WAF and login security.
  • ✅ WP 2FA: Mandatory Two-Factor Authentication.
  • ✅ WP Activity Log: Audit trail of all admin actions.
  • ✅ UpdraftPlus: Encrypted remote backups to Google Drive.

Banned Plugins (Risk Vectors)

  • ❌ GA4/Google Analytics Plugins (Use GTM + Consent Mode only)
  • ❌ Meta Pixel Plugins (Browser-side pixels are non-compliant)
  • ❌ Contact Form 7 / Gravity Forms (if storing entries in DB)
  • ❌ Jetpack / Akismet (Data processing without BAA)

CHAPTER 6: THE FORMS — CUSTOM HTML INTAKE ARCHITECTURE

The Principle: The website never stores, processes, or holds form data. Data flows `Browser -> HTTPS -> n8n (BAA) -> Sheets (BAA)`.

6.2 — Production Form Code


// CLIENT-SIDE FORM HANDLER
// 1. Captures form data
// 2. Captures UTM parameters
// 3. Sends DIRECTLY to n8n webhook (bypassing WP database)

const WEBHOOK_URL = 'https://n8n.deepdormir.ai/webhook/patient-inquiry';
// The intake form element; the id is assumed here and must match the page markup
const form = document.querySelector('#patient-inquiry-form');

form.addEventListener('submit', async function(e) {
    e.preventDefault();
    const formData = new FormData(form);
    const payload = Object.fromEntries(formData.entries());

    // Append Metadata
    payload.submitted_at = new Date().toISOString();
    payload.source_url = window.location.href;

    // Capture UTM attribution parameters from the landing URL
    const params = new URLSearchParams(window.location.search);
    for (const key of ['utm_source', 'utm_medium', 'utm_campaign']) {
        if (params.has(key)) payload[key] = params.get(key);
    }

    // Send to n8n
    const response = await fetch(WEBHOOK_URL, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'X-Form-Secret': 'YOUR-SECURE-KEY'
        },
        body: JSON.stringify(payload),
    });

    // Never log or echo the payload on failure; it may contain PHI
    if (!response.ok) {
        console.error('Submission failed with status', response.status);
    }

    // UI Feedback Handling...
});

CHAPTER 7: n8n AUTOMATION — THE PHI FIREWALL

We use n8n to filter data before it reaches marketing platforms. This is the "PHI Firewall."

Node Logic: The CAPI Filter


// DEEPdormir — Meta CAPI Payload Builder (PHI FIREWALL)
// n8n Code node, mode "Run Once for Each Item": $json is the intake item from the webhook.
// Explicitly documents what IS and IS NOT sent to Meta

// ── WHAT IS SENT (Allowlist) ──────────────
// ✅ event_name: "Lead" (Generic)
// ✅ event_time: Timestamp
// ✅ em / ph: SHA-256 HASHED email/phone (No plaintext PII)
// ✅ custom_data: lead_source, lead_campaign (Attribution only)

// ── WHAT IS BLOCKED (Denylist) ────────────
// ❌ Full Name (HIPAA Identifier #1)
// ❌ Message Body (Potential Health Info)
// ❌ Inquiry Type (Health Context)
// ❌ Source URL (e.g. /sleep-apnea-treatment)
// ❌ IP Address (HIPAA Identifier #15)

// Node's crypto module; the n8n container must allow it (NODE_FUNCTION_ALLOW_BUILTIN=crypto)
const crypto = require('crypto');
const sha256 = (value) => crypto.createHash('sha256').update(value).digest('hex');
const input = $json;

// Meta expects values normalized before hashing: lowercase, trimmed email; digits-only phone with country code
const email = String(input.email || '').trim().toLowerCase();
const phone = String(input.phone || '').replace(/\D/g, '');

return {
    json: {
        event_name: 'Lead',
        event_time: Math.floor(Date.now() / 1000),
        action_source: 'website',
        user_data: {
            em: [sha256(email)],
            ph: [sha256(phone)]
        },
        custom_data: {
            lead_source: input.utm_source,
            lead_campaign: input.utm_campaign
        }
    }
};

CHAPTER 10: ADMINISTRATIVE SAFEGUARDS

10.4 β€” Breach Response Protocol

  1. CONTAIN (1 Hour): Stop exposure, revoke access, preserve logs.
  2. ASSESS (24 Hours): Apply the 4-Factor Risk Assessment test.
  3. NOTIFY CLIENT (24 Hours): Inform DEEPdormir Privacy Officer.
  4. NOTIFY REGULATORS: Client notifies HHS/Patients (within 60 days).
  5. REMEDIATE: Fix vulnerability and update Risk Assessment.
  6. DOCUMENT: Retain incident report for 6 years.

10.5 β€” Access Control Policy

Revocation Rule: Access for departed employees/contractors must be revoked within 1 hour of termination.


CHAPTER 11: DENTAL & SLEEP SPECIFIC CONSIDERATIONS

11.2 β€” The Online Review Protocol ($50k Risk)

Never confirm a patient's identity in a review response.

Approved Negative Response: "Thank you for sharing your feedback. We take all patient experiences seriously and are committed to high quality care. We'd welcome the opportunity to discuss your concerns directly — please contact us at [phone]."

11.3 β€” Patient Photography

Strict Rule: No patient photo (smile, sleep appliance fit, before/after) goes on the website or social media without a specific, signed HIPAA Media Authorization form stored in their file.


CHAPTER 12: THE COMPLETE COMPLIANCE CHECKLIST

Phase 1: Infrastructure

  • ☐ GCP Project created & BAA signed
  • ☐ WordPress VM & Cloud SQL created (Private IP)
  • ☐ Audit logging enabled (6-year retention)
  • ☐ MFA enforced on all GCP accounts

Phase 2: WordPress Hardening

  • ☐ Plugins installed (Wordfence, WP 2FA, Activity Log)
  • ☐ XML-RPC disabled
  • ☐ Admin user not named "admin"
  • ☐ 2FA enforced for all editors/admins

Phase 5: Forms & CAPI

  • ☐ Custom HTML form deployed (No DB storage)
  • ☐ CAPI workflow tested with Test Event Code
  • ☐ Confirmed zero PHI in CAPI payload
  • ☐ Browser-side Pixel removed/blocked

Phase 8: Administrative

  • ☐ Notice of Privacy Practices published
  • ☐ Staff HIPAA training completed & logged
  • ☐ Risk Assessment documented
  • ☐ BAA Master Log updated

APPENDIX: QUICK REFERENCE

Term                Definition
BAA                 Business Associate Agreement. Required for all vendors touching PHI.
ePHI                Electronic Protected Health Information.
CAPI                Conversions API. Server-side tracking that allows PHI filtering.
Minimum Necessary   HIPAA rule limiting access to only what is needed for the role.
Paubox              HIPAA-compliant encrypted email provider.
