HIPAA-aligned by architecture —
not by promise.
Most vendors ask you to trust them with PHI under a BAA. ASTIS is built so PHI plaintext does not cross the ASTIS edge in supported HYOK CVS flows — encrypted on your side, with keys and decryption authority kept in your own infrastructure.
Infrastructure access shouldn't mean PHI access.
PHI plaintext stays on your side of the boundary
Three properties that make ASTIS HIPAA-aligned by construction, not by policy.
Encrypted on your side
PHI is encrypted in your application or client before anything leaves your boundary. ASTIS receives sealed capsules and metadata — never patient data in clear.
Your infrastructure, your region
With HYOK CVS, the key vault runs in your own (US) infrastructure. Data residency and decryption authority stay under your control.
You hold the keys
Generate, rotate, and revoke keys yourself. Even ASTIS-operated services cannot read PHI — the decryption key is never ours to hold.
How ASTIS maps to the HIPAA Security Rule
Technical Safeguards (45 CFR §164.312) and the ASTIS capability that supports each. ASTIS is designed to support these controls — it is not a substitute for your own compliance program.
Encryption
§164.312(a)(2)(iv) · (e)(2)(ii)
PHI is encrypted client-side (AES-256-GCM, OpenPGP capsules). The ASTIS edge only ever handles encrypted capsules — never PHI in clear.
Access control
§164.312(a)(1)
Scoped API keys and customer-controlled keys gate every operation. With HYOK CVS, decryption authority stays entirely on your infrastructure.
Audit controls
§164.312(b)
A tamper-evident, hash-chained audit trail of cryptographic and key-management operations, exportable for your auditors.
Integrity
§164.312(c)(1)
Hash-based signing and verification prove records were not altered — without the signer ever seeing the document.
Transmission security
§164.312(e)(1)
Data is sealed before it leaves your boundary and travels as ciphertext; only protected artifacts cross the wire.
Where it fits in care delivery
Patient communication & referrals
Protected messages, documents, and referrals between providers, patients, and partners — without PHI becoming ordinary mailbox plaintext.
Lab, imaging & results
Encrypt results and reports client-side; recipients decrypt with their own keys. ASTIS never receives the contents.
Claims & prior authorization
Tokenize or format-preserve sensitive fields (MRN, member IDs) so downstream systems and vendors process data they cannot read.
Telehealth & connected apps
Embed encryption, signing, and customer-controlled keys into your own product so PHI stays sealed across your stack and AI tools.
Honest boundary
- • ASTIS is designed to support HIPAA-aligned architectures. HIPAA compliance depends on your implementation, policies, BAA, access controls, risk analysis, and operational safeguards — the HIPAA Security Rule requires administrative, physical, and technical safeguards across your organization, not a single vendor control.
- • A Business Associate Agreement (BAA) is available for Enterprise and HYOK CVS deployments. Because PHI plaintext does not cross the ASTIS edge in supported HYOK CVS flows, ASTIS's footprint as a PHI processor is minimal — the BAA covers a surface that, by design, does not receive PHI plaintext.
- • Verifiable today via internal dogfood and independently verifiable artifacts; SOC 2 Type II is in progress (CASA Tier 2 complete). Not yet a third-party HIPAA audit.
- • For US data residency, the key vault and decryption run in your own US infrastructure under HYOK CVS.
Keep PHI where it belongs — with you.
Let's scope a HIPAA-aligned deployment for your workflows and data-residency needs.
Talk to ASTIS