Trust Center

HIPAA posture

When HIPAA applies to Open Doors workspaces and how to request a BAA.

Last updated: 24 April 2026

The US Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) is used and disclosed by covered entities and their business associates. Open Doors offers a HIPAA-configured workspace for qualifying customers on eligible plans.

Do you need HIPAA coverage?

HIPAA applies when you are a covered entity (healthcare provider, health plan, healthcare clearinghouse) or a business associate processing PHI. If the data your business handles about individuals includes protected health information, you likely need a Business Associate Agreement (BAA) with any vendor that touches that data, including Open Doors.

How HIPAA works in Open Doors

  • HIPAA is an Enterprise-plan feature; it is not available on lower tiers.
  • Before PHI can touch the platform, a signed BAA must be in place.
  • HIPAA-configured workspaces restrict certain integrations and features whose providers cannot sign a BAA or do not support HIPAA use cases.
  • Audit logging is always-on and retention is extended to 6 years.
  • Custom fields designated as PHI are encrypted at the column level.
  • Access to the HIPAA workspace is gated by enforced 2FA and SSO where configured.

What we cover in our BAA

Our BAA addresses the elements required by 45 C.F.R. §164.504(e), including:

  • Permitted uses and disclosures of PHI.
  • Safeguards to prevent unauthorised use or disclosure.
  • Reporting of unauthorised use or disclosure, including breach notification timelines.
  • Sub-processor requirements and flow-down of obligations.
  • Access, amendment, and accounting of disclosures for individuals.
  • Return or destruction of PHI at the end of the agreement.
  • Record-keeping and audit rights.

Request a BAA

Email legal@opendoors.ai with your workspace ID, entity name, and a brief description of the PHI you expect to process. We review eligibility, confirm your plan, and send the BAA for signature. Typical turnaround is 2-5 business days.

What you are responsible for

A BAA with Open Doors does not make you automatically HIPAA-compliant. You remain responsible for training staff, securing endpoints, controlling access to your own systems, contracting with your own sub-processors, and following the HIPAA Security Rule’s administrative, physical, and technical safeguards within your environment.

Questions about this page? Contact privacy@opendoors.ai.
