HIPAA Readiness Roadmap
PancreaTrack is not currently a HIPAA-covered entity or Business Associate. This page explains our current status, what protections are already in place, and our concrete path toward HIPAA compliance.
PancreaTrack is a consumer health application. Physicians should not treat it as a HIPAA-covered system at this time: until the controls listed below are in place, patient data shared through the platform is not protected under HIPAA and should be shared only with that understanding.
What Is Already in Place
| Control | Status |
|---|---|
| TLS encryption in transit | ✅ Active |
| Bcrypt password hashing | ✅ Active |
| Role-based access (patient vs. physician) | ✅ Active |
| Physician NPI verification | ✅ Active |
| Patient consent before physician access | ✅ Active |
| Audit trail for physician data access | 🔄 Planned Q3 2026 |
| Database encryption at rest | 🔄 Planned Q3 2026 |
| Formal BAA (Business Associate Agreement) | 🔄 Planned Q4 2026 |
| Annual security risk assessment | 🔄 Planned Q4 2026 |
| Workforce training documentation | 🔄 Planned Q4 2026 |
| Breach notification policy | 🔄 Planned Q4 2026 |
| Penetration testing | 🔄 Planned Q1 2027 |
Roadmap Milestones
Q3 2026 — Technical Hardening
- Implement database encryption at rest
- Add audit logging for all physician data access events
- Implement automatic session timeout policies
- Complete dependency security audit
Q4 2026 — Policy & Administrative Controls
- Draft and publish Privacy Policy and Terms of Service aligned with HIPAA standards
- Establish breach notification procedures
- Execute Business Associate Agreements with Anthropic and Stripe
- Conduct the first annual security risk assessment
- Complete workforce (team) HIPAA training documentation
Q1 2027 — Formal Assessment
- Engage third-party HIPAA compliance auditor
- Commission penetration test
- Remediate findings
- Publish compliance attestation
PancreaTrack is built with HIPAA compliance as a primary goal, but it does not yet meet that bar; the open items above reflect an early-stage platform. Pilot studies using PancreaTrack data should disclose the current compliance status to their IRB.
Questions?
For compliance-related inquiries — from health systems, IRBs, or potential partners — contact us at compliance@pancreatrack.com.