Compliance

HIPAA · BAA Process

Strategic AI Architects signs a Business Associate Agreement before any client work that touches protected health information begins. Every build for a Medicare, ACA, health, or life insurance agency runs on HIPAA-eligible AWS and Azure services, keeps analytics server-side and consent-gated, and logs every access to client data for six years.

Want us to walk your agency through it? Book a strategy call and we'll map the process to your book of business.

Mike Moore on HIPAA compliant tracking and the BAA process
Mike Moore, Founder of Strategic AI Architects

Do you sign a Business Associate Agreement?

Yes. Strategic AI Architects signs a BAA before any work that creates, receives, maintains, or transmits protected health information (PHI) begins, not after launch. The signed agreement is part of your onboarding paperwork.

Under HHS guidance on business associates, a vendor that handles PHI on behalf of a covered entity is a business associate and must operate under a written BAA. Insurance agencies selling Medicare, ACA, or health products are squarely in that world, so we treat every quote form, plan finder, and lead record as PHI from the first day of a Digital Foundation build. Subcontractors that touch the same data sign downstream BAAs before they get access.

Which HIPAA-eligible AWS and Azure services do you use?

Only services covered by our signed cloud BAAs. On AWS that means HIPAA-eligible services such as EC2, S3, RDS, Lambda, and CloudFront under the AWS Business Associate Addendum. On Azure it means services inside Microsoft's HIPAA and BAA scope, such as App Service, Azure SQL Database, and Blob Storage.

PHI is never routed through a service outside that eligibility list. Data is encrypted at rest with AES-256 and in transit with TLS 1.2 or newer, storage buckets holding lead data are private by default, and access keys are scoped to the minimum each worker needs. When a client already has a cloud account, we verify their BAA with the provider is executed before any health data lands in it.

How is tracking kept server-side?

No client-side GA4, Google Tag Manager, or Meta Pixel fires on pages tied to health conditions, coverage, or enrollment. Analytics run server-side, behind a consent gate, with identifiers stripped or truncated before any event leaves the site.

The HHS Office for Civil Rights, in its guidance on the use of online tracking technologies by HIPAA covered entities and business associates, explains that an IP address or device identifier combined with a visit to a health-related page can itself be PHI. Sending that combination to an ad platform with no BAA is exactly the exposure that has driven recent enforcement and class actions against insurance sites. Our answer is first-party, server-side event collection: conversions post from our servers, consent is captured before anything is measured, IP addresses are truncated, and no form field content ever rides along in an analytics payload. Not sure what your current site is firing? Run the free audit and it will flag every client-side pixel on your Medicare and ACA pages.

What audit trails exist?

Every build ships with three logs: access logs (who viewed or exported lead data, and when), change logs (every deployment and configuration change, tied to a person), and data-flow logs (where each lead record traveled, from form to CRM to carrier hand-off). All three are retained for six years, matching HIPAA's documentation retention requirement.

Logs are reviewed on a set schedule, anomalies trigger alerts rather than waiting for a quarterly report, and clients can request their log history at any time. Agencies on our Enterprise tier get expanded logging with scheduled compliance reports and a named point of contact for security reviews and incident response.

HIPAA questions agencies ask us

Does Strategic AI Architects sign a Business Associate Agreement?

Yes. We sign a BAA before any work that touches protected health information begins, and the signed agreement is delivered with your onboarding paperwork.

Is GA4 or Meta Pixel HIPAA compliant for insurance sites?

Not as client-side pixels on pages about health coverage. HHS guidance treats identifiers sent from those pages as protected health information, so we replace client-side pixels with server-side, consent-gated tracking.

Do Medicare and ACA agency websites need HIPAA compliance?

Yes. When quote forms, plan finders, or chat tools collect health information, the site handles protected health information and needs HIPAA safeguards, including a BAA with every vendor that touches that data.

How long do you keep audit logs?

Access, change, and data-flow logs are retained for six years, matching HIPAA's documentation retention requirement, and are available to clients on request.