
HIPAA Compliance Posture

This page describes Tallyfy, Inc.'s HIPAA compliance posture. It applies to engagements where Tallyfy, Inc. acts as a HIPAA Business Associate under an executed Business Associate Agreement with a covered entity. The Tallyfy SaaS workflow product, by default, does not process Protected Health Information and is not operated under any customer-facing BAA. Customers who require PHI processing must confirm specific HIPAA scope with Tallyfy before onboarding.

1. Our programme

Tallyfy, Inc. maintains a HIPAA compliance programme governed by policies mapped to the HIPAA Security Rule (45 CFR § 164.308, § 164.310, § 164.312, § 164.314, § 164.316), the HIPAA Privacy Rule (45 CFR Part 164 Subpart E), and the HIPAA Breach Notification Rule (45 CFR § 164.400-414). The programme is operated alongside Tallyfy's SOC 2 Type II control environment, with approximately 60-70% of HIPAA Security Rule safeguards satisfied through shared controls (access management, encryption, audit logging, incident response, workforce onboarding, vendor management).

Designated officers

  • HIPAA Security Officer: Amit Kothari, Chief Executive Officer — amit@tallyfy.com
  • HIPAA Privacy Officer: Pravina Pindoria, Chief Operating Officer — pravina@tallyfy.com

Policies

Tallyfy maintains a full HIPAA policy set covering: programme overview and applicability, risk analysis and management, Security Officer and Privacy Officer designations, workforce training and security (with sanction policy), information access management, security incident procedures, contingency planning, periodic evaluation, BAA management, physical safeguards, technical access controls, audit controls, integrity and transmission security, and breach notification.

Risk analysis

Tallyfy conducts formal HIPAA risk analysis annually following NIST SP 800-30 Rev 1 methodology and refreshes the analysis on any material change (new subcontractor, significant architecture change, post-incident review). The risk analysis informs mitigation priorities and is cross-referenced with the SOC 2 risk register.

Workforce training

Every workforce member with potential PHI access completes HIPAA training at onboarding and annually thereafter. Training covers the PHI boundary, minimum-necessary standard, incident reporting, physical and technical safeguards, and sanction policy. Completion is documented via signed attestation.

2. When Tallyfy acts as a Business Associate

Tallyfy, Inc. acts as a HIPAA Business Associate when:

  1. A covered entity client and Tallyfy execute a Business Associate Agreement.
  2. The engagement involves Tallyfy creating, receiving, maintaining, or transmitting PHI on behalf of the covered entity.

In the absence of an executed BAA, Tallyfy does not handle PHI. For advisory or consulting engagements where PHI does not flow through Tallyfy systems, Tallyfy offers a Custom Data Processing Agreement in place of a BAA; the cloud vendor (AWS, Google, Anthropic) signs any BAA covering its own services.

Business Associate Agreement template

Tallyfy, Inc.'s client-facing BAA template is based on the HHS sample BAA provisions, with additions covering subcontractor flow-down, a liability cap consistent with the underlying services agreement, and a 30-day Business-Associate-to-Covered-Entity breach notification window (matching the HHS Model; tighter than the 60-day HIPAA default for covered-entity-to-individual notification).

3. Subcontractors with PHI access

Tallyfy's intentional PHI-capable subcontractor scope is limited to:

  • Google LLC (Google Workspace services) — under the Google Workspace HIPAA Business Associate Amendment. Covered services include Gmail, Drive, Docs, Meet, and Calendar within the HIPAA-scoped organisational unit.
  • Anthropic PBC (Claude Enterprise) — under Anthropic's HIPAA-ready Enterprise BAA. Covered services include Claude Chat, Projects, Artifacts, Voice Mode, Web Search, Research, and Skills when enabled by the administrator.

PHI does not flow to any other subcontractor in Tallyfy's vendor stack.

4. Technical safeguards

  • Access control. Unique user ID per workforce member; multi-factor authentication mandatory on every PHI-capable account; automatic session timeout (1 hour on Google Workspace; vendor-maximum on Anthropic); emergency access procedure with named approving officer.
  • Audit controls. Google Vault retention configured to at least 6 years for the PHI-scoped organisational unit; Anthropic audit logs retained per Enterprise plan; quarterly log review by the Security Officer.
  • Integrity. Vendor-native integrity controls (Google, Anthropic); workforce member attribution on every PHI touch via audit logs.
  • Authentication. Password + MFA via authenticator app or hardware key. SMS MFA is not permitted for PHI-capable accounts.
  • Transmission security. TLS 1.2 or higher for all PHI access; S/MIME or equivalent for PHI leaving Google Workspace to external systems.
  • Encryption at rest. AES-256 via vendor encryption (Google Workspace, Anthropic); full-disk encryption on workforce endpoints.

5. Physical safeguards

Tallyfy operates remote-first. There is no Tallyfy facility that stores PHI. Workforce endpoints are secured under a BYOD policy with full-disk encryption, screen lock, up-to-date OS and security patches, and device-level MFA or biometric unlock. Lost or stolen devices are reported to the Security Officer within 4 hours of discovery.

6. Breach notification

In the event of a Breach of Unsecured PHI, Tallyfy notifies the affected covered entity in writing within 30 calendar days of discovery, matching the HHS Model BAA default. Notification includes: identification of individuals affected, nature and extent of PHI involved, date of breach and discovery, mitigation steps taken, and Tallyfy contact information. The covered entity's own notification obligations to affected individuals, to HHS, and (where applicable) to media remain the covered entity's responsibility; Tallyfy cooperates fully.

7. Attestation documents

For qualified prospects and customers under NDA, Tallyfy provides:

  • SOC 2 Type II Letter of Attestation
  • Custom Data Processing Agreement
  • Business Associate Agreement template (Tallyfy-branded, for healthcare engagements)
  • HIPAA policy summary

Request via amit@tallyfy.com.

8. What Tallyfy does not claim

Tallyfy, Inc. does not currently hold HITRUST CSF certification, ISO 27001 certification, FedRAMP authorisation, or CMMC authorisation. Tallyfy's HIPAA posture is derived from operational programme design and its SOC 2 Type II control environment, not from a HIPAA-specific third-party attestation. HIPAA itself does not offer or require government-issued certification; compliance is demonstrated by maintaining the programme, cooperating with OCR in any investigation, and operating under executed BAAs with covered entity clients.

9. Contact

  • Amit Kothari — Chief Executive Officer and HIPAA Security Officer — amit@tallyfy.com
  • Pravina Pindoria — Chief Operating Officer and HIPAA Privacy Officer — pravina@tallyfy.com
  • Entity: Tallyfy, Inc. — Delaware C-Corporation — 911 Washington Avenue, Suite 500, St. Louis, MO 63101
  • Phone: +1 314 556 5324