About this statement
Etlworks LLC ("Etlworks") supports the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Privacy Rule, Security Rule, and Breach Notification Rule, as amended by the HITECH Act and subsequent regulations.
This statement explains how Etlworks operates as a Business Associate to covered entities and other business associates that process Protected Health Information ("PHI") through the Etlworks platform.
This statement does not replace the Business Associate Agreement (BAA), which governs the legal relationship between Etlworks and any customer processing PHI.
HIPAA-eligible deployments
HIPAA-eligible deployment is available on Enterprise plans only. This requirement exists because HIPAA compliance depends on:
- Dedicated infrastructure. A dedicated instance — not shared with other customers — is required to meet HIPAA's segregation, audit logging, and access control requirements.
- Signed Business Associate Agreement. No PHI processing is permitted on any Etlworks deployment without a BAA in place.
- Configured safeguards. Customer-controlled settings (encryption, access roles, audit logging, retention) must be configured for HIPAA compliance before PHI flows begin.
Starter and Business plans run on shared infrastructure and are not HIPAA-eligible. Customers on these plans may not process PHI through Etlworks.
For on-premise deployments, customers retain full control of infrastructure and PHI never leaves the customer's environment. Etlworks supports HIPAA-compliant on-premise deployments under a separate licensing arrangement.
Business Associate role
When a customer processes PHI through Etlworks under a signed BAA, Etlworks acts as a Business Associate as defined in 45 CFR § 160.103.
In that role, Etlworks:
- Processes PHI only as permitted by the BAA and the Etlworks Terms of Service.
- Implements administrative, physical, and technical safeguards to protect PHI confidentiality, integrity, and availability.
- Reports security incidents, breaches, and unauthorized disclosures to the customer as required by the BAA.
- Ensures any subcontractors that may access PHI are bound by HIPAA-compliant agreements with the same protections.
- Makes its internal practices, books, and records available to the Secretary of Health and Human Services as required by HIPAA.
- Returns or destroys PHI on termination of the BAA where feasible; where return or destruction is not feasible, extends the BAA's protections to the retained PHI and limits further uses and disclosures to the purposes that make return or destruction infeasible.
Customers requesting a BAA can contact legal@etlworks.com.
Safeguards
Etlworks implements the following safeguards for HIPAA-eligible deployments:
Administrative safeguards
- HIPAA training for all personnel with potential access to PHI, completed at hire and annually.
- Role-based access controls; access reviewed quarterly and revoked promptly on role change or termination.
- Documented security incident response procedures aligned with HIPAA breach notification requirements.
- Workforce sanction policy for HIPAA violations.
- Designated HIPAA Security Officer responsible for the security program.
Physical safeguards
- All hosting on SOC 2 Type II-audited cloud infrastructure (AWS, Azure, GCP, Oracle Cloud, IBM Cloud) with physical access controls managed by the cloud provider.
- Workforce devices encrypted at rest. PHI may not be stored on personal or unmanaged devices.
- Secure media disposal procedures for any physical media that has held PHI.
Technical safeguards
- Encryption in transit: TLS 1.2 or higher for all connections.
- Encryption at rest: AES-256 for PHI stored in cloud infrastructure.
- Access control: unique user identification, automatic session timeout, role-based permissions.
- Multi-factor authentication required for administrative access to production systems.
- Audit logging: all access to PHI logged with user, timestamp, action, and source. Logs retained for at least six years, matching the six-year retention period HIPAA sets for required documentation (45 CFR § 164.316(b)(2)).
- Integrity controls: hash verification and write-once audit logs to detect tampering.
- Transmission security: end-to-end encryption, network segmentation, and intrusion detection.
AI agent and PHI
Customers can fully disable the Etlworks AI agent (Simba) — and all AI usage on the account — at any time. HIPAA-eligible customers should review whether agent use fits their compliance posture and disable it if it doesn't.
When the agent is used on a HIPAA-eligible account:
- The agent operates only on data within the customer's account, only when invoked by an authorized user.
- The agent does not train AI or machine learning models on customer data, including PHI.
- All agent actions are logged in the same audit trail as other system activity.
- The customer remains responsible for ensuring agent use complies with HIPAA, particularly when the agent reads or transforms PHI as part of building or running flows.
Disabling the agent removes all AI features on the account, including the in-product chat assistant and any LLM-backed transformations. An account administrator can disable or re-enable AI usage at any time from account settings.
Subcontractors
Any subcontractor that may access PHI on Etlworks's behalf is bound by a HIPAA-compliant agreement with the same protections required of Etlworks under the BAA.
Cloud infrastructure providers (AWS, Azure, GCP, Oracle Cloud, IBM Cloud) are HIPAA-eligible under their own BAAs with Etlworks. Customers can choose the provider and region for their dedicated Enterprise instance.
Other sub-processors (Stripe, Paywhirl, Zendesk) do not have access to PHI and are not used to process PHI. Customers should therefore not include PHI in support requests, billing correspondence, or other communications routed through these providers.
Breach notification
HIPAA requires notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Notice to the Secretary of Health and Human Services is due on the same timeline for breaches affecting 500 or more individuals (with notice to prominent media outlets when more than 500 residents of a single state or jurisdiction are affected), and within 60 days after the end of the calendar year in which the breach was discovered for breaches affecting fewer than 500. A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery.
Etlworks notifies customers of confirmed security incidents that may involve PHI without unreasonable delay, and in any event within 72 hours of confirmation, well ahead of the regulatory deadline. Note that the regulatory 60-day period runs from discovery (the first day the incident is known, or with reasonable diligence would have been known), not from confirmation. The notification includes the nature of the incident, the categories of PHI affected (where determinable), steps taken to mitigate impact, and recommended customer actions.
For confirmed breaches, Etlworks works directly with the customer to support required notifications to individuals, regulators, and (where applicable) media.
Customer responsibilities
HIPAA compliance is a shared responsibility. Etlworks secures the platform; customers must configure and use it correctly. Customer responsibilities include:
- Signing a BAA before processing any PHI. Without a signed BAA, no PHI is permitted on the platform.
- Configuring access controls. Use role-based permissions, enable MFA, and review user access regularly.
- Managing flows responsibly. Ensure flows that handle PHI route only to HIPAA-eligible destinations and that any transformations preserve the minimum necessary principle.
- Encrypting at the source where required. Etlworks encrypts data in transit and at rest, but customers may have additional encryption requirements for specific PHI categories.
- Monitoring audit logs. Etlworks provides audit logs; customers are responsible for reviewing them as part of their HIPAA compliance program.
- Notifying Etlworks of security concerns. If a customer suspects unauthorized access or use of PHI, they must notify Etlworks promptly.
- Disabling the AI agent or limiting its scope when appropriate for the customer's risk profile.
Etlworks provides documentation and support to help customers meet these responsibilities, but the customer remains the covered entity (or upstream business associate) and bears primary responsibility for HIPAA compliance.
Changes to this statement
We update this statement when HIPAA regulations change, our safeguards change, or our sub-processors change. Material changes are communicated to HIPAA-eligible customers at least 30 days in advance and may also be reflected in updates to the BAA.
The "Last updated" date at the top reflects the most recent revision.
For questions about HIPAA compliance, BAA requests, or breach notifications:
HIPAA Compliance Office
Etlworks LLC
security@etlworks.com
For BAA execution and contract questions: legal@etlworks.com
Etlworks LLC
18 Rosemont Lane
Pittsburgh, PA 15217
United States