Healthcare customers can enable HIPAA mode on their Helios organization. This page documents exactly what the mode enforces, what the customer must still do, and how to execute a Business Associate Agreement (BAA).
What HIPAA mode enforces
When enabled (via the SaaS console, Enterprise tier required), the following changes take effect across the organization:
| Setting | Default | HIPAA mode |
|---|---|---|
| Password minimum length | 8 | 12 |
| Session cookie expiry | 7 days | 12 hours |
| Session cache TTL | 60 seconds | 15 seconds |
| Email OTP as a 2FA method | available | disabled |
| Allowed 2FA methods | TOTP / passkey / email / backup codes | TOTP / passkey / backup codes |
| Audit log retention | per plan | minimum 7 years |
| Audit export | Enterprise tier feature | enabled by default |
| Background-job log retention | 30 days | 7 years |
We also gate the AI’s access to fields tagged as PHI behind explicit per-role grants (no grant, no access), and require step-up authentication (a passkey assertion or a fresh password entry) before any PHI export.
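As an added illustration of the two PHI controls above (example code, not Helios’s own implementation), the following Python model shows a default-deny check: PHI-tagged fields are exportable only with an explicit grant for the caller’s role, and only after a fresh step-up. The field names, role names and the five-minute freshness window are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Freshness window for step-up is an assumption for this example, not a published Helios value.
STEP_UP_MAX_AGE = timedelta(minutes=5)

@dataclass
class Session:
    role: str
    now: datetime                         # injected clock so the check is deterministic
    last_passkey_at: Optional[datetime] = None
    last_password_at: Optional[datetime] = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    denied_fields: list = field(default_factory=list)

def has_fresh_step_up(s: Session) -> bool:
    """Step-up is satisfied by a passkey assertion or a password re-entry inside the window.
    Timestamps in the future (clock skew, tampering) never count as fresh."""
    for ts in (s.last_passkey_at, s.last_password_at):
        if ts is not None and timedelta(0) <= s.now - ts <= STEP_UP_MAX_AGE:
            return True
    return False

def authorize_phi_export(s: Session, requested: list, phi_fields: set, grants: dict) -> Decision:
    """Default-deny: every PHI-tagged field needs an explicit grant for the caller's role,
    and the export additionally needs a fresh step-up authentication."""
    phi_requested = [f for f in requested if f in phi_fields]
    if not phi_requested:
        return Decision(True, "no PHI fields requested")
    denied = [f for f in phi_requested if f not in grants.get(s.role, set())]
    if denied:
        return Decision(False, "role lacks PHI grant", denied)
    if not has_fresh_step_up(s):
        return Decision(False, "step-up authentication required")
    return Decision(True, "PHI export authorized")

# Constructed sample data (hypothetical field and role names).
PHI_FIELDS = {"diagnosis", "mrn"}
GRANTS = {"clinician": {"diagnosis", "mrn"}, "billing": {"mrn"}}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FRESH_CLINICIAN = Session("clinician", NOW, last_passkey_at=NOW - timedelta(minutes=2))
STALE_CLINICIAN = Session("clinician", NOW, last_password_at=NOW - timedelta(minutes=30))
BILLING = Session("billing", NOW, last_passkey_at=NOW - timedelta(minutes=1))

if __name__ == "__main__":
    for sess in (FRESH_CLINICIAN, STALE_CLINICIAN, BILLING):
        print(sess.role, authorize_phi_export(sess, ["name", "diagnosis"], PHI_FIELDS, GRANTS))
```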
What the customer must still do
HIPAA is a shared responsibility. Helios runs the technical controls; the customer is responsible for:
- Designating a HIPAA Privacy Officer and a Security Officer.
- Training employees on PHI handling.
- Granting permissions only to workforce members who need PHI access.
- Removing access when a workforce member leaves.
- Monitoring the audit log for unauthorized access.
- Conducting required risk assessments.
Business Associate Agreement (BAA)
To process PHI through Helios, you must have an executed BAA with us. To get one:
- Email legal@heliosworks.com with subject “HIPAA BAA request”.
- Include your organization name, the entity that will counter-sign, and your Helios tenant.
- We send the standard BAA (with limited negotiable terms) within 3 business days.
- Once signed, we activate HIPAA mode on your organization.
Sub-processors and PHI
Not every sub-processor is BAA-covered. If you process PHI:
- Email provider must be SES or Postmark (both BAA-eligible). Resend and Mailgun are not BAA partners today.
- AI inference: Anthropic offers a BAA; OpenAI offers a BAA on its API. Confirm the model and tier before routing PHI through inference.
- Object storage: S3 in a BAA-eligible AWS account is required.
The SaaS console flags any sub-processor that’s not BAA-eligible when HIPAA mode is active.
What’s still queued
- Push 2FA: the API contract is stable, but the method is not yet enforced in HIPAA mode. Use TOTP or a passkey today.
- SOC 2 Type II: audit on roadmap; HIPAA mode does not depend on SOC 2.
Contact
- Legal: legal@heliosworks.com
- Security: security@heliosworks.com
- General: hello@heliosworks.com