Access Control Policy
Last updated: April 26, 2026 · Reviewed annually or upon material changes to the platform.
Purpose and Scope
This Access Control Policy is maintained in accordance with the HIPAA Security Rule, 45 CFR §164.312(a)(1), which requires covered entities and business associates to implement technical policies and procedures that allow only authorized persons or software programs to access electronic protected health information (ePHI).
This policy applies to all users of the Klinity platform, all members of the Klinity team, and all systems operated by Ax Hill Tecnologia da Informação LTDA that store, process, or transmit ePHI.
Guiding Principle: Minimum Necessary
All access to ePHI is governed by the minimum necessary standard (45 CFR §164.514(d)): users, systems, and team members are granted access only to the ePHI required to perform their specific function. No broader access is permitted.
User Access Model
Current model: one account per practitioner
Klinity currently operates on a one-account-per-practitioner model. Each user who registers on the platform is assigned a single, isolated account. All ePHI — appointments, audio files, transcriptions, clinical documents, and patient records — is bound to that account exclusively.
No data belonging to one account is accessible by any other account, regardless of authentication status. This isolation is enforced at the database query level: every query is scoped to the authenticated user's account_id, which is derived from the verified JWT token, not from any user-supplied parameter.
Unique user identification
Each user is identified by a unique, immutable sub (subject) UUID assigned by AWS Cognito at the time of registration. This identifier is used as the primary key for all user records and is referenced in every audit log entry. It cannot be changed or reused.
Authentication requirements
Access to the platform requires:
- A valid email address confirmed via AWS Cognito's verification flow at registration.
- A password meeting minimum complexity requirements, stored exclusively by AWS Cognito using its internal hashing mechanism. Klinity never stores, sees, or logs raw passwords.
- A valid session token (JWT) issued by AWS Cognito and cryptographically verified on every API request using RS256 against Cognito's public JWKS endpoint.
Granting Access
Access to ePHI is granted automatically upon successful account registration and email confirmation. No manual provisioning step is required. The practitioner is the sole owner of their account from the moment of creation.
There is currently no mechanism to delegate or share account access with other users. All access is individual and non-transferable.
Revoking Access
Access is revoked in the following circumstances:
- User-initiated deletion: the practitioner deletes their account via Settings. Access is revoked immediately via AWS Cognito's AdminDeleteUser operation, which invalidates all active sessions globally.
- Administrative suspension: the Klinity team sets a banned_at timestamp on the user record. The authentication middleware checks this field on every request and returns a 403 response, preventing access to any ePHI even with a valid token.
- Token expiry: Cognito access tokens expire according to the configured token lifetime. Expired tokens are rejected by the cryptographic verification step without any database lookup.
- Global sign-out: when a user logs out, Klinity calls Cognito's GlobalSignOutCommand, which invalidates all refresh tokens for that user across all devices.
Emergency Access Procedure
In the event that normal authentication mechanisms are unavailable and emergency access to ePHI is required (e.g., to respond to a legal request or a confirmed security incident, or to perform data recovery), the following procedure applies:
- Emergency access may only be initiated by the technical lead of Klinity and must be documented prior to or immediately after access.
- Access is performed via direct database connection, which requires AWS VPC access credentials managed by AWS Secrets Manager and subject to IAM role restrictions.
- All database activity during emergency access is recorded by AWS CloudTrail and the database connection log.
- A written record of the emergency access event — including the reason, the data accessed, and the actions taken — is retained for a minimum of six years.
Klinity Team Access to ePHI
Klinity team members do not have routine or application-layer access to users' clinical content. The platform provides no internal admin interface for browsing or searching patient records.
Infrastructure access (direct database or server access) is:
- Restricted to personnel with a documented operational need.
- Mediated through AWS IAM roles with least-privilege permissions.
- Audited continuously by AWS CloudTrail.
- Used only for maintenance, incident response, or regulatory compliance.
Any team member with infrastructure access receives training on ePHI handling prior to being granted credentials.
Policy Review
This policy is reviewed at least annually by the technical lead and updated as necessary to reflect changes in the platform's access control architecture, applicable regulations, or organizational structure. All material changes are documented with the date of revision and the nature of the change.