Safeguards
Encryption. Sensitive fields are encrypted at rest (AES-256) in a dedicated vault with its own key, separate from your operational data, and encrypted in transit (TLS).
Masked by default. A sensitive value shows as [redacted] everywhere: UI, internal tooling, and AI. Seeing the real value always takes a deliberate, logged reveal.
Decrypted only to run. During automated processing, a value is decrypted only while your workflow runs — never stored in the clear afterward.
Reveal is admin-only and always logged. Only an admin in your organization can reveal a value, and a value can be revealed only when the access is recorded — there is no path to see a sensitive value without writing an audit entry. Champ staff cannot reveal values at all.
Immutable audit log. Every reveal is recorded — who, which field, when — in an append-only log that can’t be edited or deleted. Logs hold no PHI and are kept at least six years (longer where state law requires), so purging PHI never erases the trail.
Sensitive by default. On a protected workflow every field is treated as sensitive unless you explicitly mark it otherwise, so encryption, masking, and logging apply automatically. Champ also rejects undeclared fields on protected workflows to prevent accidental leaks.
Tenant isolation. Each customer’s data is isolated; no customer can reach another’s.
Unreadable outside production. The key that decrypts sensitive data exists only in production — sensitive values cannot be read in any other environment.
Retention & disposal. Because sensitive values live in a separate vault, they can be purged on a schedule we agree — permanently erasing the values while your non-sensitive case history stays intact.
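The sketch below is an added illustration, not Champ's code, of how three of the safeguards above fit together: sensitive by default with undeclared fields rejected, masking on every read, and a reveal that cannot return a value unless the audit write succeeds first. The names `AuditLog`, `ProtectedRecord`, `view` and `reveal` are hypothetical, the store is in memory, and vault encryption is left out.

```python
from datetime import datetime, timezone

MASK = "[redacted]"


class AuditLog:
    """Append-only by interface: entries can be added and read, never edited or removed."""

    def __init__(self):
        self._entries = []

    def append(self, actor, field_name):
        # Records who, which field, when. The value itself is never logged.
        self._entries.append((actor, field_name, datetime.now(timezone.utc).isoformat()))

    def entries(self):
        return tuple(self._entries)


class ProtectedRecord:
    def __init__(self, declared, non_sensitive, values, audit):
        undeclared = set(values) - set(declared)
        if undeclared:
            # Undeclared fields are rejected rather than stored unprotected.
            raise ValueError(f"undeclared fields: {sorted(undeclared)}")
        # Sensitive by default: only explicitly marked fields are exempt.
        self._sensitive = set(declared) - set(non_sensitive)
        self._values = dict(values)
        self._audit = audit

    def view(self):
        """What the UI, internal tooling and AI see: sensitive values masked."""
        return {k: (MASK if k in self._sensitive else v) for k, v in self._values.items()}

    def reveal(self, actor, role, field_name):
        """Return one real value, only for an admin and only after the audit write."""
        if field_name not in self._sensitive:
            return self._values[field_name]
        if role != "admin":
            raise PermissionError("reveal is admin-only")
        # Audit first: if this raises, the return below is never reached.
        self._audit.append(actor, field_name)
        return self._values[field_name]
```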
How this maps to HIPAA
| Safeguard | How Champ addresses it |
|---|---|
| Access Control — §164.312(a)(1) | Reveal limited to your admins; tenant isolation |
| Audit Controls — §164.312(b) | Append-only log of every access to a sensitive value |
| Integrity — §164.312(c)(1) | Authenticated encryption detects tampering; audit log is insert-only |
| Encryption — §164.312(a)(2)(iv), (e)(2)(ii) | AES-256 at rest in an isolated vault; TLS in transit |
| Minimum Necessary — §164.502(b) | Masked by default; revealed one field at a time |
| Retention & Disposal — §164.310(d)(2)(i) | Vaulted values purgeable on an agreed schedule, independent of operational data |
Working together
Champ provides these safeguards; you decide which data is sensitive and who has admin access. We’re happy to discuss a Business Associate Agreement (BAA) and review these controls with your security team. Questions? Contact your Champ representative.

