Our Commitment to Healthcare Data Protection

Clevver is built on a foundation of permanent, encrypted storage that inherently satisfies the technical safeguard requirements outlined in the HIPAA Security Rule. Every document stored on Clevver is encrypted with AES-256 by default, stored immutably across a distributed network, and accessible only by authorized parties who hold the decryption keys.

This architecture was not retrofitted for compliance. It is the core design of the platform, which means healthcare organizations benefit from HIPAA-ready infrastructure without additional configuration or add-on security packages.

Technical Safeguards

The following capabilities map directly to HIPAA Security Rule requirements:

§ 164.312(a)(2)(iv)

AES-256 Encryption by Default

All data is encrypted with AES-256 before it is written to storage. Encryption is not optional and cannot be disabled. This satisfies the HIPAA encryption and decryption implementation specification for electronic protected health information (ePHI) at rest.

Zero-Knowledge Architecture

Clevver cannot access, read, or decrypt your documents. Only the user who stored the data holds the keys necessary to retrieve and decrypt it. This eliminates an entire category of insider-threat risk.

§ 164.312(c)(1)

Immutable Storage

Once a document is stored, it cannot be altered, overwritten, or deleted. This satisfies the HIPAA integrity controls requirement by ensuring that ePHI remains exactly as it was at the time of storage, providing a tamper-proof record.

§ 164.312(d)

Permanent Access Controls

Every stored document receives a unique, permanent URL. Because the content at that URL is AES-256 encrypted, only parties holding the correct credentials can retrieve and decrypt it. This satisfies the person or entity authentication standard.

§ 164.308(a)(7)

Distributed Redundancy

Data is stored across a geographically distributed network of independent nodes. This exceeds the HIPAA contingency plan requirements for data backup and disaster recovery by ensuring no single point of failure can result in data loss.

§ 164.312(b)

Audit-Ready by Design

Every storage event is permanently recorded on the underlying distributed ledger. These records are immutable and independently verifiable, providing a built-in audit trail that satisfies HIPAA audit controls requirements.

Administrative Safeguards

  • No Clevver employee can access, view, or decrypt user-stored data due to the zero-knowledge architecture.
  • Immutable storage creates a tamper-proof record of all stored documents, supporting audit and compliance review processes.
  • Content enforcement policies are maintained per the Clevver Terms of Service.
  • The platform operates on energy-efficient Proof of Stake consensus, ensuring long-term operational sustainability without reliance on any single data center or provider.

Important Disclosures

Clevver is committed to transparency about what our platform does and does not provide:

  • Business Associate Agreements (BAAs): Clevver does not sign BAAs at this time. Because of our zero-knowledge architecture, Clevver never has access to unencrypted ePHI and therefore does not meet the HIPAA definition of a Business Associate in the traditional sense.
  • User Responsibility: Users are responsible for encrypting protected health information before uploading it to Clevver. The platform encrypts all data by default, but organizational HIPAA compliance policies and procedures remain the responsibility of the covered entity.
  • Technical Infrastructure: Clevver provides the technical safeguards and infrastructure. Organizational compliance, workforce training, and policy development are the responsibility of the healthcare organization using the platform.
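The zero-knowledge model described under Technical Safeguards and the User Responsibility disclosure above both rest on the same practice: the covered entity encrypts ePHI with a key it alone holds before anything is uploaded, and keeps its own record of what was sent so the immutable copy can be checked later. The following is an added illustration written for this page, not Clevver code and not a description of any Clevver API; it assumes a hypothetical per-document label (recordID) and an upload step that is left out. It seals a document with AES-256-GCM under a client-generated key, binds the label as associated data, records a SHA-256 fingerprint of the uploaded bytes for the organization's own audit log, and shows that tampering, a wrong label or a wrong key is detected on retrieval.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sealed is the only thing that would leave the covered entity: a random
// nonce plus AES-256-GCM ciphertext (GCM appends its 16-byte
// authentication tag to Ciphertext).
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit key on the client. Keeping this key out of the
// storage platform is what makes the arrangement zero-knowledge.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one document. recordID (a hypothetical per-document label,
// not something the page defines) is bound as additional authenticated
// data, so the ciphertext cannot be decrypted as a different record even
// with the right key.
func Seal(key, plaintext, recordID []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, recordID)}, nil
}

// Open decrypts and authenticates a retrieved document. Any change to the
// nonce, ciphertext, tag or recordID makes it return an error.
func Open(key []byte, s Sealed, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, recordID)
}

// Fingerprint hashes exactly the bytes that get uploaded. Logging it
// locally at upload time lets the organization later confirm that what the
// immutable store returns is byte-for-byte what was sent.
func Fingerprint(s Sealed) string {
	h := sha256.New()
	h.Write(s.Nonce)
	h.Write(s.Ciphertext)
	return hex.EncodeToString(h.Sum(nil))
}

// Verify compares a retrieved blob against the fingerprint recorded at upload.
func Verify(s Sealed, recorded string) bool {
	return Fingerprint(s) == recorded
}

func main() {
	key, _ := NewKey()
	recordID := []byte("patient-record-0001") // constructed sample label
	ePHI := []byte("constructed sample note: BP 120/80, no known allergies")

	sealed, _ := Seal(key, ePHI, recordID)
	recorded := Fingerprint(sealed) // kept in the organization's own audit log

	// ... upload `sealed` here; later, retrieve it ...
	retrieved := sealed
	fmt.Println("integrity ok:", Verify(retrieved, recorded))
	pt, err := Open(key, retrieved, recordID)
	fmt.Println("decrypted ok:", err == nil && bytes.Equal(pt, ePHI))
}
```

The fingerprint is deliberately taken over the ciphertext rather than the plaintext, so the integrity check can be run by anyone holding the audit log without ever exposing ePHI; the GCM tag separately guarantees that whatever decrypts was produced under the organization's key.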

Questions about HIPAA compliance?

Schedule a conversation with our team to discuss how Clevver fits into your organization's compliance strategy.