HIPAA readiness

Learn how to configure your Fluent workspace for HIPAA workflows and understand HIPAA mode settings.

6 min read Updated February 2, 2026

Fluent can be configured to support HIPAA-regulated workflows for language service providers, healthcare organizations, and interpreters handling protected health information (PHI). This guide explains how to set up your workspace for HIPAA compliance and how to enable HIPAA mode.

Important: If there is a conflict between this documentation and the terms of your Business Associate Agreement (BAA) with Fluent, the BAA controls.

Configuring Fluent for HIPAA

HIPAA’s Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Fluent provides the tools to help you meet these requirements—but proper configuration is your responsibility.

The sections below map Fluent’s features to the relevant HIPAA technical safeguard standards.

Access Control

HIPAA Reference: 45 CFR § 164.312(a)(1)

Access controls ensure that only authorized users can access ePHI. Fluent supports this through:

  • Role-based access control (RBAC): Assign users to roles with least-privilege permissions. Limit access to scheduling, billing, interpreter records, and PHI based on job function.
  • Team management: Organize users into teams with scoped access to specific customers, interpreters, or appointment types.
  • User provisioning and deprovisioning: Add users when they join; remove or deactivate them promptly when they leave. Deprovisioned users lose access immediately.
  • Unique user identification: Every user has a unique account. Shared accounts are prohibited under HIPAA mode.
  • Automatic session timeout: Sessions expire after a configurable period of inactivity. Users must re-authenticate to continue.

Best practice: Review user access quarterly. Remove users who no longer need access and audit role assignments for least-privilege compliance.

Audit Controls

HIPAA Reference: 45 CFR § 164.312(b)

Audit controls record and examine activity in systems containing ePHI. Fluent provides:

  • Comprehensive audit logs: All user actions—logins, record views, edits, exports, and deletions—are logged with timestamps and user IDs.
  • Log retention: Audit logs are retained for at least six years (or longer if required by your BAA or state law).
  • Log access: Workspace administrators can view and export audit logs for compliance reviews or incident investigations.
  • Tamper-evident storage: Logs are stored in append-only, immutable storage to prevent modification or deletion.

Integrity Controls

HIPAA Reference: 45 CFR § 164.312(c)(1)

Integrity controls protect ePHI from improper alteration or destruction. Fluent implements:

  • Input validation: All data submitted to Fluent is validated before storage to prevent corruption or injection attacks.
  • Change tracking: Edits to appointments, interpreter records, and billing entries are versioned. Previous values are retained for audit purposes.
  • Checksums and integrity verification: Stored data is verified against checksums to detect unauthorized changes.

Person/Entity Authentication

HIPAA Reference: 45 CFR § 164.312(d)

Authentication verifies that users are who they claim to be. Fluent supports:

  • Strong password requirements: Passwords must meet minimum length and complexity requirements. Common and compromised passwords are blocked.
  • OAuth 2.0 / OpenID Connect (OIDC) SSO: Integrate with your identity provider (e.g., Okta, Azure AD, Google Workspace) for centralized authentication and access management.
  • Multi-factor authentication (MFA): Require a second factor (authenticator app, SMS code, or hardware key) for all users or specific roles.
  • Session management: Active sessions are tracked. Users can view and revoke sessions from other devices.

Note: MFA is strongly recommended for all users with access to PHI. When HIPAA mode is enabled, MFA can be enforced organization-wide.

Data Retention & Disposal

HIPAA Reference: 45 CFR § 164.310(d)(2)(i)–(ii)

Retention and disposal policies ensure ePHI is kept only as long as needed and securely destroyed afterward. Fluent provides:

  • Configurable retention periods: Set retention periods for appointments, messages, and attachments based on your compliance requirements.
  • Automated purging: Data past its retention period is automatically queued for secure deletion.
  • Secure deletion: Deleted data is overwritten and removed from backups within the timeframe specified in your BAA.
  • Data export: Export your data before deletion if you need to retain it in your own systems.

Transmission Security

HIPAA Reference: 45 CFR § 164.312(e)(1)

Transmission security protects ePHI during electronic transmission. Fluent implements:

  • TLS encryption: All data in transit between your browser/app and Fluent servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All data stored in Fluent is encrypted using AES-256 encryption.
  • Secure APIs: All API endpoints require authentication and use HTTPS exclusively.
  • Email and SMS limitations: Automated notifications (confirmations, reminders) should not include PHI in the message body. Configure notifications to direct users to view details in-app.

Best practice: Avoid including PHI in SMS, email, or push notification bodies. Configure Fluent to send minimal alerts that direct recipients to view full details within the secure app.

Enable HIPAA mode

HIPAA mode is a workspace-level setting that enforces additional security controls required for handling PHI. When enabled, HIPAA mode:

  • Requires MFA for all users (if not already enforced via SSO)
  • Disables shared account creation
  • Enables enhanced audit logging
  • Restricts data export to authorized administrators
  • Applies stricter session timeout policies
  • Disables certain features that are not covered under the BAA

To enable HIPAA mode:

  1. Navigate to Settings → Security → HIPAA Configuration.
  2. Review the HIPAA mode requirements and confirm your workspace meets the prerequisites.
  3. Toggle Enable HIPAA mode to on.
  4. Acknowledge the HIPAA mode terms.
  5. Click Save changes.

Important: Beta features are not covered under the BAA. When HIPAA mode is enabled, beta features are automatically disabled for your workspace.

After enabling HIPAA mode, all users will be prompted to set up MFA on their next login (if not already configured). Users who do not complete MFA setup within 7 days will be locked out until they comply.

Deactivate HIPAA mode

If your organization no longer handles PHI or you need to disable HIPAA mode for another reason, you can deactivate it:

  1. Navigate to Settings → Security → HIPAA Configuration.
  2. Toggle Enable HIPAA mode to off.
  3. Confirm that you understand the security controls will be relaxed.
  4. Click Save changes.

Note: Deactivating HIPAA mode does not delete audit logs or change your data retention settings. However, enforced MFA and other HIPAA-specific controls will be relaxed.

FAQs

Does enabling HIPAA mode make Fluent HIPAA-compliant?

HIPAA mode configures Fluent with the technical safeguards required for handling PHI. However, HIPAA compliance also requires administrative and physical safeguards, workforce training, and a signed BAA. Fluent provides the tools; your organization is responsible for using them correctly.

Do I need a BAA with Fluent to use HIPAA mode?

Yes. If you are a covered entity or business associate handling PHI, you must have a signed Business Associate Agreement with Fluent before enabling HIPAA mode. Contact your account representative to request a BAA.

Can interpreters use the mobile app under HIPAA mode?

Yes. The Fluent mobile app supports HIPAA mode. Interpreters will be required to use MFA and will be subject to the same session timeout and security policies as web users.

What happens to beta features when HIPAA mode is enabled?

Beta features are automatically disabled when HIPAA mode is enabled. Beta features are not covered under the BAA because they have not completed full security review.

Can I include PHI in support requests?

No. Support requests should not include PHI. If you need to reference specific records, use anonymized identifiers or work with your account representative to establish a secure channel.

How do I report a security incident?

If you suspect a security incident involving PHI, contact Fluent immediately at security@fluentworks.com. Include a description of the incident, the approximate time it occurred, and any relevant details (without including PHI in the email).

Questions about HIPAA configuration? Contact your account representative or email support@fluentworks.com.