Tingg Insight HIPAA Compliance Scope and Applicability

Product: Tingg Insight
Platform: Tingg Platform
Version: v1.0
Status: Draft
Owner: Product / Compliance
Last Updated: [Date]


1. Purpose

This document defines the scope and applicability of HIPAA compliance for the Tingg Insight product, which operates as a module within the broader Tingg Platform.

The purpose of this document is to:

  • Clearly establish what is in scope and out of scope for HIPAA
  • Prevent ambiguity during development, testing, and audits
  • Serve as the authoritative boundary document for all HIPAA-related work

This document must be read in conjunction with:

  • HIPAA Compliance BRD
  • HIPAA Compliance Epics & User Stories
  • HIPAA Test & Evidence Plan

2. Regulatory Framework

The following HIPAA regulations are applicable to Tingg Insight within the defined scope:

  • HIPAA Privacy Rule (45 CFR §164.500–534)
  • HIPAA Security Rule (45 CFR §164.302–318)
      ◦ Administrative Safeguards
      ◦ Technical Safeguards
      ◦ Physical Safeguards (limited applicability – see exclusions)

Note: HIPAA has no formal certification scheme. Tingg Insight is designed to be HIPAA-eligible: it provides the controls needed to operate it in a compliant manner, but compliance depends on correct configuration and operational practices by the customer and on a Business Associate Agreement being in place.


3. In-Scope Products & Modules

3.1 In-Scope Product

  • Tingg Insight

Tingg Insight is a survey, assessment, and insights module that may collect, process, store, or analyze data that qualifies as Protected Health Information (PHI) when configured for healthcare-related use cases.


3.2 Out-of-Scope Products

The following Tingg Platform products are explicitly out of HIPAA scope:

  • Tingg Career (ATS / Recruitment)
  • Tingg KM (Knowledge Management)
  • Marketing websites, landing pages, blogs
  • Admin portals that do not display, export, or otherwise process PHI (an admin portal that does is in scope)
  • Experimental or beta modules not explicitly approved

4. In-Scope Features (Tingg Insight)

The following Tingg Insight features are within HIPAA scope when used to handle PHI:

  • Survey and assessment response collection
  • Storage of responses containing PHI
  • Analytics and reporting dashboards derived from PHI
  • User authentication and authorization for PHI access
  • Audit logging related to PHI access and modification
  • Data export features involving PHI (CSV, API, integrations)

Important: Feature inclusion in scope depends on actual usage.
A feature may be in scope for one customer and out of scope for another.


5. Out-of-Scope Features

The following features are explicitly excluded from HIPAA scope:

  • Anonymous surveys with no PHI fields
  • Static content pages (instructions, help text, thank-you pages)
  • UI theming and branding configuration
  • Survey templates without PHI
  • Client-side analytics not tied to identifiable individuals
  • Non-production environments used for demos or marketing, provided they hold no real PHI

6. In-Scope Data (PHI Definition)

For Tingg Insight, Protected Health Information (PHI) includes, but is not limited to:

  • Names, email addresses, phone numbers when linked to health data
  • Medical conditions, symptoms, or diagnoses
  • Treatment-related survey responses
  • Identifiers such as patient IDs or appointment references
  • Any combination of identifiers and health-related information

PHI determination is contextual and depends on:

  • Survey configuration
  • Question types
  • Customer use case

7. Out-of-Scope Data

The following data types are out of HIPAA scope:

  • Fully anonymous responses with no identifiers
  • Aggregated or de-identified analytics (de-identified as defined in 45 CFR §164.514(b), i.e., by Safe Harbor or Expert Determination)
  • System metadata (timestamps, request IDs) unless linked to PHI
  • Platform operational metrics
  • Billing and subscription data
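
The PHI determination described in sections 6 and 7 (identifiers combined with health-related answers are PHI; identifier-free or health-free surveys are not) can be applied mechanically to a survey configuration at design time, so that a survey is flagged as in scope before it collects a single response. The following is an added example, not Tingg Insight code: the Survey/Question schema, the tag names, and the identity_attached flag are assumptions standing in for the real survey builder's data model. It also returns a "review" verdict for a health survey that contains free-text questions, because configuration alone cannot rule out respondents typing identifiers into them.

```python
"""Scope classification for a survey configuration.

Added example, not Tingg code: the Survey/Question schema, the tag names and
the identity_attached flag are assumptions standing in for the real survey
builder's data model. The rules follow sections 5 to 7 of this document:
identifiers combined with health-related answers are PHI; anonymous or
identifier-free surveys are out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    OUT_OF_SCOPE = "out_of_scope"  # no identifiers, or no health data (sections 5 and 7)
    IN_SCOPE = "in_scope"          # identifiers combined with health data (section 6)
    REVIEW = "review"              # configuration alone cannot decide; needs a human


# Assumed field tags the survey builder would attach to questions.
IDENTIFIER_TAGS = {"name", "email", "phone", "patient_id", "appointment_ref"}
HEALTH_TAGS = {"condition", "symptom", "diagnosis", "treatment"}


@dataclass(frozen=True)
class Question:
    qid: str
    qtype: str                        # "text", "choice", "scale" or "free_text"
    tags: frozenset[str] = frozenset()


@dataclass
class Survey:
    name: str
    questions: list[Question] = field(default_factory=list)
    # True when the platform itself attaches respondent identity (login-required
    # survey, pre-filled respondent record), even if no identifier question exists.
    identity_attached: bool = False


def classify(survey: Survey) -> tuple[Scope, list[str]]:
    """Decide the HIPAA scope of one survey and return the reasons for it."""
    identifiers = [q.qid for q in survey.questions if q.tags & IDENTIFIER_TAGS]
    health = [q.qid for q in survey.questions if q.tags & HEALTH_TAGS]
    free_text = [q.qid for q in survey.questions if q.qtype == "free_text"]
    reasons: list[str] = []

    if identifiers:
        reasons.append(f"identifier questions: {identifiers}")
    if survey.identity_attached:
        reasons.append("respondent identity attached by the platform")
    if health:
        reasons.append(f"health questions: {health}")

    if (identifiers or survey.identity_attached) and health:
        return Scope.IN_SCOPE, reasons
    if health and free_text:
        # A health survey with free-text answers may still receive names or
        # record numbers typed by respondents; configuration cannot rule that out.
        reasons.append(f"free-text questions alongside health data: {free_text}")
        return Scope.REVIEW, reasons
    reasons.append("no combination of identifiers and health data")
    return Scope.OUT_OF_SCOPE, reasons


def sample_surveys() -> dict[str, Survey]:
    """Constructed sample configurations used to exercise classify()."""
    return {
        # Anonymous symptom check: health data, no identity -> out of scope
        "anonymous_symptoms": Survey("Anonymous symptom check", [
            Question("q1", "choice", frozenset({"symptom"})),
            Question("q2", "scale"),
        ]),
        # Appointment follow-up: patient ID plus treatment answers -> PHI
        "followup": Survey("Post-visit follow-up", [
            Question("q1", "text", frozenset({"patient_id"})),
            Question("q2", "choice", frozenset({"treatment"})),
        ]),
        # Login-required wellness survey: identity comes from the platform, not a question
        "portal_wellness": Survey("Portal wellness survey", [
            Question("q1", "choice", frozenset({"condition"})),
        ], identity_attached=True),
        # Condition survey with free text: needs review before being called anonymous
        "free_text_health": Survey("Condition experience survey", [
            Question("q1", "choice", frozenset({"diagnosis"})),
            Question("q2", "free_text"),
        ]),
        # Contact form: identifiers but no health data -> not PHI
        "contact": Survey("Newsletter signup", [
            Question("q1", "text", frozenset({"email"})),
        ]),
    }


if __name__ == "__main__":
    for key, survey in sample_surveys().items():
        scope, reasons = classify(survey)
        print(f"{key:18} {scope.value:12} {'; '.join(reasons)}")
```

The identity_attached flag matters because the "combination of identifiers and health-related information" in section 6 does not require an identifier question: a login-required survey links every answer to a known respondent through the platform, so a health survey with no name or email field is still PHI in that configuration.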

8. In-Scope Users & Roles

The following user roles may have access to PHI and are therefore in scope:

  • Customer administrators
  • Authorized internal platform administrators
  • Support personnel with approved PHI access
  • Compliance or audit users

Access to PHI is governed by:

  • Role-based access control (RBAC)
  • Least privilege principles
  • Audit logging

9. Out-of-Scope Users

The following users are not considered in scope:

  • Survey respondents (data subjects; they are not system users with access to PHI)
  • Marketing users
  • Sales users
  • Unauthenticated public users
  • Internal users without PHI access

10. Environment Scope

In-Scope Environments

  • Production environments handling real customer data
  • Disaster recovery and backup systems containing PHI

Out-of-Scope Environments

  • Local development environments
  • Test or staging environments with synthetic data
  • Demo environments
  • Developer sandboxes

Any of the above becomes in scope if it receives real PHI (for example, a production database snapshot restored for debugging) and remains in scope until that data is removed.

11. Shared Responsibility Model

HIPAA compliance for Tingg Insight follows a shared responsibility model.

Tingg (Platform Owner) Responsibilities

  • Application-level security controls
  • Access control mechanisms
  • Audit logging
  • Encryption at rest and in transit
  • Secure software development practices

Customer Responsibilities

  • Correct configuration of surveys
  • Determination of PHI fields
  • User access management
  • Operational policies and procedures
  • Business Associate Agreement (BAA) management, including executing a BAA with Tingg before any PHI is entered

12. Assumptions & Constraints

  • Tingg Insight is HIPAA-eligible, not automatically HIPAA-compliant
  • Compliance depends on customer usage and configuration
  • This scope may evolve based on:
      ◦ New features
      ◦ Regulatory changes
      ◦ Customer requirements

13. Scope Change Management

Any change to this scope must:

  • Be reviewed by Product and Compliance
  • Be documented as a new version
  • Trigger a review of impacted Epics, Stories, and Tests

14. Approval

Role              Name    Date
Product Owner     [TBD]
Compliance Owner  [TBD]
Engineering Lead  [TBD]

Updated by rashmita rout about 5 hours ago · 1 revision