Privacy & Security

Patient privacy and data security are fundamental to Rosetta’s design. This page explains our privacy protections, security measures, and compliance with healthcare regulations.

HIPAA Compliance

Rosetta is designed to meet Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting Protected Health Information (PHI).

Business Associate Agreement (BAA)

For institutional use, Rosetta enters into Business Associate Agreements (BAAs) that:

  • Define responsibilities for PHI protection
  • Specify permitted uses and disclosures
  • Require breach notification procedures
  • Mandate security safeguards
  • Include audit and termination provisions

HIPAA Security Rule Compliance

Rosetta implements the three types of safeguards required by HIPAA:

1. Administrative Safeguards

  • Security Officer: Designated individual responsible for security policies
  • Workforce Training: All personnel trained on HIPAA requirements
  • Access Management: Role-based access controls
  • Incident Response: Procedures for security incidents
  • Risk Assessment: Regular security risk analyses

2. Physical Safeguards

  • Facility Access Controls: Secure data center facilities
  • Workstation Security: Device encryption requirements
  • Device Controls: Mobile device management policies

3. Technical Safeguards

  • Access Controls: Unique user IDs, automatic logoff
  • Audit Controls: Comprehensive logging of system activity
  • Integrity Controls: Protect data from improper alteration
  • Transmission Security: End-to-end encryption

Data Loss Prevention (DLP)

Google Cloud DLP Integration

Rosetta uses the Google Cloud Data Loss Prevention (DLP) API to automatically detect and protect PHI.

What DLP Detects

The system scans for and protects:

Personal Identifiers:

  • Full names (first and last)
  • Social Security Numbers (SSNs)
  • Medical Record Numbers (MRNs)
  • Account numbers
  • Email addresses
  • Phone numbers

Dates:

  • Dates of birth
  • Admission/discharge dates
  • Dates that could identify individuals

Locations:

  • Street addresses
  • Zip codes (where the area has a population under 20,000)
  • Geographic subdivisions

Other Identifiers:

  • IP addresses
  • Device IDs
  • Biometric identifiers
  • License/certificate numbers

How DLP Works

Real-time Protection:

  1. As you type, DLP scans the content client-side
  2. If PHI is detected, a visual warning appears
  3. Before data leaves your device, the PHI is redacted
  4. Only de-identified data is transmitted to the AI system
  5. The user is notified of what was redacted

Example:

Input:

“John Smith, MRN 123456, born 01/15/1960”

DLP Output:

“[PERSON_NAME], MRN [MEDICAL_RECORD_NUMBER], born [DATE]”

User sees:

⚠️ PHI Detected and Protected: Personal identifiers have been removed from this text.

Automatic PHI Redaction

For AI queries, PHI is automatically redacted:

Without Redaction (Unsafe):

“What treatment for Maria Garcia, DOB 3/12/1985, with new diagnosis of Type 2 diabetes?”

With Redaction (Safe):

“What treatment for a patient with new diagnosis of Type 2 diabetes?”

The AI receives no patient-identifying information while still providing useful clinical guidance.
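The detect, redact and notify flow in "How DLP Works" and the query redaction just above, as an added example that is not Rosetta's or Google Cloud DLP's code: a small client-side redactor in JavaScript. The regex detectors, the infoType names, the summary and the re-scan gate are constructed stand-ins (assumptions), the name detector is only a heuristic, and this version replaces identifiers with typed placeholders in queries too rather than rewriting them to "a patient".

```javascript
// Added example: a minimal client-side PHI redactor in the spirit of the
// DLP flow described above. The infoType names mirror the placeholders on
// this page; the regex detectors are constructed stand-ins, not Google
// Cloud DLP's real detectors (which use context-aware models).
const DETECTORS = [
  // Structured identifiers first, so the "MRN" label survives and only the
  // number itself is replaced.
  { infoType: "MEDICAL_RECORD_NUMBER", re: /(?<=\bMRN\s*#?\s*)\d{5,10}\b/gi },
  { infoType: "US_SOCIAL_SECURITY_NUMBER", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { infoType: "DATE", re: /\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/g },
  { infoType: "EMAIL_ADDRESS", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { infoType: "PHONE_NUMBER", re: /(?:\(\d{3}\)|\b\d{3})[-.\s]?\d{3}[-.\s]?\d{4}\b/g },
  // Heuristic name detector (two adjacent capitalized words). It both misses
  // and over-matches names; a real deployment must not rely on it alone.
  { infoType: "PERSON_NAME", re: /\b[A-Z][a-z]+ [A-Z][a-z]+\b/g },
];

// Replace each detected value with its typed placeholder and record what was
// removed, so the user can be told which kinds of PHI were redacted.
function redactPhi(text) {
  const findings = [];
  let out = text;
  for (const { infoType, re } of DETECTORS) {
    out = out.replace(re, (match) => {
      findings.push({ infoType, quote: match });
      return `[${infoType}]`;
    });
  }
  return { text: out, findings };
}

// Count findings per infoType for the on-screen warning.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.infoType] = (acc[f.infoType] || 0) + 1;
    return acc;
  }, {});
}

// Gate run before anything leaves the device: redact, then re-scan the result
// and refuse to transmit if any detector still fires (defense in depth).
function prepareForTransmission(text) {
  const { text: redacted, findings } = redactPhi(text);
  if (redactPhi(redacted).findings.length > 0) {
    throw new Error("PHI survived redaction; refusing to transmit");
  }
  const notice = findings.length
    ? "PHI Detected and Protected: Personal identifiers have been removed from this text."
    : null;
  return { payload: redacted, notice, removed: summarize(findings) };
}
```

Only `payload` should ever reach the AI backend; `notice` and `removed` are for the user-facing warning.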

Data Encryption

In Transit

All data transmitted between your device and Rosetta servers:

  • TLS 1.3: Modern encryption protocol
  • Perfect Forward Secrecy: Each session has unique keys
  • Certificate Pinning: Prevents man-in-the-middle attacks

At Rest

All stored data is encrypted:

  • AES-256 Encryption: Industry-standard encryption
  • Key Management: Secure key storage using cloud KMS
  • Encrypted Backups: All backups encrypted
  • Database Encryption: Transparent data encryption (TDE)

Access Controls

Authentication

Multi-Factor Authentication (MFA):

  • Required for all users
  • Options: SMS, authenticator app, hardware key
  • Backup codes for account recovery

Password Requirements:

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Cannot reuse last 12 passwords
  • Expires every 90 days (configurable)

Authorization

Role-Based Access Control (RBAC):

Role         Permissions
Viewer       Read-only access to shared documents
Editor       Create and edit own documents
Admin        Manage users, templates, settings
Super Admin  Full system access, security settings

Principle of Least Privilege:

  • Users granted minimum necessary access
  • Regular access reviews
  • Automatic deprovisioning of inactive accounts

Session Management

  • Session Timeout: 30 minutes of inactivity (configurable)
  • Concurrent Session Limits: Prevent credential sharing
  • Device Management: Track and manage authorized devices
  • Remote Logout: Administrators can terminate sessions

Audit Logging

Comprehensive Activity Logs

All system activity is logged:

User Actions:

  • Login/logout events
  • Document creation, modification, deletion
  • Template usage
  • AI query submissions
  • Export operations
  • Access to sensitive features

System Events:

  • Failed authentication attempts
  • Permission changes
  • Configuration modifications
  • Backup operations
  • Security incidents

Audit Log Properties

  • Immutable: Cannot be altered or deleted
  • Timestamped: Precise time of each event
  • User Attribution: Linked to specific user accounts
  • Retained: Stored for minimum 6 years (configurable)
  • Searchable: Query logs for investigations

Audit Reports

Available audit reports:

  • Access Report: Who accessed what, when
  • Modification Report: Document edit history
  • Export Report: What data was exported
  • Failed Login Report: Potential security threats
  • PHI Detection Report: DLP system activity

Data Retention and Deletion

Retention Policies

Active Documents:

  • Retained as long as account is active
  • Accessible immediately
  • Backed up daily

Deleted Documents:

  • Moved to “Trash” for 30 days
  • Recoverable during trash period
  • Permanently deleted after 30 days

Backups:

  • Daily incremental backups
  • Weekly full backups
  • Retained for 90 days
  • Encrypted and geographically distributed

Right to Deletion

Users can request complete data deletion:

  1. Request Submitted: Via account settings or email
  2. Verification: Identity confirmation required
  3. Deletion Process: All data removed within 30 days
  4. Confirmation: Certificate of destruction provided
  5. Backups: Removed from backup cycles (purged within 90 days)

Data Portability

Export your data in standard formats:

  • Documents: PDF, DOCX, HTML, plain text
  • Metadata: JSON format
  • Activity Logs: CSV export (own activity only)

Breach Notification

Incident Response Plan

In the event of a security incident:

Phase 1: Detection & Containment (0-1 hour)

  • Detect and verify incident
  • Contain to prevent further exposure
  • Preserve evidence for investigation

Phase 2: Assessment (1-24 hours)

  • Determine scope of breach
  • Identify affected data and users
  • Assess risk to individuals

Phase 3: Notification (24-72 hours)

  • Notify affected individuals
  • Report to covered entities (BAA partners)
  • Report to HHS if required (500+ individuals)
  • Notify media if required (states with >500 residents affected)

Phase 4: Remediation

  • Implement fixes to prevent recurrence
  • Enhance security measures
  • Document lessons learned

User Notification

Affected users receive:

  • Email Notification: Details of incident
  • Affected Data: What information was exposed
  • Actions Taken: Steps to mitigate harm
  • Recommendations: What users should do
  • Support: Contact information for assistance

Privacy by Design

Minimal Data Collection

Rosetta collects only necessary data:

Required Information:

  • Name and email (authentication)
  • Role/specialty (relevant suggestions)
  • Usage data (improve service)

Not Collected:

  • Patient information (unless you enter it)
  • Unnecessary personal data
  • Third-party analytics without consent

De-identification

Documents can be de-identified for:

  • Research purposes
  • Quality improvement
  • Training and education
  • System development

De-identification Process:

  1. Remove all 18 HIPAA identifiers
  2. Statistical assessment of re-identification risk
  3. Expert determination (if required)
  4. Documentation of method used

Data Segregation

  • Tenant Isolation: Each organization’s data isolated
  • No Cross-Organization Access: Data never shared between organizations
  • Separate Encryption Keys: Unique keys per organization

Compliance Certifications

Current Certifications

Rosetta maintains:

  • HIPAA Compliance: Regular assessments and audits
  • SOC 2 Type II: Independent security audit (in progress)
  • HITRUST: Healthcare security framework (planned)

Regular Assessments

  • Penetration Testing: Annual third-party testing
  • Vulnerability Scanning: Weekly automated scans
  • Security Audits: Quarterly internal reviews
  • Risk Assessments: Annual comprehensive assessment

User Responsibilities

While Rosetta provides robust security, users must also:

Do:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Lock your workstation when away
  • Log out of shared computers
  • Report suspicious activity immediately
  • Keep software and browsers updated
  • Review access logs periodically

Don’t:

  • Share your login credentials
  • Use public Wi-Fi without VPN
  • Save passwords in browsers on shared computers
  • Take screenshots of PHI
  • Email or text login credentials
  • Leave devices unattended while logged in
  • Ignore security warnings

Frequently Asked Questions

Is Rosetta HIPAA compliant?

Yes. Rosetta is designed to meet HIPAA Security and Privacy Rule requirements and will enter into Business Associate Agreements for institutional use.

Where is my data stored?

Data is stored in HIPAA-compliant cloud infrastructure in the United States with encrypted backups in multiple geographic regions for redundancy.

Can Rosetta employees see my documents?

No. Documents are encrypted, and Rosetta employees do not have access to user content except:

  • With explicit written consent for support purposes
  • As required by law enforcement with valid legal process
  • For security incident investigation (de-identified when possible)

What happens if I forget my password?

Use the password reset feature. For security, Rosetta cannot retrieve your password—we can only help you create a new one.

How do I report a security concern?

Email philip@philipshih.org or use the “Report Security Issue” link in the app. All reports are taken seriously and investigated promptly.

Can I use Rosetta on my personal device?

Consult your institution’s policies. If permitted:

  • Ensure device is password-protected
  • Keep operating system updated
  • Use Rosetta’s automatic logout feature
  • Don’t save documents locally

Questions about privacy or security? Contact: philip.shih@ucsf.edu
