Security & compliance

Security and compliance at UNMIRI

UNMIRI handles clinical genomic data with the care that context requires. This page describes our compliance posture, subprocessors, data handling, and security practices. For detailed security questionnaires, contact security@unmiri.com.

Last updated: April 21, 2026
Questions: security@unmiri.com

Compliance at a glance

  • HIPAA readiness: Active
    Operating as a Business Associate; BAA executed with covered entities before PHI flows.

  • Subprocessor BAAs: Active
    Vercel, AWS, Anthropic — BAAs in place across the PHI path.

  • Narrow LLM use: In place
    Anthropic API used only for extraction edge cases and long-tail variant fallback; never for clinical reasoning.

  • Deterministic output rendering: In place
    The 2-page cheat sheet is rendered by templates, not generated by an LLM.

  • Data residency: US-only
    All PHI-touching infrastructure pinned to US regions.

  • Encryption: In place
    AES-256 at rest · TLS 1.3 in transit · AWS KMS.

  • Access controls: In place
    Role-based access, MFA enforced, principle of least privilege.

  • Audit logging: In place
    Immutable append-only logs; 7-year retention aligned to HIPAA Breach Notification Rule.

  • SOC-2 Type II: Roadmap
    Audit on roadmap. Type I target Q4 2026; Type II target Q2 2027.

  • Vulnerability management: In place
    Automated dependency scanning on every commit · annual penetration testing.

  • Incident response: In place
    Documented process covering detection, containment, recovery, and HIPAA breach notification.

This summary is not a substitute for executed agreements. For the signed BAA, full data-flow diagram, and complete subprocessor list, request the security package via security@unmiri.com.

HIPAA posture

UNMIRI operates as a Business Associate under HIPAA when engaged by covered entities, including diagnostic laboratories. Before any Protected Health Information flows through UNMIRI's systems, UNMIRI executes a Business Associate Agreement with the covered entity. The BAA governs UNMIRI's use of PHI and establishes breach notification, subcontractor, and data handling obligations.

UNMIRI is HIPAA-ready: the technical infrastructure, subprocessor contracts, and internal policies and procedures required to support a covered entity's HIPAA compliance are in place. HIPAA is not a certification; no entity is “HIPAA-certified.” UNMIRI does not make that claim.

Technical safeguards

  • Encryption at rest: AES-256 across every storage system that could hold PHI.
  • Encryption in transit: TLS 1.3 on every external edge and on internal service-to-service traffic.
  • Access controls: role-based access with multi-factor authentication enforced on every production account.
  • Audit logging: every PHI access and modification logged to an immutable audit trail.
  • Breach notification: within the 60-day window required by HIPAA, following UNMIRI's Breach Notification procedure.
  • HIPAA Security Risk Analysis: completed and maintained annually.
  • HIPAA Policies and Procedures: documented and available to covered entities under NDA on request.

Subprocessors

UNMIRI maintains a current subprocessor list. BAAs are in place with every subprocessor that could touch PHI. A live, independently maintained list is published at /security/subprocessors.

Subprocessor | Purpose | BAA
Vercel | Application hosting and edge delivery | Yes
AWS RDS Postgres | Primary relational store for structured clinical data, variants, and audit logs | Yes (AWS BAA)
AWS S3 (encrypted) | Primary encrypted document storage — SSE-KMS, access-logged, versioned | Yes (AWS BAA)
AWS Textract | PDF extraction for incoming NGS reports | Yes (AWS BAA)
AWS S3 (transient) | Transient Textract input bucket — auto-deleted by lifecycle rule after extraction completes | Yes (AWS BAA)
Anthropic | LLM API (narrow use: extraction edge cases + long-tail variant fallback) | Yes (HIPAA-ready API)

The canonical subprocessor list is maintained at /security/subprocessors and updated within 10 business days of any material change. Covered-entity customers receive email notification of material changes.

Data handling

When a lab sends an NGS report to UNMIRI for processing, the following occurs:

  1. The report is received over an encrypted channel and stored in UNMIRI's HIPAA-covered storage environment.
  2. Extraction converts the PDF to structured variant data. De-identified variant data is used for downstream processing; direct PHI identifiers (patient name, MRN, DOB) are stripped before graph queries or LLM calls.
  3. The structured variant data is queried against UNMIRI's knowledge graph — built on OncoKB, ClinVar, ClinicalTrials.gov, and openFDA drug labels — to retrieve matched drugs, evidence levels, and clinical trials. No PHI is included in graph queries.
  4. The 2-page cheat sheet is rendered by deterministic templates, not by an LLM. PHI identifiers are re-attached at the rendering step to produce the final deliverable.
  5. The cheat sheet is delivered to the lab over an encrypted channel.
  6. The original report and the cheat sheet are retained per the BAA (default: 30 days, unless lab policy requires a shorter retention window).
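The split-and-rejoin pattern in steps 2 to 4 (strip direct identifiers before any graph or LLM call, re-attach them only inside the deterministic renderer) is shown below as an added illustration; it is not UNMIRI's code. The report field names, the opaque case token, the stub knowledge-graph lookup and its drug table are all constructed for the example.

```python
# Added illustration of the de-identify / re-attach flow; not UNMIRI's code.
# Report layout, field names and the stub graph lookup are constructed here.
import secrets
from typing import Any

# Direct identifiers named on the page; they must never cross the PHI boundary.
PHI_FIELDS = ("patient_name", "mrn", "dob")

def split_phi(report: dict[str, Any]) -> tuple[str, dict, dict]:
    """Separate identifiers from variant data; return (token, phi, payload)."""
    token = secrets.token_hex(8)            # opaque join key, not derived from PHI
    phi = {k: report[k] for k in PHI_FIELDS if k in report}
    payload = {k: v for k, v in report.items() if k not in PHI_FIELDS}
    payload["case_token"] = token
    return token, phi, payload

def assert_deidentified(payload: dict[str, Any]) -> None:
    """Boundary guard: refuse to send a payload that still carries identifiers."""
    leaked = [k for k in PHI_FIELDS if k in payload]
    if leaked:
        raise ValueError(f"PHI fields present in outbound payload: {leaked}")

def query_graph(payload: dict[str, Any]) -> list[dict]:
    """Stub for the OncoKB/ClinVar graph lookup; the match table is constructed."""
    assert_deidentified(payload)             # runs before anything leaves the boundary
    table = {"EGFR L858R": {"drug": "osimertinib", "level": "1"}}
    return [dict(variant=v, **table[v]) for v in payload["variants"] if v in table]

def render_sheet(phi: dict, matches: list[dict]) -> str:
    """Deterministic template: PHI is re-attached only here, after the graph step."""
    lines = [f"Patient: {phi['patient_name']}  MRN: {phi['mrn']}  DOB: {phi['dob']}"]
    lines += [f"{m['variant']}: {m['drug']} (level {m['level']})" for m in matches]
    return "\n".join(lines)

def process_report(report: dict[str, Any]) -> tuple[str, dict]:
    """Full pipeline; returns the rendered sheet and the payload that left the boundary."""
    _token, phi, payload = split_phi(report)
    matches = query_graph(payload)
    return render_sheet(phi, matches), payload

# Constructed sample input, not real patient data.
SAMPLE_REPORT = {"patient_name": "Jane Doe", "mrn": "MRN-0001", "dob": "1970-01-01",
                 "variants": ["EGFR L858R", "TP53 R175H"]}
```

The guard in query_graph is the part worth keeping in a real system: it turns a PHI leak into a hard failure at the boundary rather than a silent policy violation.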

LLM interactions

UNMIRI uses LLMs narrowly — for extraction edge cases and long-tail variant lookups. When an LLM is invoked, the prompt contains only de-identified variant data, never patient identifiers. UNMIRI uses Anthropic's HIPAA-ready API tier with a signed BAA. Anthropic does not train on UNMIRI's customer inputs or outputs on that tier.

The 2-page clinical output is not generated by an LLM. It is rendered by deterministic templates from structured data produced by the knowledge graph. This architectural minimization of LLM involvement in the clinical path is covered in depth in Building a HIPAA-Ready Architecture for Clinical Decision Support.

Data residency

All PHI processing and storage occurs in US regions of UNMIRI's cloud providers. No PHI is processed or stored outside the United States. International data residency (EU, UK, APAC) is not currently supported; UNMIRI does not onboard labs outside the United States.

SOC-2 and other frameworks

SOC-2

SOC-2 Type II is on UNMIRI's roadmap. Type I is targeted for completion in Q4 2026; Type II in Q2 2027. UNMIRI uses a continuous control monitoring solution to drive audit readiness.

Other frameworks

UNMIRI is aware of HITRUST, ISO 27001, and NIST 800-53. These are not currently maintained. For labs that require them, scope and prioritization are negotiated based on contract value and timeline.

Vulnerability management and incident response

Vulnerabilities

UNMIRI runs automated dependency scanning on every commit. Critical vulnerabilities are patched within 7 days; high within 14 days. UNMIRI performs annual penetration testing.

Incident response

UNMIRI maintains a documented Incident Response Plan covering detection, containment, eradication, recovery, and post-incident review. Suspected security incidents can be reported to security@unmiri.com; UNMIRI responds within 24 hours.

Documentation available on request

For covered entities and their compliance teams, the following documents are available under NDA:

  • HIPAA Policies and Procedures
  • Security Risk Analysis summary
  • Subprocessor list with BAA status
  • Vulnerability scanning reports (redacted)
  • Penetration test summary
  • Business Continuity and Disaster Recovery Plan
  • Employee training records (HIPAA + security awareness)

To request: email compliance@unmiri.com with your role, organization, and the specific documents needed.

Reporting security issues

If you believe you have identified a security vulnerability in UNMIRI's systems, please email security@unmiri.com. UNMIRI acknowledges reports within 48 hours and provides a status update within 7 days. UNMIRI is working toward a formal bug bounty program; in the interim, UNMIRI recognizes researchers publicly (with permission) for material disclosures.

Contact

This page describes the security and compliance posture of UNMIRI LLC as of April 21, 2026. It is not a contract and does not create legal obligations except where explicitly referenced in an executed Business Associate Agreement or Master Services Agreement between UNMIRI LLC and the customer.

Questions, corrections, or clarifications: security@unmiri.com.