
HIPAA, medical records, and CJIS in TRULEO

TRULEO is built for law enforcement workflows and maintains CJIS-compliant security controls. Agencies sometimes ask how medical records and HIPAA relate to criminal justice data handled in TRULEO.

See "CJIS-Compliant Data Security" for TRULEO's security architecture.

Is TRULEO a HIPAA-covered system?

TRULEO is designed for criminal justice and law enforcement use, not as a healthcare provider's HIPAA-covered system of record. TRULEO does not enter into Business Associate Agreements (BAAs) as a healthcare data processor.

Agencies should treat medical records uploaded to TRULEO the same way they treat any sensitive case material — following department policy, CJIS requirements, and applicable state and federal rules for criminal justice information.

How should I handle medical records in cases?

Medical records (hospital reports, EMS run sheets, toxicology results, etc.) sometimes belong in an investigation. When uploading them:

  1. Upload medical records only when relevant to the case and authorized by your agency's policy.
  2. Apply the same access controls you use for other sensitive case files — limit sharing and use appropriate case permissions in Analyst.
  3. Do not upload medical records unrelated to an active investigation or outside your authorized scope.
  4. Follow your department's redaction and disclosure policies before sharing generated reports externally.

TRULEO can process medical record files as case evidence in Analyst when they are uploaded as supported document types (PDF, DOCX, etc.) — the same as any other case file.

How is this different from CJIS documents?

CJIS (Criminal Justice Information Services) covers criminal justice information handled by law enforcement agencies — incident reports, RMS records, BWC footage, and similar materials governed by FBI CJIS Security Policy.

HIPAA covers protected health information (PHI) held by covered entities and their business associates — hospitals, clinics, health insurers, and similar organizations.

Medical records in a criminal investigation may contain PHI. Your agency is responsible for ensuring that uploading, storing, and sharing those records in TRULEO complies with:

  • CJIS Security Policy requirements for your agency
  • Your department's policies on sensitive and medical information
  • Any applicable HIPAA rules on how PHI may be used or disclosed in a law enforcement context

TRULEO cannot provide legal advice on your agency's HIPAA obligations.

Data security regardless of content type

All files uploaded to TRULEO — including medical records — are protected by the same platform security controls:

  • Encryption in transit and at rest
  • AWS GovCloud hosting
  • CJIS-compliant infrastructure and policies
  • Role-based access controls managed by your agency administrator

See "CJIS-Compliant Data Security" and "How does TRULEO ensure security?" for more detail.

TruAssist and medical information

TruAssist follows a zero data retention policy for conversational queries — wellness and policy questions are not stored or used to train AI models. This is separate from case files you deliberately upload to Analyst, which remain in your case until you delete them.

Do not paste unredacted medical record contents into TruAssist chat unless your agency policy permits it.

Questions?

Contact your agency's TRULEO administrator for department-specific guidance on handling medical records. For platform security questions, contact support@truleo.co.

Best practices

  • Treat medical records as highly sensitive case material with restricted sharing.
  • Follow your department's redaction policy before exporting or sharing AI-generated reports.
  • Consult your agency's legal or compliance office for HIPAA questions specific to your jurisdiction.
  • Prefer uploading final PDF reports rather than raw EMR exports when possible.