Security, Privacy, and Compliance
Your data is protected by a modern, HIPAA-ready infrastructure built for developers.
We treat every piece of PHI with the same level of rigor as a clinical system—while making security simple, transparent, and self-serve for engineering teams.
Security Commitment
Protecting patient health information is our highest operational priority. Our platform is designed from the ground up with encryption, auditability, isolation, and compliance controls that meet or exceed healthcare industry best practices.
Compliance Standards
Data Encryption
Data In Transit
All data is encrypted using TLS 1.2+ with modern cipher suites.
Data At Rest
All PHI and system data is encrypted using AES-256. Individual customer data is stored in logically isolated containers.
Key Management
Keys are managed using cloud-native KMS with automatic rotation. No personnel have direct access to raw encryption keys.
Access Controls
Least Privilege Policy
Internal access follows the principle of least privilege and is continuously reviewed.
Multi-Factor Authentication
All internal administrative interfaces require MFA.
Role-Based Access
Roles apply to both internal staff and customer accounts to minimize risk.
Just-In-Time Access
Temporary elevated access is granted only through audited workflows and expires automatically.
Audit Logging & Monitoring
End-to-End Audit Trails
All access to PHI—both internal and through customer APIs—is logged with timestamps, actor identity, and context.
Anomaly Detection
We use automated systems to detect anomalous activity, high-volume downloads, or suspicious request patterns.
Real-Time Alerts
Critical events trigger immediate alerts to our security operations team.
Data Handling Practices
No Human Access to PHI
Human access to raw patient data is prohibited except during customer-authorized support investigations under strict controls.
Secure Data Deletion
Customers can request deletion of PHI. All deletions are performed using NIST-compliant methods.
Full Data Export
Customers may export their data via API at any time without additional fees.
Business Associate Agreements
Standard BAA Included
All paid accounts (Starter and above) include our standard BAA. You can review and sign it during onboarding.
No Negotiation Needed: We provide a standard, attorney-reviewed BAA so you don't have to wait for custom legal negotiations to begin integrating.
Incident Response
Industry-Standard IR Plan
We maintain a documented Incident Response Plan that meets HIPAA and SOC 2 expectations.
24/7 Monitoring
Security and availability systems are continuously monitored.
Customer Notification
If any incident impacting your data occurs, we follow HIPAA breach notification rules.
Vendor & Subprocessor Security
- Restricted Vendor List: We only use vendors who meet strict security requirements and sign BAAs or DPAs as appropriate.
- Annual Security Review: All subprocessors undergo annual review for compliance posture and security controls.
- Published Subprocessor List: You can view our always-up-to-date list of subprocessors.
Your Responsibilities
To maintain security, customers must:
- Store and use API keys securely
- Configure access based on roles
- Implement secure application practices
- Follow their own obligations under HIPAA (if applicable)
We provide guidance and best practices as part of onboarding.
Contact Security Team
If you have a security concern, vulnerability report, or compliance question, contact:
security@accesshealthdata.com
We respond within one business day.