Security & compliance

One BAA. One audit scope.
No shared infrastructure.

Every TeleClinicOS deployment ships with HIPAA controls pre-configured. Your BAA is countersigned within 24 hours. Audit logs are immutable, tamper-evident, and available to your compliance team on demand.

HIPAA coveredSOC 2 Type II in progressHITRUST CSF alignedBAA ready in 24 hrs

Compliance matrix

What's covered, out of the box

Control	HIPAA	SOC 2	HITRUST
BAA execution (§164.308)	✓	✓	✓
PHI encryption at rest (AES-256)	✓	✓	✓
PHI encryption in transit (TLS 1.3)	✓	✓	✓
Unique user identification & access controls	✓	✓	✓
Automatic session timeout (15 min idle)	✓	✓	✓
Audit log — all PHI access events	✓	✓	✓
Emergency access procedure	✓	—	✓
Integrity controls (hash verification)	✓	✓	✓
Risk analysis documentation	✓	✓	✓
Workforce training records	✓	✓	✓
Disaster recovery + PITR backups	✓	✓	✓
Third-party pen test (annual)	—	✓	✓
Breach notification (72 hr) §164.404	✓	—	✓
Data retention + disposal policy	✓	✓	✓

Encryption

PHI encryption — at rest and in transit

At rest — AES-256-GCM

AlgorithmAES-256-GCM

Key managementAWS KMS (per-clinic CMK)

Key rotationAutomatic, 90-day cycle

Field-level encryptionSSN, DOB, diagnosis codes

StorageRDS + S3 — both encrypted

In transit — TLS 1.3

ProtocolTLS 1.3 (TLS 1.2 minimum)

Cipher suitesECDHE-ECDSA-AES256-GCM-SHA384

CertificateLet's Encrypt (auto-renewed)

HSTSmax-age=31536000; preload

Perfect forward secrecyEnabled (ECDHE)

Access control & identity

Who can touch PHI — and how

Single sign-on (SAML 2.0)

✓Okta, Azure AD, Google Workspace
✓Just-in-time (JIT) user provisioning
✓SCIM group sync for role assignment
✓SSO enforcement — no password bypass

Multi-factor authentication

✓TOTP (Google Authenticator, Authy)
✓WebAuthn / FIDO2 (hardware keys)
✓MFA required for all PHI access
✓MFA bypass requires admin approval + audit entry

Session & device controls

✓15-minute idle timeout (configurable)
✓IP allowlisting (CIDR ranges)
✓Device trust — MDM certificate verification
✓Concurrent session limit (configurable)

Role-based access control

✓Provider — full PHI + note signing
✓Biller — claims only, no clinical notes
✓Scheduler — calendar only
✓Admin — config only, no PHI
✓Audit-only — read-only logs

Audit logging

Every PHI access event — immutable

Every read, write, and delete on a PHI record produces an append-only audit log entry. Logs are shipped to a separate, write-once S3 bucket — your application cannot modify or delete them.

audit-log-sample.jsonlappend-only

{
  "ts": "2026-04-15T10:47:22.814Z",
  "event": "phi.read",
  "resource": "DocumentReference/doc-r9s0t1u2v3w4",
  "actor": {
    "id": "prac-l3m4n5o6p7q8",
    "name": "Dr. Sarah Kim",
    "role": "provider",
    "ip": "203.0.113.42",
    "session": "sess-z1x2y3w4"
  },
  "patient": "pat-00a1b2c3d4e5",
  "clinic": "harbor-psychiatry-sf",
  "outcome": "success",
  "sig": "sha256:a3f8c2d1e4b7..."
}

Business Associate Agreement (BAA)

Your BAA is countersigned within 24 hours of a signed order. The BAA covers TeleClinicOS core, AI Scribe (including the Azure OpenAI endpoint), video (Twilio), and all storage.

Turnaround≤ 24 hours

CoverageAll services under one BAA

Sub-processorsDisclosed, BAA chain verified

TermCoterminous with MSA

Incident response & breach notification

Our IRP follows NIST SP 800-61r2. HIPAA §164.404 requires notification within 60 days — we target 72 hours for any likely breach affecting your clinic.

Detection SLA≤ 4 hours (Datadog alerts)

Containment SLA≤ 1 hour for critical

Notification target72 hours (vs 60-day HIPAA min)

Tabletop exercisesQuarterly

Penetration testing

Annual third-party assessment

We commission an independent penetration test against our shared infrastructure annually, and against each new clinic VPC configuration before go-live. Findings are remediated before production deployment.

Q1 2026

Last external pen test

0 open

Findings — critical