Security
HIPAA technical safeguards, implemented with restraint.
This page exists for privacy officers and practice administrators who want the security posture in plain language instead of a long vendor questionnaire.
Encryption
Database storage, object storage, and application traffic are encrypted at rest and in transit. HTTP is redirected to HTTPS.
Access controls
Unique user IDs, role-based access, session timeout controls, and least-privilege infrastructure access are part of the operating baseline.
Audit controls
Task actions, authentication events, admin changes, and relevant exports are recorded in immutable audit history for review and evidence.
Infrastructure
Cloudflare edge protections, encrypted Neon Postgres, automated backups, and no third-party JavaScript in authenticated routes reduce operational risk.
HIPAA mapping
Technical safeguards at a glance.
| HIPAA requirement | Implementation |
|---|---|
| §164.312(a)(1) Access control | Role-based access, unique user IDs, MFA available |
| §164.312(a)(2)(i) Unique user identification | Required; shared accounts not permitted |
| §164.312(a)(2)(iii) Automatic logoff | Configurable session timeout |
| §164.312(a)(2)(iv) Encryption/decryption | AES-256 at rest and TLS 1.2+ in transit |
| §164.312(b) Audit controls | Immutable append-only audit log |
| §164.312(c)(1) Integrity | Database constraints, logging, and infrastructure controls |
| §164.312(d) Person authentication | Password authentication with MFA available |
| §164.312(e)(1) Transmission security | TLS enforced and HTTP redirected |
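The "immutable append-only audit log" named under Audit controls and in the §164.312(b) row is the control a reviewer will most want evidence for. The following is an added illustration, not PhiGuard's code, of one common way to make an append-only history tamper-evident: each entry carries the SHA-256 of the previous entry, so editing, deleting, or reordering earlier records breaks the chain and is caught on verification. The event names, field layout, and sample events are constructed for this example and are assumptions, not the product's schema.

```python
"""Added example: a hash-chained, append-only audit log with tamper detection.
Not PhiGuard's code; field names and sample events below are constructed."""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the very first entry


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, ts: str, actor: str, event: str,
               detail: dict, prev_hash: str) -> str:
    """SHA-256 over the entry's own fields plus the previous entry's hash."""
    body = {"seq": seq, "ts": ts, "actor": actor, "event": event,
            "detail": detail, "prev_hash": prev_hash}
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment persists to append-only storage."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, ts: str, actor: str, event: str, detail: dict) -> dict:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        seq = len(self._entries) + 1
        entry = {"seq": seq, "ts": ts, "actor": actor, "event": event,
                 "detail": copy.deepcopy(detail), "prev_hash": prev_hash}
        entry["hash"] = entry_hash(seq, ts, actor, event, entry["detail"], prev_hash)
        self._entries.append(entry)
        return copy.deepcopy(entry)

    def entries(self) -> list[dict]:
        # Hand out copies only: readers can inspect history but never mutate the log's records.
        return copy.deepcopy(self._entries)


def verify_chain(entries: list[dict]) -> tuple[bool, int | None]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        expected = entry_hash(e["seq"], e["ts"], e["actor"], e["event"], e["detail"], prev_hash)
        if e["seq"] != i + 1 or e["prev_hash"] != prev_hash or e["hash"] != expected:
            return False, i
        prev_hash = e["hash"]
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events covering the page's categories: auth, task, admin, export."""
    log = AuditLog()
    log.append("2024-01-15T09:00:00Z", "user:alice", "auth.login", {"mfa": True})
    log.append("2024-01-15T09:05:12Z", "user:alice", "task.complete", {"task_id": "t-1001"})
    log.append("2024-01-15T10:30:00Z", "admin:bob", "admin.role_change",
               {"target": "user:carol", "role": "auditor"})
    log.append("2024-01-15T11:00:00Z", "user:carol", "export.create", {"rows": 42})
    return log


def tamper_detection_demo() -> dict:
    """Intact history verifies; an in-place edit or a dropped entry fails at the first bad index."""
    log = build_sample_log()
    intact = verify_chain(log.entries())
    edited = log.entries()
    edited[1]["detail"]["task_id"] = "t-9999"          # rewrite one past record
    deleted = [e for e in log.entries() if e["seq"] != 2]  # remove one past record
    return {"intact": intact, "edited": verify_chain(edited), "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(tamper_detection_demo())
```

The chain proves integrity of what was recorded, not that the writer was honest; pairing it with database constraints that forbid UPDATE and DELETE on the audit table, and periodically anchoring the latest hash somewhere the application cannot write, is what turns "append-only" into evidence a reviewer can check independently.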
Operational assurance
Questions about our security posture?
Contact security@phiguard.app and we will respond to security inquiries within one business day.