CaseMgmt
HIPAA Compliant

Security & HIPAA Compliance

Protecting patient data is not just a feature — it's the foundation of everything we build. CaseMgmt is designed from the ground up to meet HIPAA requirements and industry security standards.

🏥
HIPAA
Compliant
🔐
256-bit
AES Encryption
☁️
AWS
BAA Signed
📋
Audit
Full Logging
🔒
TLS 1.2+
In Transit

Enterprise-grade security

Every layer of CaseMgmt is built with security in mind.

🔐

Encryption Everywhere

  • 256-bit AES encryption for all data at rest
  • TLS 1.2+ for all data in transit
  • Encrypted database connections
  • Secure password hashing with bcrypt
🛡️

Access Controls

  • Role-based access control (RBAC) with 5 roles plus per-user permission overrides
  • Multi-tenant data isolation — companies never see each other's data
  • Single-session enforcement — prevents concurrent login abuse
  • Automatic session timeout after 30 minutes of inactivity, with an 8-hour maximum session
📋

Audit & Monitoring

  • Audit logging of key user actions, including all PHI access
  • Login attempt tracking with IP and device capture
  • Data access logs for compliance reporting
  • Security event logging and periodic review
☁️

Infrastructure Security

  • Hosted on Amazon Web Services (AWS)
  • AWS BAA (Business Associate Agreement) in place
  • Isolated VPC networking
  • Automated backups with point-in-time recovery
🔒

Application Security

  • Content Security Policy (CSP) headers
  • CSRF and XSS protection
  • SQL injection prevention via parameterized queries
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
📞

Secure Communications

  • HIPAA-compliant video calls via Amazon Chime SDK
  • Encrypted call recordings
  • Secure patient join links with unique tokens
  • AI transcription processed on HIPAA-eligible services

HIPAA Safeguards

CaseMgmt implements all three categories of HIPAA safeguards to protect electronic Protected Health Information (ePHI).

Administrative Safeguards

  • Security management process and risk analysis
  • Workforce access controls and authorization
  • Security awareness and training programs
  • Security incident procedures and response plans
  • Contingency planning and disaster recovery
  • Business Associate Agreements with all subprocessors

Physical Safeguards

  • AWS data centers with 24/7 physical security
  • Biometric access controls at hosting facilities
  • Redundant power and environmental controls
  • Hardware inventory and disposal procedures

Technical Safeguards

  • Unique user identification and authentication
  • Emergency access procedures
  • Automatic logoff after inactivity
  • Encryption of PHI at rest and in transit
  • Audit controls and activity logging
  • Integrity controls for electronic PHI

Business Associate Agreement

CaseMgmt provides a signed Business Associate Agreement (BAA) to all customers who manage Protected Health Information through our platform. Our BAA covers all aspects of HIPAA compliance including data handling, breach notification, and subcontractor management.

Request a BAASchedule a Demo

Security FAQ

Is CaseMgmt HIPAA compliant?

Yes. CaseMgmt is fully HIPAA compliant and implements all required administrative, physical, and technical safeguards. We provide a signed Business Associate Agreement (BAA) to all customers.

Where is my data stored?

All data is stored on Amazon Web Services (AWS) infrastructure within the United States. AWS maintains a signed BAA with us and meets all HIPAA requirements for hosting electronic PHI.

Is my data encrypted?

Yes. All data is encrypted at rest using 256-bit AES encryption and in transit using TLS 1.2 or higher. Database connections, backups, and file storage are all encrypted.

Can other companies see my data?

No. CaseMgmt uses strict multi-tenant data isolation. Each company's data is logically separated at the database level. Users can only access data belonging to their own organization.

What happens if there is a data breach?

We have a documented incident response plan. In accordance with HIPAA breach notification requirements, we notify affected customers of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. We notify account holders of non-PHI account security incidents within 72 hours of confirmation.

Do you perform security assessments?

Yes. We conduct security assessments, dependency vulnerability scanning, and code reviews, and we log security-relevant events for review.