Compliance

HIPAA compliance.
Built in from day one.

A complete resource on how every CareStackOS platform is built, secured, and maintained to meet HIPAA requirements — with the tool grades and certifications to back it up.

Compliance is built in. Not bolted on.

Every platform we build ships with the same compliance foundation — not as an add-on tier, not as a configuration option. It's the default.

HIPAA Compliant

All platforms, by default

BAA Provided

Business Associate Agreement included

SOC 2 Infrastructure

Hosted on SOC 2 Type II certified cloud

AES-256 Encryption

Data at rest and in transit

Audit Logging

Every action tracked and timestamped

RBAC

Role-based access controls on every platform

HIPAA compliance framework.

A rule-by-rule breakdown of how every CareStackOS platform addresses each HIPAA requirement.

Requirement | How We Address It | Status
Minimum necessary standard | Role-based access controls limit each user to only the data their role requires. Staff see only their patients; admins see all. | Implemented
Patient rights to access PHI | Patient portal provides direct access to records, notes, and documents. Download and export available. | Implemented
Notice of Privacy Practices | NPP template provided and integrated into patient intake flow. Patients acknowledge digitally. | Implemented
Disclosure accounting | All PHI disclosures are logged with timestamp, user, and purpose. Exportable for patient requests. | Implemented

Infrastructure & tool grades.

Every tool and infrastructure component we use is evaluated for security grade, certifications, and HIPAA eligibility before it touches your platform.

Cloud Infrastructure

Component | Details | Certifications | Grade
Cloud Hosting Provider | SOC 2 Type II, ISO 27001, HIPAA-eligible infrastructure. 99.99% uptime SLA. | SOC 2 Type II, ISO 27001, HIPAA Eligible, FedRAMP | Enterprise
CDN & Edge Network | Global CDN with DDoS protection, WAF, and edge security. Data never cached at edge. | SOC 2 Type II, ISO 27001 | A+
Database Layer | Managed database with automatic backups, point-in-time recovery, and encryption at rest. | SOC 2 Type II, HIPAA Eligible | A+

Encryption & Key Management

Component | Details | Certifications | Grade
Data Encryption (At Rest) | AES-256-GCM encryption for all stored data. Keys rotated automatically every 90 days. | FIPS 140-2, NIST SP 800-57 | A+
Data Encryption (In Transit) | TLS 1.3 enforced on all connections. TLS 1.0 and 1.1 disabled. HSTS with preloading. | TLS 1.3, HSTS | A+
Key Management Service | Enterprise KMS with hardware security modules (HSMs). No plaintext keys ever stored. | FIPS 140-2 Level 3, SOC 2 | A+

Access Control & Identity

Component | Details | Certifications | Grade
Authentication System | Multi-factor authentication (MFA) available for all users. TOTP and SMS supported. | NIST SP 800-63B | A+
Role-Based Access Control | Granular RBAC with custom roles. Principle of least privilege enforced by default. | HIPAA §164.312(a)(1) | A+
Session Management | Secure session tokens with configurable expiry. Automatic logoff after inactivity. | OWASP ASVS Level 2 | A

Monitoring & Audit

Component | Details | Certifications | Grade
Audit Logging System | Immutable audit logs for every PHI access event. Tamper-evident storage with cryptographic signing. | HIPAA §164.312(b) | A+
Security Monitoring | Real-time anomaly detection, intrusion detection, and automated alerting for security events. | SOC 2 CC7.2 | A
Vulnerability Scanning | Automated dependency scanning, SAST, and periodic third-party penetration testing. | OWASP Top 10 | A

Communications & Integrations

Component | Details | Certifications | Grade
Email Service Provider | HIPAA-eligible email infrastructure with BAA. TLS-enforced delivery. PHI never in email body. | SOC 2 Type II, HIPAA Eligible | A
SMS / Messaging Provider | HIPAA-eligible SMS with BAA. Appointment reminders sent without PHI in message content. | SOC 2 Type II, HIPAA Eligible | A
Video / Telehealth | HIPAA-eligible video infrastructure with BAA. End-to-end encrypted sessions. | HIPAA Eligible, SOC 2 Type II | A

Backup & Disaster Recovery

Component | Details | Certifications | Grade
Database Backups | Automated backups every 6 hours. Point-in-time recovery up to 35 days. Cross-region replication. | HIPAA §164.308(a)(7) | A+
Disaster Recovery Plan | Documented DRP with RTO < 4 hours and RPO < 6 hours. Tested quarterly. | HIPAA §164.308(a)(7)(ii)(C) | A
Business Continuity | Multi-region failover capability. Automated health checks with sub-minute failover. | SOC 2 A1.2 | A

What we actually do to keep you compliant.

Not marketing language. Specific technical and operational controls we implement on every platform.

Encrypt everything by default

  • AES-256-GCM encryption for all data stored in databases and file storage
  • TLS 1.3 enforced on every connection — no unencrypted traffic permitted
  • Encryption keys managed via enterprise KMS with HSM-backed storage
  • Keys rotated automatically every 90 days with zero-downtime rotation
  • Database backups encrypted with separate keys from production data

Control who sees what

  • Role-based access control (RBAC) with custom roles for every practice
  • Principle of least privilege — users see only what their role requires
  • Multi-factor authentication (MFA) available for all user accounts
  • Automatic session expiry after configurable inactivity period
  • IP allowlisting available for practices with fixed office locations

Log everything that matters

  • Immutable audit log for every PHI access, modification, and deletion
  • Logs include user ID, timestamp, IP address, action type, and affected record
  • Tamper-evident log storage with cryptographic signing
  • Logs retained for minimum 6 years per HIPAA requirements
  • Exportable audit reports for compliance reviews and patient requests
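The tamper-evident, cryptographically signed log described above, and the disclosure-accounting export in the framework table, can both be built on a hash chain whose entries are signed with a key kept outside the log store. The example below is added here for illustration and is not CareStackOS code; the field names, the in-memory signing key standing in for a KMS/HSM-held key, and the sample events are all constructed for this example. Each entry commits to the previous entry's digest, so altering or deleting an earlier record breaks verification at that point, and an attacker without the signing key cannot re-sign a rewritten entry.

```python
"""Tamper-evident audit log: SHA-256 hash chain plus HMAC-signed digests.

Added example, not CareStackOS's implementation. The signing key below is a
constructed in-memory value standing in for a key held in a KMS/HSM.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class AuditEntry:
    user_id: str
    timestamp: str        # ISO-8601, UTC
    ip: str
    action: str           # e.g. "read", "update", "delete", "export"
    record_id: str        # the PHI record affected
    purpose: str          # needed for disclosure accounting
    prev_hash: str        # digest of the previous entry (chain link)
    digest: str = ""      # SHA-256 over the fields above
    signature: str = ""   # HMAC-SHA256(key, digest)


def _canonical(entry: AuditEntry) -> bytes:
    """Stable byte encoding of everything except digest and signature."""
    body = {k: v for k, v in asdict(entry).items() if k not in ("digest", "signature")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries: List[AuditEntry] = []

    def append(self, user_id: str, timestamp: str, ip: str, action: str,
               record_id: str, purpose: str) -> AuditEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        e = AuditEntry(user_id, timestamp, ip, action, record_id, purpose, prev)
        e.digest = hashlib.sha256(_canonical(e)).hexdigest()
        e.signature = hmac.new(self._key, e.digest.encode(), hashlib.sha256).hexdigest()
        self.entries.append(e)
        return e

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != expected_prev:
                return False, i                     # entry removed or reordered before i
            if hashlib.sha256(_canonical(e)).hexdigest() != e.digest:
                return False, i                     # fields edited in place
            sig = hmac.new(self._key, e.digest.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(sig, e.signature):
                return False, i                     # digest rewritten without the key
            expected_prev = e.digest
        return True, None

    def disclosures_for(self, record_id: str) -> List[dict]:
        """Accounting-of-disclosures export for one patient record."""
        return [{"timestamp": e.timestamp, "user": e.user_id, "action": e.action,
                 "purpose": e.purpose} for e in self.entries if e.record_id == record_id]


def build_sample_log() -> AuditLog:
    # Constructed sample events for this example.
    log = AuditLog(b"constructed-signing-key-not-for-production")
    log.append("nurse.kim", "2024-03-04T14:01:00Z", "10.0.0.12", "read", "pt-1001", "treatment")
    log.append("dr.lee", "2024-03-04T15:10:00Z", "10.0.0.30", "export", "pt-1001", "patient request")
    log.append("billing.ann", "2024-03-04T16:20:00Z", "10.0.0.41", "read", "pt-1001", "payment")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1].action = "read"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

Verification reports the index of the first entry that fails, which tells a reviewer exactly where the chain was broken; the `disclosures_for` export is what a patient-request response would be generated from.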

Detect and respond to threats

  • Real-time anomaly detection for unusual access patterns
  • Automated alerts for failed login attempts, bulk data exports, and off-hours access
  • Intrusion detection system (IDS) monitoring all network traffic
  • Automated vulnerability scanning on every code deployment
  • Periodic third-party penetration testing with remediation tracking
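To make the alerting bullets above concrete, the example below runs three detection rules over constructed audit-log lines: repeated failed logins from one source address, bulk PHI exports by one user, and successful access outside business hours. It is added here as illustration and is not CareStackOS code; the log line layout, the thresholds, the window sizes and the local time zone are assumptions chosen for this example.

```python
"""Alert rules over audit-log lines (added example; sample data constructed).

Thresholds, windows, the line format and the local time zone are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample log lines for this example; the field layout is assumed.
SAMPLE_LOG = """\
2024-03-04T14:01:00Z user=nurse.kim ip=10.0.0.12 action=read record=pt-1001 result=ok
2024-03-04T14:02:10Z user=nurse.kim ip=10.0.0.12 action=read record=pt-1002 result=ok
2024-03-04T14:05:00Z user=unknown ip=203.0.113.7 action=login record=- result=fail
2024-03-04T14:05:04Z user=unknown ip=203.0.113.7 action=login record=- result=fail
2024-03-04T14:05:09Z user=unknown ip=203.0.113.7 action=login record=- result=fail
2024-03-04T14:05:15Z user=unknown ip=203.0.113.7 action=login record=- result=fail
2024-03-04T14:05:20Z user=unknown ip=203.0.113.7 action=login record=- result=fail
2024-03-04T15:10:00Z user=dr.lee ip=10.0.0.30 action=export record=pt-2001 result=ok
2024-03-04T15:10:02Z user=dr.lee ip=10.0.0.30 action=export record=pt-2002 result=ok
2024-03-04T15:10:04Z user=dr.lee ip=10.0.0.30 action=export record=pt-2003 result=ok
2024-03-04T15:10:06Z user=dr.lee ip=10.0.0.30 action=export record=pt-2004 result=ok
2024-03-05T02:30:00Z user=admin.ray ip=10.0.0.9 action=read record=pt-3001 result=ok
"""

# Assumed tuning values for the example.
FAILED_LOGIN_THRESHOLD = 5                     # failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)    # ... inside this sliding window
BULK_EXPORT_THRESHOLD = 3
BULK_EXPORT_WINDOW = timedelta(minutes=15)
BUSINESS_HOURS = (7, 19)                       # 07:00 to 19:00 local time
LOCAL_TZ = timezone(timedelta(hours=-5))       # assumed practice time zone (UTC-5)


def parse_line(line: str) -> Dict[str, object]:
    """'<ts> k=v k=v ...' -> dict with a timezone-aware 'ts'."""
    ts, *kvs = line.split()
    event: Dict[str, object] = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def _burst(events: List[dict], key: str, threshold: int, window: timedelta) -> List[str]:
    """Keys (ip or user) with at least `threshold` events inside any sliding window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e["ts"])
    hits = []
    for k, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(k)
                break
    return hits


def detect(log_text: str) -> List[str]:
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    alerts: List[str] = []

    failed = [e for e in events if e["action"] == "login" and e["result"] == "fail"]
    for ip in _burst(failed, "ip", FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW):
        alerts.append(f"failed-login-burst ip={ip}")

    exports = [e for e in events if e["action"] == "export" and e["result"] == "ok"]
    for user in _burst(exports, "user", BULK_EXPORT_THRESHOLD, BULK_EXPORT_WINDOW):
        alerts.append(f"bulk-export user={user}")

    for e in events:
        local_hour = e["ts"].astimezone(LOCAL_TZ).hour
        if e["result"] == "ok" and not (BUSINESS_HOURS[0] <= local_hour < BUSINESS_HOURS[1]):
            alerts.append(f"off-hours-access user={e['user']} record={e['record']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The off-hours rule converts each UTC timestamp into the practice's local zone before comparing against business hours; forgetting that step is a common source of both false alerts and missed ones. Alerts are returned as plain strings here so they can be routed to whatever ticketing or paging system the deployment uses.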

Back up and recover

  • Automated database backups every 6 hours with integrity verification
  • Point-in-time recovery available for up to 35 days
  • Cross-region backup replication for geographic redundancy
  • Documented disaster recovery plan with RTO < 4 hours
  • Quarterly DR testing with documented results

Document and agree

  • Business Associate Agreement (BAA) signed with every client before access
  • BAAs in place with all infrastructure providers and subcontractors
  • Notice of Privacy Practices integrated into patient intake workflow
  • Breach response runbook with notification templates and timelines
  • Annual HIPAA training documentation for all CareStackOS staff

Business Associate Agreement

Your BAA is included.
Not an upgrade.

A signed Business Associate Agreement is required before any PHI touches your platform. We provide it as a standard part of every engagement — not as a premium add-on or enterprise-only feature.

The BAA covers all subcontractors and infrastructure providers we use to build and host your platform. You don't need to negotiate separate BAAs with cloud providers — ours covers the full stack.

Signed before access

No PHI is collected or processed until the BAA is executed. This is non-negotiable.

Covers all subcontractors

Our BAA extends to all infrastructure providers — cloud hosting, email, SMS, video — that handle your PHI.

Breach notification included

The BAA specifies our obligation to notify you within 30 days of discovering a breach.

Termination procedures

The BAA includes documented procedures for returning or destroying PHI upon contract termination.

Questions about compliance?

We're happy to walk through our compliance posture in detail during your discovery call. Bring your compliance officer.

Schedule a Compliance Review