Security & HIPAA

Compliance built into the architecture, not bolted on after.

ClinRevOS handles Protected Health Information from the first 835 file forward. Security and HIPAA compliance are not features we layered on; they are the operating posture the platform was built around from the first line of code.

Our commitments

Four non-negotiable principles that shape every technical and operational decision.

i. No PHI without a signed BAA

No remittance file moves into ClinRevOS until a Business Associate Agreement is executed between your practice and ClinRevOS Inc. Standard policy, no exceptions, no soft starts.

ii. Minimum necessary, always

We process the data we need to surface variance and recoverable revenue. We do not ingest data outside the scope of the engagement, and we do not retain data longer than the operational need.

iii. Encryption at rest and in transit

All PHI is encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption keys are managed separately from the data they protect.

iv. Audit trail by default

Every access, upload, query, and export is logged with user, timestamp, and action. Audit logs are retained for a minimum of six years per HIPAA requirements and are tamper-evident.

HIPAA framework

What we mean when we say HIPAA compliant.

HIPAA compliance is a posture, not a certificate. We operate as a Business Associate to your practice and apply the Privacy, Security, and Breach Notification Rules to every data flow inside the platform.

Business Associate standard
ClinRevOS Inc. operates as a Business Associate under 45 CFR Part 164. A signed BAA is executed before any PHI is exchanged. Our BAA covers permitted uses and disclosures, safeguards, subcontractor obligations, breach notification timing, and termination return-of-data requirements.
Privacy Rule
PHI is used only for the permitted purposes defined in the BAA: variance detection, payer rate analysis, recovery workflow, and the de-identified analytics that improve the platform. No marketing use, no sale of data, no disclosure outside the engagement without your written authorization.
Security Rule
We implement the administrative, physical, and technical safeguards required under the HIPAA Security Rule. Access is role-based and least-privilege. Authentication uses industry-standard methods including SSO and multi-factor where available. Workstation, transmission, and device controls follow current NIST-aligned guidance.
Breach Notification
In the unlikely event of a breach involving PHI, ClinRevOS will notify the affected covered entity without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule. Our incident response procedures are documented and tested.
De-identification standard
Aggregated, de-identified analytics used to improve the platform follow the HIPAA Safe Harbor method under 45 CFR 164.514(b). All eighteen identifiers are removed, and there is no actual knowledge that the residual data could be used alone or in combination to identify an individual.
Operational practices

How we work, day to day.

Workforce
All ClinRevOS personnel and contractors with access to PHI sign confidentiality agreements and complete HIPAA training before access is granted. Access is reviewed periodically and revoked promptly on role change or departure.
Incident response
Documented incident response procedures cover detection, containment, eradication, recovery, and post-incident review. Suspected security events trigger immediate review by the security lead and, where required, client notification within HIPAA breach notification timeframes.
Data retention & return
PHI is retained only as long as needed to fulfill the BAA and the operational engagement. On termination, PHI is returned or securely destroyed at the client's direction, with written confirmation provided.
Change management
All changes to the production environment follow documented review and approval procedures. Code changes that touch PHI handling paths receive heightened review. Production access is separated from development.
Compliance roadmap

Where we are, and where we are going.

We believe in honesty about compliance posture. The list below reflects current capability and the work in flight, not aspirational claims.

Current

HIPAA-aligned posture from day one

BAA standard with every client, encryption at rest and in transit, role-based access, audit logging, documented incident response procedures, de-identification under Safe Harbor method.

In progress

SOC 2 Type I readiness

Control documentation, evidence collection, and a planned audit timeline targeting initial Type I attestation within twelve months of platform launch. We will share progress and the final report with clients under NDA on request.

Future

SOC 2 Type II & HITRUST

Type II attestation following Type I, with HITRUST CSF certification on the roadmap for clients with elevated procurement standards. We will scope these based on client demand and regulatory environment.

Diligence & questions

Does your procurement, IT, or compliance team need more detail?

We are happy to share our BAA template, security questionnaire responses, and roadmap detail under NDA. Send us a note and we will route the right materials.