Security & HIPAA Compliance
We take the privacy and security of sensitive information seriously and design our platform with a security-first mindset. Our system is built to align with the requirements of the Health Insurance Portability and Accountability Act (HIPAA), ensuring that Protected Health Information (PHI) is handled with care, integrity, and confidentiality.
- HIPAA-Aligned: Designed to support PHI handling, access controls, and compliance requirements.
- Encrypted: Data encrypted in transit (HTTPS/TLS) and at rest using industry standards.
- On-Staff Officer: Dedicated HIPAA-Compliance Security Officer overseeing our program.
HIPAA-Aligned Architecture
We follow best practices outlined under the Health Insurance Portability and Accountability Act and its associated security and privacy requirements. Our platform is designed to support:
- Secure handling of Protected Health Information (PHI)
- Role-based access controls
- Data minimization principles
- Controlled data environments depending on deployment mode
We offer flexible deployment models, including configurations where sensitive data can remain fully local to client devices when required.
Data Protection & Encryption
We implement industry-standard safeguards to protect data, including:
- Encryption of data in transit using HTTPS/TLS
- Encryption of sensitive data at rest (where applicable)
- Secure storage mechanisms on client devices for local data handling
- Strict separation between identifiable and non-identifiable data
Access Controls
We enforce strict access management practices across the entire platform:
- Authentication and authorization controls
- Principle of least privilege
- Session security and timeout controls
Only authorized users are permitted to access sensitive information, and access is limited to what is necessary for their role.
No Unauthorized Data Sharing
We do not sell, rent, or share Protected Health Information. Any use or disclosure of PHI is strictly limited to authorized purposes and governed by applicable agreements, including Business Associate Agreements (BAAs) where required.
Client-Controlled Data Options
For organizations requiring additional control, we support configurations where:
- Sensitive data remains stored locally on client-managed devices
- No PHI is transmitted to or stored on our servers
- Clients retain full control over patient-identifiable information during pilot or limited-use scenarios
Vendor & Infrastructure Security
When PHI is processed within our hosted environment, we work with trusted infrastructure providers that support HIPAA compliance. We execute Business Associate Agreements (BAAs) with all applicable vendors as required, ensuring your data remains protected at every layer of the stack.
Ongoing Security Practices
We continuously improve our security posture through:
- Internal security reviews and risk assessments
- Monitoring and logging of system activity (non-PHI environments)
- Secure development practices
- Regular updates and patch management
Responsibility & Transparency
We partner with our clients to ensure compliance responsibilities are clearly defined. While our platform is designed to support HIPAA requirements, proper configuration and usage by the client are also essential to maintaining compliance.
We welcome compliance reviews and are available to provide documentation or answer questions about our security posture at any time.
Questions or Compliance Documentation Requests?
If you have questions about our security practices, need a Business Associate Agreement (BAA), or require documentation for a compliance review, please reach out to our security team:
imisshtml LLC — BRDS Care Security Team
Email: info@imisshtml.com
Website: brds.care