Security & HIPAA

Built for protected health information from day one.

HIPAA compliance is a process, not a checkbox — and it covers technology, policy and people. cAIre is engineered so the technology layer never gets in the way of a clinic operating compliantly.

Technical safeguards

  • Row-level isolation

    Every patient record is scoped to a single clinic by database-level policy. A clinician at clinic A cannot read clinic B's data, even if our application code had a bug, because the database enforces the boundary rather than the application.
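
    The following is an added illustration of the database-level scoping described above, not cAIre's own schema or code. It assumes PostgreSQL, a `patients` table with a `clinic_id` column, an application database role named `app_user`, and a per-transaction setting `app.clinic_id` that the application sets after authenticating the request; all of these names are assumptions.

```sql
-- Added example (not cAIre's schema): PostgreSQL row-level security that
-- scopes every patient row to exactly one clinic.
CREATE TABLE patients (
    id         bigserial PRIMARY KEY,
    clinic_id  uuid NOT NULL,
    full_name  text NOT NULL
);

-- The application connects as a role that is neither a superuser nor the
-- table owner; the connecting login role must be a member of app_user.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patients_id_seq TO app_user;

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is unset, and
-- NULL never equals anything, so a request that forgot to set its clinic
-- context sees no rows at all instead of every row.
CREATE POLICY clinic_isolation ON patients
    FOR ALL
    TO app_user
    USING      (clinic_id = current_setting('app.clinic_id', true)::uuid)
    WITH CHECK (clinic_id = current_setting('app.clinic_id', true)::uuid);

-- Constructed sample data: one patient at each of two clinics.
INSERT INTO patients (clinic_id, full_name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Patient at clinic A'),
    ('22222222-2222-2222-2222-222222222222', 'Patient at clinic B');

-- Simulate one request handled on behalf of clinic A.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.clinic_id = '11111111-1111-1111-1111-111111111111';

-- Returns only the clinic A row; clinic B's row is invisible.
SELECT id, full_name FROM patients;

-- Returns 0 even though clinic B is named explicitly in the WHERE clause.
SELECT count(*) FROM patients
 WHERE clinic_id = '22222222-2222-2222-2222-222222222222';

-- An insert tagged with another clinic fails the WITH CHECK clause with
-- "new row violates row-level security policy"; the same applies to an
-- UPDATE that tries to move a row to a different clinic_id.
-- INSERT INTO patients (clinic_id, full_name)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled');
COMMIT;
```

    Two caveats a reviewer would check: superusers and roles created with BYPASSRLS are not subject to any policy, so the application must never connect as one; and the policy relies on `app.clinic_id` being set from the authenticated session on every request, so the code path that sets it belongs in one place (for example, a connection-checkout hook) rather than in each handler.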

  • Encryption everywhere

    TLS 1.2+ in transit. AES-256 at rest. Encrypted backups. Photos and documents stored in private buckets with short-lived signed URLs.

  • Authentication

    Email/password with strong password rules and Have I Been Pwned (HIBP) leaked-password checks. Google sign-in. Optional SSO for larger clinics.

  • Audit trail

    Every access to a patient record is logged. Owners can see who saw what, when, from where.

  • Least privilege

    Three roles per clinic: owner, clinician, staff. Each scoped to only what they need.

  • No PHI in URLs or logs

    Patient identifiers don't appear in URLs, error logs, or analytics. PHI never leaves the controlled environment.

Administrative

  • Business Associate Agreement

    BAA available for US clinics under HIPAA. Data processing agreement available for UK and EU clinics under GDPR.

  • Data residency

    Choose where your clinic's data lives — US or EU regions.

  • Breach notification

    Documented incident-response plan with defined notification windows.

  • Vendor management

    All subprocessors listed publicly. No data sold or shared with advertisers, ever.

cAIre is a tool. HIPAA compliance for a clinic also depends on your own policies, training and physical safeguards. We provide templates and a security review with every founding clinic.