HeepstersPractice

Security & HIPAA

Compliance is the floor. Trust is the goal.

Heepsters Practice was designed against the same security bar as the EMRs serving hospital systems — and built lean enough to ship at private-practice prices.

HIPAA aligned

Administrative, physical, and technical safeguards mapped to 45 CFR Part 164. BAA available on every paid plan.

Encrypted everywhere

AES-256 at rest. TLS 1.3 in transit. Database encryption keys managed via AWS KMS, rotated quarterly.

AWS US infrastructure

us-east-1 and us-west-2. No PHI leaves the United States. Database backups encrypted, retained 30 days, point-in-time recovery.

Identity & access

MFA required for all clinician and admin accounts. Role-based access. SSO (SAML/OIDC) on Group plan.

Append-only audit log

Every read and write to a chart is logged with actor, timestamp, IP, and action. The audit log itself is immutable.

Incident response

24/7 on-call. Documented IR runbook. Customer notification within 24 hours of confirmed PHI incident.

SOC 2 Type II

Audit in progress with a Big 4 firm. Report and bridge letter available under NDA on request.

Subprocessor list

Public, versioned subprocessor list. 30-day notice on any addition. BAA in place with every subprocessor handling PHI.

Data residency

All Protected Health Information (PHI) is stored and processed inside the United States. Our primary region is AWS us-east-1, with cross-region replication to us-west-2. PHI is never replicated outside the U.S. for any reason — including support, backup, or analytics.

Privacy posture on AI

All AI features (note draft, summary, prior-auth) are processed under our enterprise BAA with the underlying provider. PHI is not used to train any model. AI suggestions are drafts only — no auto-file, no auto-sign, no auto-bill. Every assist is recorded in the append-only activity log.

Subprocessors

We publish a versioned subprocessor list at /legal/baa#subprocessors. We give 30 days' notice on any new subprocessor that touches PHI. Every PHI-handling subprocessor is under BAA.

Vulnerability disclosure

Security researchers can email security@heepsterspractice.com. We respond within one business day. We do not pursue legal action against good-faith research. Hall of fame and bounties available.

Buy with confidence.

Security questions are a normal part of the conversation. Bring them — we'll answer in plain English.