Home / Security & compliance

Trust center

Certs are the signal. Architecture is the proof.

An honest security page: what we are built on, what is attested today, what is in progress, and what is on the roadmap — nothing dressed up.

Request our security packet Compliance matrix
Compliance and trust shield matrix A central trust shield surrounded by a matrix of compliance frameworks, each tagged with its status: architected-in for HIPAA, in-progress for SOC 2 Type II and ONC certification, and built-in for EPCS, TEFCA, CMS-0057-F, 42 CFR Part 2, and WCAG 2.2 AA. Compliance is the product floor architecture first, attestations stated plainly HIPAAarchitected-in · BAAs ready SOC 2 Type IIaudit in progress ONC §170.315certification in progress EPCS · 21 CFR 1311IAL2/AAL2 flow built TEFCAQHIN sub-participant CMS-0057-FPAS + Provider Access 42 CFR Part 2API-layer consent gating 21st C. CuresVDT + SMART on FHIR WCAG 2.2 AArelease gate · 0 P0/P1

Architecture-level trust

Security features your patients can actually see.

Read-access audit on every chart view

Every read of a patient chart writes an audit entry with the full authorization chain — who viewed, under what authority, when. And the patient can see the trail in their portal. Tamper-resistant, immune to soft-delete.

Consent-gated sensitive categories

Mental health, substance use (42 CFR Part 2), HIV, genetic, and reproductive-health data each carry an independent consent flag, enforced at the API layer — not hidden, not overexposed, gated.

Clinical-global, operational-isolated

Clinical facts belong to the patient and are global across consented practices with source-org attribution. Operational data — schedules, claims, queues — is partition-key isolated per practice. Practice A never sees practice B's billing.

Patients are users

One identity model for clinicians and patients means one authorization system, one audit system, and no “patient view” shortcut that quietly skips the access controls.

Versioned everything

Notes, forms, CDS rules, and payer rules carry version histories. Corrections are versioned events that preserve the original — the audit trail never loses the past.

Self-serve data egress

Full-practice export — charts, schedules, AR — is a product feature, not a support case. Vendors who make leaving hard are telling you something. We'd rather earn the renewal.

Compliance matrix

Status, stated plainly.

Framework / ruleWhat it coversrev.health status
HIPAA (Privacy, Security, Breach Notification)PHI safeguards, BAAs, breach dutiesArchitected-in; BAAs available; tracking the anticipated Security Rule update
SOC 2 Type IIIndependent controls attestationAudit in progress — report available to customers under NDA on completion
ONC §170.315 / HTI-1Certified EHR technology: USCDI v3, DSI transparency, e(1) VDT, auditable eventsCertification in progress with an ONC-ACB; built to criteria from day one
EPCS — DEA 21 CFR 1311Two-factor controlled-substance prescribingIAL2/AAL2/FIPS 140-2 flow implemented; third-party certification audit on the Surescripts path
TEFCANationwide record exchangeConnecting as a QHIN sub-participant via QHIN partnership
CMS-0057-FPayer prior-auth and Provider Access APIs (Jan 2027)Da Vinci PAS submission and Provider Access API consumption built in
42 CFR Part 2Substance-use-disorder record confidentialityConsent gating enforced at the API layer, per category
21st Century Cures / information blockingPatient access, no blockingVDT + SMART on FHIR app launch as first-class product surfaces
WCAG 2.2 AAAccessibilityRelease gate: automated + manual audit, zero P0/P1 issues policy
TCPAPatient SMS consentOpt-in tracking on every reminder and waitlist message

We publish status honestly because our buyers run diligence — and because a vendor that fudges a cert page has told you everything about how they'll handle your audit logs. The industry has seen where that road ends.

Platform safeguards

The standard hard things, done.

Encryption

TLS 1.2+ in transit, AES-256 at rest, managed key rotation.

Access control

Role-based access with least-privilege defaults; MFA for all staff accounts; step-up auth for EPCS.

Cloud isolation

Per-practice partition-key isolation for operational data on managed cloud infrastructure.

Audit retention

Configurable per-state retention on transaction logs, including raw 270/271/278 payloads with trace numbers.

AI guardrails

Clinician-in-the-loop on every AI output; DSI model cards in-context; hallucination-rate audits as a release gate.

Consent capture

Recording consent before ambient capture, recorded verbally and affirmed in the chart, every visit.

Vendor diligence

Clearinghouse, HISP, and network partners held to BAA + security review; failover paths for degraded partners.

Incident readiness

Breach-notification SLAs and indemnity language in the master agreement — in writing, before you sign.

Run your diligence. We'll keep up.

Request the security packet — architecture overview, compliance roadmap, sample BAA, and audit-log demonstration.

Request the security packet