practiceOPS is built from the ground up to meet the security, privacy, and compliance standards required by HIPAA for handling electronic Protected Health Information (ePHI).
Compliance Commitment
We maintain Business Associate Agreements (BAAs) with all sub-processors that handle ePHI. Our infrastructure is continuously monitored via automated weekly HIPAA audits that verify encryption, access controls, and data isolation.
Security Safeguards
Encryption at Rest & In Transit
All data transmitted between your browser and practiceOPS is encrypted via TLS 1.3 (HTTPS).
Database connections use verified SSL certificates with strict certificate validation.
Session cookies are signed with HMAC-SHA256 and are HttpOnly — inaccessible to client-side scripts.
Passwords are hashed using scrypt with unique salts — never stored in plaintext.
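The two credential controls listed above (scrypt password hashing with a per-user salt, and HMAC-SHA256 signed HttpOnly session cookies) are shown below as an added illustration; this is not practiceOPS's own code. The scrypt work factors, the salt length, the cookie format and the in-memory signing key are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: the signing key is generated here only so the example runs
# stand-alone; in a real service it comes from a secrets manager.
COOKIE_SIGNING_KEY = os.urandom(32)

# Assumed scrypt work factors (N, r, p) and salt size; tune to your hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Hash a password with scrypt and a fresh random salt.

    The returned string carries the parameters and salt, so verification
    works even if the global work factors are raised later.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute scrypt with the stored salt/parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = encoded.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def sign_session(session_id: str, key: bytes = COOKIE_SIGNING_KEY) -> str:
    """Cookie value = session id + '.' + HMAC-SHA256 tag over the id."""
    tag = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session(cookie_value: str, key: bytes = COOKIE_SIGNING_KEY) -> Optional[str]:
    """Return the session id if the tag verifies, otherwise None."""
    session_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie header with HttpOnly (no script access), Secure and SameSite."""
    return f"Set-Cookie: session={cookie_value}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))
    cookie = sign_session(secrets.token_urlsafe(32))
    print(set_cookie_header(cookie))
    print(verify_session(cookie) is not None)
```

Two points worth noting: each call to `hash_password` produces a different string for the same password because the salt is random, and both comparisons use `hmac.compare_digest` so that a forged tag or wrong password is rejected without a timing side channel.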
Authentication & Access Control
Role-based access control (RBAC) with Admin, Supervisor, and Associate tiers.
Optional two-factor authentication (2FA) via SMS for all clinician logins.
Sessions expire after 8 hours — clinicians re-authenticate each workday.
Deleted or suspended accounts are immediately invalidated on every API request.
Multi-Tenant Data Isolation
Each practice's data is logically isolated — no practice can access another's records.
Every database query is scoped by practice ID at the connection layer.
Account exports contain only your practice's data, verified and audit-logged.
Audit Logging & Monitoring
All access to client records, notes, and billing data is logged with timestamps and user IDs.
Critical audit failures trigger immediate alerts to the Data Protection Officer.
Infrastructure & Hosting
Hosted on Render — SOC 2 Type II certified, HIPAA BAA available.
Database on Neon Postgres — SOC 2 Type II certified with point-in-time recovery.
No on-premises servers. All infrastructure runs in secured, audited cloud data centers.
Rate limiting on all sensitive endpoints prevents brute-force and abuse attacks.
Minimum Necessary Standard
All database queries on Protected Health Information (PHI) use explicit column lists — no unnecessary data retrieval.
API responses return only the fields required for the requesting feature.
Server logs are prohibited from containing PHI — no client names, diagnoses, or session content in logs.
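The tenant-isolation points under Multi-Tenant Data Isolation (every query scoped by practice ID, exports scoped and audit-logged) and the Minimum Necessary points above (explicit column lists, no PHI in logs) are illustrated together below in one added example. It is not practiceOPS's code; the `sessions` table, the feature names, the two-practice sample rows and the in-memory audit list are all constructed for the example.

```python
import sqlite3
from typing import Dict, List

# Assumed allow-list: the exact columns each feature may read. Clinical
# content (client_name, note) is deliberately absent from every list.
FEATURE_COLUMNS: Dict[str, List[str]] = {
    "schedule": ["id", "appointment_at", "clinician"],
    "billing": ["id", "cpt_code", "fee_cents"],
}

# In-memory stand-in for an audit sink; entries carry ids only, never PHI.
AUDIT_LOG: List[str] = []


class PracticeScopedDB:
    """Binds a connection to one practice id.

    Every SQL statement built here carries `WHERE practice_id = ?` and
    selects only the feature's allow-listed columns, never SELECT *.
    """

    def __init__(self, conn: sqlite3.Connection, practice_id: int, user_id: str):
        self.conn = conn
        self.practice_id = practice_id
        self.user_id = user_id

    def fetch(self, feature: str) -> List[Dict]:
        cols = FEATURE_COLUMNS.get(feature)
        if cols is None:
            raise ValueError(f"unknown feature {feature!r}")
        sql = f"SELECT {', '.join(cols)} FROM sessions WHERE practice_id = ?"
        rows = self.conn.execute(sql, (self.practice_id,)).fetchall()
        # Audit line: who, which practice, which feature, how many rows.
        AUDIT_LOG.append(
            f"user={self.user_id} practice={self.practice_id} "
            f"feature={feature} rows={len(rows)}"
        )
        return [dict(zip(cols, r)) for r in rows]


def build_sample_db() -> sqlite3.Connection:
    """Constructed dataset with two practices (100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE sessions (
               id INTEGER PRIMARY KEY, practice_id INTEGER NOT NULL,
               client_name TEXT, appointment_at TEXT, clinician TEXT,
               cpt_code TEXT, fee_cents INTEGER, note TEXT)"""
    )
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?)", [
        (1, 100, "Client A", "2026-03-02T09:00", "Dr. Lee", "90834", 15000, "constructed note"),
        (2, 100, "Client B", "2026-03-02T10:00", "Dr. Lee", "90837", 18000, "constructed note"),
        (3, 200, "Client C", "2026-03-02T09:00", "Dr. Kim", "90834", 15000, "constructed note"),
    ])
    return conn


def export_practice(conn: sqlite3.Connection, practice_id: int,
                    user_id: str) -> Dict[str, List[Dict]]:
    """Practice-wide export: still routed through the scoped wrapper, so it
    can only ever contain the requesting practice's rows."""
    db = PracticeScopedDB(conn, practice_id, user_id)
    return {feature: db.fetch(feature) for feature in FEATURE_COLUMNS}


if __name__ == "__main__":
    conn = build_sample_db()
    print(PracticeScopedDB(conn, 100, "clinician-1").fetch("billing"))
    print(export_practice(conn, 200, "admin-2"))
    print(AUDIT_LOG)
```

The design choice is that callers never write SQL: the practice id is fixed when the wrapper is constructed, and a feature name selects a column list, so a new endpoint cannot accidentally return another practice's rows or a column such as `note` that its feature does not need.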
Communications Security
Email notifications contain billing data only (CPT codes, fees, dates) — never clinical content.
SMS reminders use generic templates: appointment time and clinician name only.
Audio recordings used for transcription are processed and never permanently stored.
Clinical Data Integrity
Crisis safety plans are write-once — they cannot be edited or deleted after creation.
Signed clinical notes require explicit unlock confirmation before editing.
Full practice data export is available at any time in ZIP format for record portability.
Sub-Processors & Certifications
Provider   Service                   Certification
Render     Application Hosting       SOC 2 Type II
Neon       PostgreSQL Database       SOC 2 Type II
Stripe     Payment Processing        PCI DSS Level 1
Twilio     SMS & 2FA Verification    SOC 2 + HIPAA
Resend     Transactional Email       SOC 2
Upstash    Redis (Rate Limiting)     SOC 2
Incident Response
In the event of a suspected or confirmed breach, practiceOPS follows the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Affected individuals and the HHS Secretary will be notified within the mandated timeframes.
1. Containment
2. Assessment
3. Notification
4. Remediation
Your Responsibilities as a Covered Entity
Execute a Business Associate Agreement (BAA) with Gritworks Collective before entering real client data.
Obtain informed consent from clients regarding the use of technology tools in their treatment.
Maintain physical and administrative safeguards for all devices running practiceOPS.
Train staff members on HIPAA-compliant use of practiceOPS and reporting of potential breaches.
Verify that AI-assisted transcription and documentation are reviewed before finalization.
Questions or BAA Requests
Contact our Privacy Officer at info@gritworks.io for BAA execution, security questions, or to report a potential incident.
Last updated: March 27, 2026 • This page describes the security posture of practiceOPS and does not constitute legal advice.