Last updated: Apr 10, 2026

Security & Privacy

HIPAA Compliance overview and encryption standards

Security is not an add-on at HealNote; it's the foundation of everything we build. Our infrastructure is designed to exceed HIPAA (Health Insurance Portability and Accountability Act) requirements, ensuring that patient Protected Health Information (PHI) is always handled with the highest level of care.

Architecture of Trust

HealNote uses a zero-trust architecture. This means that every request, whether internal or external, must be fully authenticated and authorized. Data is siloed at the infrastructure level, ensuring that one clinic's data is mathematically isolated from another's.

We provide all our clinical partners with a signed Business Associate Agreement (BAA), codifying our commitment to the privacy and security of your patient data under federal law.

Compliance & Security FAQs

Yes. All patient data is encrypted at rest using AES-256 encryption. All data in transit is protected by TLS 1.3 with Perfect Forward Secrecy. We manage our own clinical key vault, meaning even infrastructure providers cannot read your files.
We maintain comprehensive, tamper-evident audit logs of every access attempt to any PHI. These logs track who accessed the record, when, and from where. These logs are available to clinic admins for compliance audits at any time.
Upon account termination, you can export all patient records in standard interoperable formats (such as FHIR). Following the transition period, we initiate a cryptographic erasure of your specific clinical vault, ensuring no residual data remains on our servers.
We host our clinical workloads on AWS GovCloud and dedicated EMEA-based regions (e.g., Frankfurt for EU users). We strictly adhere to data residency requirements, ensuring your data never leaves the regulatory jurisdiction your clinic operates in.

Reporting Security Vulnerabilities

We maintain an active Responsible Disclosure program. If you believe you have found a security vulnerability in the HealNote platform, please contact our security team at security@healnote.health immediately. We respond to all critical reports within 4 hours.