Protected health information, protected by design
OrganAlert treats PHI as the hardest constraint in the system. The controls below are implemented in the product today — not a roadmap. We are happy to walk a security team through them and to execute a Business Associate Agreement before any production use.
Data protection
PHI is encrypted before it reaches the database and scrubbable on the way out.
Encryption at rest (AES-256-GCM)
Every PHI field is encrypted at the application layer with per-tenant, HKDF-derived keys and a per-value IV. The database stores only versioned ciphertext — never plaintext names, MRNs, DOBs, or clinical narratives.
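As an added illustration (not OrganAlert's own code; the product's implementation language is not stated, and Go is used here because its standard library has the needed primitives), this sketch derives a per-tenant key with HKDF from a master key, encrypts one field with AES-256-GCM under a per-value random nonce, and prefixes a version byte to the stored ciphertext. The master key, the salt and info labels, and binding the column name as associated data are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

const keyVersion byte = 1 // prefixed to every ciphertext so data keys can be rotated

// hkdfSHA256 runs HKDF-Extract then one HKDF-Expand block (RFC 5869): 32 bytes out.
func hkdfSHA256(master, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(master)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // the PRK becomes the HMAC key
	expand.Write(info)
	expand.Write([]byte{1}) // T(1) = HMAC(PRK, info || 0x01)
	return expand.Sum(nil)
}
// tenantAEAD derives the tenant's AES-256 key (tenant id as HKDF info) and wraps it as GCM.
func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	key := hkdfSHA256(master, []byte("phi-field-key"), []byte("tenant:"+tenantID)) // assumed labels
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encryptPHI returns version || nonce || ciphertext+tag; fresh random nonce per value, column name as AAD.
func encryptPHI(gcm cipher.AEAD, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{keyVersion}, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(column)), nil
}
// decryptPHI rejects unknown versions, then authenticates and decrypts; wrong tenant key, swapped column or tampering fails.
func decryptPHI(gcm cipher.AEAD, column string, blob []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(blob) < 1+n+gcm.Overhead() || blob[0] != keyVersion {
		return nil, errors.New("unsupported or truncated ciphertext")
	}
	return gcm.Open(nil, blob[1:1+n], blob[1+n:], []byte(column))
}
```

The version byte is what lets a later key rotation decrypt old rows with the old key while new rows use the new one.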
Encryption in transit
All traffic is served over TLS with HSTS (preload). The Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and restrictive Content-Security-Policy headers are enforced at the edge.
De-identification on demand
Reports and relational exports can be generated in a Safe-Harbor-scrubbed mode that removes names, dates, timestamps, facility names, and imaging links for analytics and program review.
AI & PHI
A single, BAA-covered path is the only way data reaches a model — enforced in code.
BAA-covered AI only
Structured extraction runs exclusively through AWS Bedrock (Claude), which is covered by a Business Associate Agreement. The direct third-party API path has been removed from the codebase and an automated test fails the build if it ever returns.
Local-only fallback
A deterministic local parser can extract structured data entirely on-box, with no network egress, when AI extraction is not desired.
Access & accountability
Least-privilege access, hard tenant boundaries, and a tamper-evident record of everything.
Tenant isolation (defense in depth)
Every row is scoped to an organization. Isolation is enforced both by an application-layer filter keyed on the verified JWT and by Postgres row-level security — so a query is filtered even if application logic is bypassed.
Role-based access control
Each endpoint declares the clinical roles allowed to reach it. Roles map to read / write / admin capability tiers, verified against the identity service on every request.
Append-only audit log
Security-relevant access is recorded to an append-only log that database triggers forbid updating or deleting. IP addresses are pseudonymized (hashed) before storage.
Session timeouts
Sessions enforce a 30-minute idle and 8-hour absolute lifetime; expiry destroys the session and records the event.
A PHI-free front-end
Our public website and application shell are static views with no access to clinical data. PHI lives only in the encrypted, BAA-covered backend; the browser talks to that backend directly over an authenticated, access-controlled API. The marketing pages you are reading never touch protected health information.
Reviewing OrganAlert for your program?
We can share our full security package and BAA, and answer your security and privacy teams’ questions.