
Security & Compliance

HIPAA engineered from day one. Security evidence provided, not promised.

Security posture

Enterprise-grade security across every layer of the platform.

HIPAA Compliance

Engineered

Built into architecture, not bolted on after the fact.

CVE Remediation

Active

Pre-NVD CVE packets with burn-down tracking and evidence manifests.

ZAP Scanning

Every PR

OWASP ZAP scans run on every pull request before merge.

Audit Controls

100% Coverage

Every API call logged with resource type, action, user, and tenant.

Multi-Tenant Isolation

Database-Level

Tenant data isolated at the database query level. No cross-tenant access possible.

Infrastructure

Hardened

16-class operations orchestration with header security and rate limiting.

HIPAA compliance details

HDIM was designed from the ground up to meet HIPAA technical safeguard requirements. Compliance is architectural, not a checklist applied after development.

  • 164.312(a)(2)(iii) - Automatic Logoff
    15-minute idle timeout with audit logging. Audit records distinguish an automatic timeout from an explicit logout.
  • 164.312(b) - Audit Controls
    An HTTP audit interceptor provides 100% API call coverage. Every access is logged with user, resource, action, and duration.
  • 164.312(a)(1) - Access Control
    Role-based access (SUPER_ADMIN, ADMIN, EVALUATOR, ANALYST, VIEWER) with JWT authentication and a gateway-trust architecture.
  • 164.312(e)(1) - Transmission Security
    TLS encryption on all data in transit. No-cache headers on all PHI responses.

Multi-tenant isolation

Every database query is filtered by tenant ID. There is no code path that can return data from one tenant to another.

  • Database layer
    All queries include WHERE tenant_id = :tenantId. Enforced via Spring Data specifications.
  • API layer
    X-Tenant-ID header required on every request. Validated at the gateway before reaching services.
  • Cache layer
    Cache keys include the tenant ID. TTL limited to 5 minutes for PHI data.
  • Audit layer
    Tenant ID recorded on every audit event. Cross-tenant access attempts are logged and blocked.

Security scanning

Automated security scanning is integrated into the development workflow.

  • OWASP ZAP
    Dynamic application security testing on every pull request.
  • CVE monitoring
    Pre-NVD CVE packets with immutable evidence manifests and burn-down tracking.
  • Dependency scanning
    Automated vulnerability detection across all dependencies.
  • ESLint security rules
    console.log is banned in frontend code to prevent PHI exposure in browser DevTools.