Security & HIPAA Compliance

HIPAA-Compliant
by Design

Clinical documentation tools that handle PHI require more than a checkbox. ProDocNotes is built with HIPAA security requirements as foundational design constraints — not features added after the fact.

Encrypted at rest & in transit
Mandatory MFA
HIPAA automatic logoff
Complete audit log
PHI-safe AI

Data protection

PHI protection at every layer

Every component of the ProDocNotes security architecture is designed to protect PHI at the transport, storage, access, and application layers.

Encryption at rest and in transit

All patient documentation is stored in an encrypted database. Data in transit is protected by TLS. HTTPS is enforced via HTTP Strict Transport Security (HSTS) with a two-year policy and subdomain coverage.

Mandatory multi-factor authentication

MFA is required for all accounts — not optional, not a premium feature. Every physician account must have a second factor verified before accessing patient documentation. Access controls are enforced on every request.

HIPAA automatic logoff

The HIPAA Security Rule lists automatic logoff (§164.312(a)(2)(iii)) as an addressable implementation specification under the Access Control standard; its purpose is to prevent unauthorized access to PHI on unattended workstations. ProDocNotes enforces an idle timeout with a warning countdown, then automatically signs you out, so this safeguard is applied to every session rather than left to the user.

Complete audit trail

Every login event, note creation, note access, and session termination is recorded in a tamper-resistant audit log. Access history is available to account holders and to compliance administrators for audit purposes.

PHI-safe AI processing

The AI assistant is built with PHI safety guardrails as a design requirement. Patient information processed by the AI is not used for model training. AI processing is conducted under HIPAA-appropriate data handling conditions.

OWASP hardening & CSP headers

ProDocNotes applies Content Security Policy headers, CSRF protection, and principle-of-least-privilege data access on every request, implementing defense in depth following OWASP application-security guidance throughout the application stack.
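A check a practitioner can run against the two claims above (HSTS with a two-year policy and subdomain coverage; a Content Security Policy that does not permit inline or eval script). This is an added example, not ProDocNotes code: the header values are constructed, and the two-year threshold and the findings it reports are assumptions chosen to match the policy described on this page.

```python
"""Audit security response headers against a stated policy: HSTS with a
two-year max-age and subdomain coverage, and a CSP whose script sources
do not allow inline or eval script. Added example; header values are constructed."""

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the usual "two-year" HSTS value
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_hsts(value):
    """Map HSTS directive names (lowercased) to values; bare directives map to None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(value, min_age=TWO_YEARS):
    """Return findings for a Strict-Transport-Security value; empty list means it meets policy."""
    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("hsts: missing or non-numeric max-age")
    elif int(max_age) < min_age:
        findings.append(f"hsts: max-age {max_age} below required {min_age}")
    if "includesubdomains" not in d:
        findings.append("hsts: includeSubDomains missing")
    return findings


def parse_csp(value):
    """Map CSP directive names to their source lists, all lowercased."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_csp(value):
    """Flag a missing default-src fallback and script sources that defeat XSS protection."""
    findings = []
    d = parse_csp(value)
    if "default-src" not in d:
        findings.append("csp: no default-src fallback")
    # script-src falls back to default-src when absent, exactly as browsers resolve it.
    script = d.get("script-src", d.get("default-src", []))
    # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    # so it is only a weakness when it stands alone.
    strict = any(t.startswith(HASH_OR_NONCE) for t in script)
    if "'unsafe-inline'" in script and not strict:
        findings.append("csp: script sources allow 'unsafe-inline'")
    for bad in ("'unsafe-eval'", "*", "http:", "https:"):
        if bad in script:
            findings.append(f"csp: script sources allow {bad}")
    return findings


def audit_headers(headers):
    """Audit a response-header dict (names matched case-insensitively); returns all findings."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    findings += check_hsts(hsts) if hsts is not None else ["strict-transport-security header missing"]
    csp = lower.get("content-security-policy")
    findings += check_csp(csp) if csp is not None else ["content-security-policy header missing"]
    return findings


# Constructed header sets for the example, not captured from any real site.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d41d8cd9'; "
                               "object-src 'none'; frame-ancestors 'none'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

To use it against a live deployment, fetch the response headers with any HTTP client and pass the header mapping to audit_headers; a clean result is an empty list. The CSP check deliberately treats 'unsafe-inline' next to a nonce or hash as acceptable, because modern browsers ignore it in that position and it only serves as a fallback for old ones.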

HIPAA technical safeguards

How ProDocNotes maps to HIPAA Security Rule requirements

The HIPAA Security Rule specifies required and addressable technical safeguards for covered entities and business associates. Here is how ProDocNotes implements each.

Each entry lists the safeguard, its status at ProDocNotes, and how it is implemented.

Access Control, §164.312(a)(1): Implemented. MFA enforced on all accounts; users access only their own documentation; principle of least privilege applied throughout.

Audit Controls, §164.312(b): Implemented. Complete audit log of all login events, note creation, note access, and session termination; tamper-resistant and available for review.

Integrity, §164.312(c)(1): Implemented. Access controls prevent unauthorized alteration of documentation, which is stored encrypted.

Person or Entity Authentication, §164.312(d): Implemented. Mandatory multi-factor authentication for all accounts. No single-factor access to PHI.

Transmission Security, §164.312(e)(1): Implemented. TLS encryption for all data in transit. HTTPS enforced via HSTS (2-year policy, subdomain coverage).

Automatic Logoff, §164.312(a)(2)(iii) (addressable implementation specification): Implemented. Configurable idle session timeout with user warning before automatic logoff. All session events logged.

Minimum Necessary, §164.514(d) (a Privacy Rule standard rather than a Security Rule technical safeguard): By design. Users have access only to their own documentation. No cross-account PHI access.

Common questions

Frequently asked questions about security & compliance

Is ProDocNotes HIPAA-compliant?

ProDocNotes is designed and operated in compliance with HIPAA Security Rule and Privacy Rule requirements applicable to covered entities and business associates. Implemented technical safeguards include encryption of data in transit (TLS) and at rest, mandatory multi-factor authentication (MFA) for all accounts, automatic session timeout implementing the HIPAA automatic logoff specification, PHI-safe AI processing, and a complete audit trail of all login events, note creation, note access, and documentation actions.

Does ProDocNotes sign a Business Associate Agreement (BAA)?

Business Associate Agreement availability is determined on a case-by-case basis for healthcare organizations that require one under HIPAA. Contact us at [email protected] to discuss BAA requirements for your organization.

What happens to patient data entered into ProDocNotes?

Patient documentation you enter into ProDocNotes is stored encrypted, associated only with your account, and is not shared with third parties. ProDocNotes does not sell, license, or use your clinical documentation data for advertising or analytics purposes. Your documentation is your data.

How does the automatic session timeout work?

The HIPAA Security Rule lists automatic logoff (§164.312(a)(2)(iii)) as an addressable implementation specification: covered entities and business associates implement it, or document why an equivalent alternative measure is adequate, to prevent unauthorized access to systems left unattended. ProDocNotes enforces an idle session timeout that shows a warning countdown before signing you out automatically. The timeout is applied to all sessions, and every session start and termination is recorded in the audit log.
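The mechanics behind this answer and the "HIPAA automatic logoff" and "Complete audit trail" sections above, as an added example rather than ProDocNotes code: an in-memory session store that enforces the idle timeout on the server, exposes a countdown for the warning banner, and records login and termination events in an audit log. The timeout values, event names, session identifiers and user names are assumptions. The point for a practitioner is that the countdown poll must not count as activity (otherwise the banner keeps the session alive) and that expiry is decided by the server, so a tampered browser timer cannot extend a session.

```python
"""Server-side idle-timeout enforcement with a warning window and an audit
trail. Added example for illustration, not ProDocNotes code: the timeout
values, event names and in-memory stores are assumptions. The browser
countdown is a courtesy; the server decides whether a session is still
valid, so a tampered client timer cannot keep a session alive."""

from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # assumed: sign out after 15 minutes without a request
WARNING_WINDOW = 2 * 60       # assumed: show the countdown during the last 2 minutes
ABSOLUTE_TIMEOUT = 12 * 3600  # assumed: hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_activity: float
    active: bool = True


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only within this example

    def _log(self, event, session_id, user_id, now, **extra):
        # A production deployment would write to an append-only or hash-chained sink.
        self.audit_log.append({"ts": now, "event": event, "session": session_id,
                               "user": user_id, **extra})

    def _terminate(self, session_id, s, now, reason):
        s.active = False
        self._log("session_terminated", session_id, s.user_id, now, reason=reason)

    def login(self, session_id, user_id, now):
        self.sessions[session_id] = Session(user_id, now, now)
        self._log("login", session_id, user_id, now)

    def touch(self, session_id, now):
        """Validate a real request; returns True if the session is still usable.
        Genuine activity resets the idle clock; expiry is logged exactly once."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return False
        if now - s.last_activity >= IDLE_TIMEOUT:
            self._terminate(session_id, s, now, "idle_timeout")
            return False
        if now - s.created_at >= ABSOLUTE_TIMEOUT:
            self._terminate(session_id, s, now, "absolute_timeout")
            return False
        s.last_activity = now
        return True

    def status(self, session_id, now):
        """Countdown poll for the warning banner. Deliberately does NOT count as
        activity; otherwise the banner's own polling would keep the session alive."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return {"active": False, "remaining": 0, "warn": False}
        remaining = IDLE_TIMEOUT - (now - s.last_activity)
        if remaining <= 0:
            self._terminate(session_id, s, now, "idle_timeout")
            return {"active": False, "remaining": 0, "warn": False}
        return {"active": True, "remaining": remaining, "warn": remaining <= WARNING_WINDOW}

    def logout(self, session_id, now):
        s = self.sessions.get(session_id)
        if s is not None and s.active:
            self._terminate(session_id, s, now, "user_logout")


def demo():
    """Walk one session through login, activity, the warning window and expiry."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    store.login("sess-1", "dr-example", t0)  # constructed identifiers
    ok = store.touch("sess-1", t0 + 600)                  # real activity at 10 min resets the clock
    last = t0 + 600
    warned = store.status("sess-1", last + 13 * 60 + 30)  # 13.5 min idle: inside the warning window
    expired = store.status("sess-1", last + 15 * 60 + 1)  # past the limit: terminated and logged
    rejected = store.touch("sess-1", last + 15 * 60 + 2)  # a late request is refused, not revived
    return store, ok, warned, expired, rejected


if __name__ == "__main__":
    store, *_ = demo()
    for entry in store.audit_log:
        print(entry)
```

Running the module prints the two audit entries for the demo session: the login and a termination with reason idle_timeout. The warning poll at 13.5 minutes reports 90 seconds remaining without resetting the clock, which is why the next poll at 15 minutes and one second expires the session.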

Is the AI assistant safe to use with patient information?

Yes. The ProDocNotes AI assistant is built with PHI safety guardrails as a design requirement, not a later addition. Patient information processed by the AI assistant is not used for AI model training. AI processing is conducted under HIPAA-appropriate data handling conditions.

Have a security or privacy question? Contact our security team at [email protected] or our privacy team at [email protected]. You can also review our Notice of Privacy Practices, Privacy Policy, and Terms of Use.

Documentation you can trust with PHI

HIPAA-compliant by design. Free account. Start documenting with the security your patients' data demands.