Security & Compliance Overview
HIPAA Compliance Framework
Rosegard Health operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities. Our compliance program encompasses the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and the HITECH Act.
- Business Associate status: Rosegard Health acknowledges its obligations as a Business Associate and maintains compliance with 45 CFR Parts 160 and 164.
- BAA execution: A Business Associate Agreement is executed with each Covered Entity prior to any PHI being processed through PATFlow.
- Privacy Rule compliance: PHI is used and disclosed only as permitted by the applicable BAA and HIPAA Privacy Rule.
- Security Rule compliance: Administrative, technical, and physical safeguards are implemented in accordance with 45 CFR Part 164, Subpart C.
- Minimum necessary standard: Access to PHI is limited to the minimum necessary for users to perform their authorized functions.
- Risk assessments: Annual risk assessments are conducted to identify and mitigate threats to PHI; the most recent assessment was completed in March 2026.
Infrastructure & Hosting
PATFlow is hosted on Amazon Web Services (AWS), a HIPAA-eligible cloud infrastructure provider. AWS maintains SOC 1/2/3, ISO 27001, and FedRAMP compliance certifications. All HIPAA-eligible AWS services used by PATFlow are covered under our AWS Business Associate Agreement.
- Compute: AWS ECS Fargate (serverless containers) — no shared servers, no SSH access to production hosts.
- Region: US East (Ohio, us-east-2) — all data remains within the United States.
- Load balancing: AWS Application Load Balancer with ACM-managed TLS certificates.
- Database: Amazon RDS for PostgreSQL (managed; covered by the AWS BAA listed below) with automated backups and encryption at rest.
- Email delivery: HIPAA-eligible email delivery provider (BAA in place) for transactional email communications.
- SMS delivery: HIPAA-eligible SMS/messaging provider (BAA in place) for transactional SMS/text messages.
- Container registry: AWS Elastic Container Registry (ECR) with image scanning.
Data Encryption
- In transit: TLS/HTTPS is enforced for all connections between users, the application, and third-party services. HTTP requests are automatically redirected to HTTPS.
- At rest: The PostgreSQL database uses AWS-managed encryption at rest (AES-256). Automated backups inherit the same encryption.
- Database connections: All connections between the application and the database are encrypted with TLS (still labelled "SSL" in PostgreSQL client settings).
- Password storage: User passwords are hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored or logged.
- Secrets management: API keys, database credentials, and other secrets are stored as encrypted environment variables — never in source code.
Access Controls
- Role-based access (RBAC): Facility-scoped roles (Administrator, Nurse, Anesthesia, Scheduling, Surgeon Office, and additional specialty roles as needed) control which features and data each user can access.
- Facility isolation: Users can only access data within their own facility. Cross-facility data access is not possible.
- Surgeon-linked visibility: Surgeon office users (PAs, staff) are linked to a specific surgeon and see only that surgeon's patients in QuickScreen and scheduling workflows, while maintaining individual audit trails.
- Single-session enforcement: Each user can have only one active session at a time. Logging in from a new device automatically invalidates the previous session.
- Session timeouts: Sessions automatically expire after 15 minutes of inactivity (idle timeout) and after 8 hours regardless of activity (absolute timeout).
- Multi-factor authentication: TOTP-based MFA is mandatory for all users, enforced at login. Backup recovery codes are provided during enrollment. MFA cannot be disabled by end users.
- Password policy: Minimum 8 characters with complexity requirements (uppercase, lowercase, numbers, special characters). Passwords expire every 90 days. Password history prevents reuse of previous passwords.
- Rate limiting: Authentication endpoints, API requests, and MFA attempts are rate-limited to prevent brute-force attacks.
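The session rules in the list above (one live session per user, a 15-minute idle timeout, an 8-hour absolute timeout) are easy to get subtly wrong, in particular letting activity extend the absolute limit. The following is an added example, not PATFlow's code: an in-memory store with an injectable clock so the expiry paths can be exercised; the store, the event names in the audit list and the clock injection are assumptions, the two durations are the page's.

```python
"""Single-session enforcement with idle and absolute timeouts (added example,
not PATFlow code). The store, event names and injectable clock are assumptions;
the 15 min / 8 h values are the ones stated on the page."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = 15 * 60          # page's value: expire after 15 min without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # page's value: expire 8 h after login regardless


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store (assumption). A clock function is injected so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}           # user_id -> the single live token
        self.audit: List[Tuple[str, str, str]] = []  # (event, user_id, token prefix)

    def login(self, user_id: str) -> str:
        """Issue a fresh token. Any session the user already had is revoked first,
        which is what makes a login from a new device log the old one out."""
        old = self._by_user.get(user_id)
        if old is not None:
            self._revoke(old, "session_replaced")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._by_token[token] = Session(user_id, created_at=now, last_seen=now)
        self._by_user[user_id] = token
        self.audit.append(("login", user_id, token[:8]))
        return token

    def touch(self, token: str) -> Optional[str]:
        """Called on every request. Returns the user id for a live session, or None
        after revoking a session that has hit either timeout."""
        sess = self._by_token.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created_at >= ABSOLUTE_TIMEOUT:
            self._revoke(token, "absolute_timeout")  # checked first: activity never extends it
            return None
        if now - sess.last_seen >= IDLE_TIMEOUT:
            self._revoke(token, "idle_timeout")
            return None
        sess.last_seen = now                          # activity resets only the idle clock
        return sess.user_id

    def logout(self, token: str) -> None:
        self._revoke(token, "logout")

    def _revoke(self, token: str, reason: str) -> None:
        sess = self._by_token.pop(token, None)
        if sess is not None:
            if self._by_user.get(sess.user_id) == token:
                del self._by_user[sess.user_id]
            self.audit.append((reason, sess.user_id, token[:8]))


if __name__ == "__main__":
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    first = store.login("nurse-17")
    second = store.login("nurse-17")        # second device: `first` is revoked
    print(store.touch(first), store.touch(second))   # None nurse-17
    now[0] += 16 * 60
    print(store.touch(second))                       # None (idle timeout)
    print(store.audit)
```

Two details worth keeping when this is backed by a real database: only a token prefix goes into the audit trail, so the log never becomes a session-hijacking oracle, and the absolute check runs before the idle check so that a client polling every minute still loses its session at the 8-hour mark.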
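The Multi-factor authentication and Rate limiting items together describe a TOTP check that must also resist brute force of the six-digit space. This added example (not PATFlow's code) implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, rejects replay of a code already accepted, locks a user after repeated failures, and keeps backup recovery codes only as digests. The skew window, failure threshold, lockout length and recovery-code format are assumptions; the HOTP/TOTP arithmetic is the RFCs' and is checked against their published test vectors.

```python
"""TOTP verification with replay protection, MFA attempt limiting and hashed
recovery codes (added example, not PATFlow code). STEP/DIGITS follow RFC 6238;
SKEW_STEPS, MAX_FAILURES, LOCKOUT_SECONDS and the recovery-code length are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Set, Tuple

STEP = 30               # RFC 6238 default, matches common authenticator apps
DIGITS = 6
SKEW_STEPS = 1          # assumption: accept the previous and next step for clock drift
MAX_FAILURES = 5        # assumption: consecutive bad codes before a lockout
LOCKOUT_SECONDS = 300   # assumption


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
    SHA-1 is used here as a keyed MAC, which is what the RFC specifies."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, int(at) // step)


class MfaVerifier:
    """Per-user state: last accepted counter (blocks replay of a code that is still
    inside its window), consecutive failure count, and lockout expiry. The TOTP seed
    itself is the caller's to store encrypted; it is only passed in for verification."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._last_counter: Dict[str, int] = {}
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def verify_totp(self, user_id: str, key: bytes, code: str) -> bool:
        now = self._clock()
        if self._locked_until.get(user_id, 0.0) > now:
            return False                  # locked out: the code is not even evaluated
        if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
            return self._fail(user_id, now)
        current = int(now) // STEP
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if counter <= self._last_counter.get(user_id, -1):
                continue                  # already used (or older): reject replays
            if hmac.compare_digest(hotp(key, counter), code):
                self._last_counter[user_id] = counter
                self._failures.pop(user_id, None)
                return True
        return self._fail(user_id, now)

    def _fail(self, user_id: str, now: float) -> bool:
        n = self._failures.get(user_id, 0) + 1
        if n >= MAX_FAILURES:
            self._locked_until[user_id] = now + LOCKOUT_SECONDS
            self._failures.pop(user_id, None)
        else:
            self._failures[user_id] = n
        return False


def generate_recovery_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """Backup codes shown once at enrollment; only their SHA-256 digests are retained."""
    codes = [secrets.token_hex(6) for _ in range(n)]   # 48 random bits each (assumption)
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(stored: Set[str], code: str) -> bool:
    """Single use: the matching digest is removed so the same code cannot be replayed.
    Plain set membership is acceptable here because both sides are digests of
    high-entropy random values, not user-chosen secrets."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```

The lockout counter is per user rather than per source IP on purpose: the attacker can rotate addresses, but cannot rotate the victim. Pair it with the endpoint-level limit the page mentions so that a distributed guesser is also slowed before it reaches the verifier.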
Audit Logging
PATFlow maintains comprehensive, tamper-evident audit trails as required by HIPAA (45 CFR §164.312(b)):
- Tracked events: Logins, failed login attempts, case creation and updates, clinical assessments, data exports, administrative actions, QuickScreen submissions, override decisions, and access control events.
- Captured metadata: Each entry records user ID, email, action type, affected resource, IP address, user agent, timestamp, and contextual details.
- PHI-safe logging: Application logs automatically strip sensitive fields (patient names, dates of birth, contact information) before writing to log output.
- Correlation IDs: Every request is assigned a unique correlation ID, enabling end-to-end tracing for incident investigation.
- Access denial logging: Failed access attempts due to role restrictions or facility isolation are specifically logged for security monitoring.
- Retention: Audit logs are retained for a minimum of 6 years, consistent with the HIPAA documentation retention requirement (45 CFR §164.530(j)).
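The PHI-safe logging and correlation ID items above describe a scrubbing step that has to run before any handler formats a log line, plus a request-scoped ID carried on every record. The following added example (not PATFlow's code) shows one way to do that with the standard library: a `logging.Filter` that rewrites the message and its arguments, a `contextvars` correlation ID, and a builder for the audit entry fields listed under Captured metadata. The sensitive field names, the regexes and the entry layout are assumptions chosen to match the page's description.

```python
"""PHI-safe application logging, correlation IDs and audit entries (added
example, not PATFlow code). SENSITIVE_KEYS, PATTERNS and the audit layout are
assumptions; the page states the goal, not the rules."""
import contextvars
import json
import logging
import re
import uuid
from typing import Any, Optional

# One ID per request, visible to every log line emitted while handling it.
correlation_id = contextvars.ContextVar("correlation_id", default="-")


def begin_request(cid: Optional[str] = None) -> str:
    """Assign a fresh correlation ID, or adopt one handed in (e.g. from an upstream header)."""
    cid = cid or str(uuid.uuid4())
    correlation_id.set(cid)
    return cid


# Structured fields dropped outright, whatever their value (assumed names).
SENSITIVE_KEYS = {"patient_name", "first_name", "last_name", "dob", "date_of_birth",
                  "phone", "email", "address", "mrn"}

# Free-text patterns. Order matters: e-mail, then phone, then date, so a digit run
# consumed by one rule is not partially re-matched by the next. The date rule is
# deliberately broad: it also hides operational dates, which is the safer failure.
PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def redact_text(text: str) -> str:
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text


def redact(value: Any) -> Any:
    """Recursively scrub dicts, lists and strings; other scalars pass through."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


class PhiRedactingFilter(logging.Filter):
    """Rewrites the message and its arguments before any handler formats them and
    stamps the record for a %(correlation_id)s field in the formatter."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        elif record.args:
            record.args = redact(record.args)
        record.correlation_id = correlation_id.get()
        return True


def configure_logging() -> logging.Logger:
    """Attach the filter to the handler, so it runs before the record is formatted."""
    handler = logging.StreamHandler()
    handler.addFilter(PhiRedactingFilter())
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s [%(correlation_id)s] %(message)s"))
    logger = logging.getLogger("patflow")
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def redacted_message(msg: str, *args: Any) -> str:
    """Format one log line exactly as the filter would leave it (used by the checks)."""
    record = logging.LogRecord("patflow", logging.INFO, "app.py", 0, msg, args, None)
    PhiRedactingFilter().filter(record)
    return record.getMessage()


def audit_event(action: str, resource: str, user_id: str, email: str,
                ip: str, user_agent: str, details: dict) -> dict:
    """One audit-trail entry with the metadata the page lists. The actor's own e-mail
    is an audit field and is kept; patient-side data lives in `details` and is scrubbed."""
    return {
        "correlation_id": correlation_id.get(),
        "user_id": user_id,
        "email": email,
        "action": action,
        "resource": resource,
        "ip": ip,
        "user_agent": user_agent,
        "details": redact(details),
    }


def audit_line(**kwargs: Any) -> str:
    return json.dumps(audit_event(**kwargs), sort_keys=True)
```

Note the asymmetry: the audit trail must identify who acted (user ID, e-mail, IP) while application logs must not identify the patient, so the same scrubber is applied only to the free-text and patient-side parts of an audit entry. A filter attached to the handler, as above, also catches lines from third-party libraries that log through the same handler.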
Data Isolation
- Row-level security (RLS): Database-level policies ensure that queries only return records belonging to the user's facility, regardless of application logic.
- Facility scoping: All clinical data (cases, submissions, notifications) is scoped to the facility that created it.
- Emergency access: In rare situations that require cross-facility access, a break-glass mechanism grants temporary access only with a written justification; the grant expires automatically after 60 minutes, and every grant and use is audit-logged.
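The facility isolation and surgeon-linked visibility rules (Access Controls), the access denial logging item (Audit Logging) and the emergency access item above are one authorization decision seen from several angles. The following added example (not PATFlow's code) puts them in a single `can_view_case` check: facility isolation first, then the surgeon link, with a break-glass grant that refuses an empty justification, expires after 60 minutes and is logged on grant, use and expiry. The role names, record shapes and event names are assumptions; the 60-minute expiry is the page's.

```python
"""Facility isolation, surgeon-linked visibility, denial logging and 60-minute
break-glass access in one authorizer (added example, not PATFlow code). Roles,
dataclasses and event names are assumptions; EMERGENCY_ACCESS_TTL is the page's value."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EMERGENCY_ACCESS_TTL = 60 * 60   # page's value: emergency access expires after 60 minutes


@dataclass(frozen=True)
class User:
    id: str
    facility_id: str
    role: str                          # e.g. "nurse", "surgeon_office", "administrator"
    surgeon_id: Optional[str] = None   # populated only for surgeon office users


@dataclass(frozen=True)
class Case:
    id: str
    facility_id: str
    surgeon_id: str


@dataclass
class EmergencyGrant:
    user_id: str
    facility_id: str
    justification: str
    granted_at: float


class Authorizer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants: Dict[Tuple[str, str], EmergencyGrant] = {}
        self.audit: List[dict] = []   # stands in for the audit table

    def _log(self, event: str, user: User, resource: str, **extra) -> None:
        self.audit.append({"event": event, "user_id": user.id, "resource": resource,
                           "at": self._clock(), **extra})

    def grant_emergency_access(self, user: User, facility_id: str, justification: str) -> EmergencyGrant:
        """Break-glass: refused without a written reason; expires on its own."""
        if not justification or not justification.strip():
            raise ValueError("emergency access requires a written justification")
        grant = EmergencyGrant(user.id, facility_id, justification.strip(), self._clock())
        self._grants[(user.id, facility_id)] = grant
        self._log("emergency_access_granted", user, facility_id, justification=grant.justification)
        return grant

    def _active_grant(self, user: User, facility_id: str) -> Optional[EmergencyGrant]:
        grant = self._grants.get((user.id, facility_id))
        if grant is None:
            return None
        if self._clock() - grant.granted_at >= EMERGENCY_ACCESS_TTL:
            del self._grants[(user.id, facility_id)]
            self._log("emergency_access_expired", user, facility_id)
            return None
        return grant

    def can_view_case(self, user: User, case: Case) -> bool:
        """Evaluated on every read. Denials are logged with the rule that fired."""
        if case.facility_id != user.facility_id:
            grant = self._active_grant(user, case.facility_id)
            if grant is None:
                self._log("access_denied", user, case.id, reason="facility_isolation")
                return False
            self._log("emergency_access_used", user, case.id, justification=grant.justification)
            return True
        if user.role == "surgeon_office" and case.surgeon_id != user.surgeon_id:
            self._log("access_denied", user, case.id, reason="surgeon_link")
            return False
        self._log("case_viewed", user, case.id)
        return True

    def visible_cases(self, user: User, cases: List[Case]) -> List[Case]:
        """Narrowing for list views such as QuickScreen: same rules, no per-row denial
        entries, and no break-glass widening of a listing (assumption)."""
        return [c for c in cases
                if c.facility_id == user.facility_id
                and (user.role != "surgeon_office" or c.surgeon_id == user.surgeon_id)]
```

This is the application-layer half of the control; the page's row-level security policies in the database are the second, independent layer, so a bug in `can_view_case` still cannot return another facility's rows. Keeping the denial reason in the audit entry is what makes the Access denial logging item useful for detection: a burst of `facility_isolation` denials from one account is a clear signal, a bare 403 count is not.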
Application Security
- Security headers: a strict Content-Security-Policy (CSP); Strict-Transport-Security (HSTS) with a one-year max-age and the preload directive; and X-Frame-Options: DENY to prevent clickjacking.
- CSRF protection: Authenticated state-changing requests require a valid CSRF token.
- Cookie security: Session cookies are HttpOnly, Secure, and SameSite=Strict.
- Permissions policy: Browser access to camera, microphone, and geolocation is explicitly disabled.
- Error handling: Error responses are sanitized to prevent information leakage. Emails, phone numbers, and PHI are redacted from error logs.
- Input validation: All API inputs are validated server-side using schema validation (Zod).
- Self-hosted assets: All fonts and static assets are self-hosted — no external CDN dependencies that could introduce third-party tracking.
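The headers, CSRF and cookie items above are usually wired up as one piece of middleware. The following added example (not PATFlow's code) does that with plain dicts standing in for a framework's request and response: every response gets the header set, state-changing methods are refused without a CSRF token bound to the caller's session, and the session cookie is written with the three attributes the page lists. The exact CSP directives beyond "strict", the HMAC token-binding scheme and the request/response shapes are assumptions.

```python
"""Security headers, session-bound CSRF tokens and cookie attributes as middleware
(added example, not PATFlow code). The CSP directive list, the HMAC binding scheme
and the dict-based request/response are assumptions."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

SECURITY_HEADERS: Dict[str, str] = {
    # Self-hosted assets mean no third-party origins are needed in the policy.
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; "
        "font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; "
        "base-uri 'self'; form-action 'self'"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",  # 1 year, preload
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SESSION_COOKIE_ATTRIBUTES = "Path=/; HttpOnly; Secure; SameSite=Strict"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Binding to the session id means a
    token captured from one session is useless against another, with no server-side
    token table to keep in sync."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(secret: bytes, session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def with_security_headers(response: dict) -> dict:
    response.setdefault("headers", {}).update(SECURITY_HEADERS)
    return response


def set_session_cookie(response: dict, session_id: str) -> dict:
    response.setdefault("headers", {})["Set-Cookie"] = f"session={session_id}; {SESSION_COOKIE_ATTRIBUTES}"
    return response


def handle(request: dict, secret: bytes, handler: Callable[[dict], dict]) -> dict:
    """request: {"method", "headers", "cookies", "form"}; returns {"status", "headers", "body"}.
    The CSRF check runs before the handler; every response, including the 403, gets
    the security headers."""
    session_id = request.get("cookies", {}).get("session")
    if request["method"] in STATE_CHANGING:
        token = (request.get("headers", {}).get("X-CSRF-Token")
                 or request.get("form", {}).get("csrf_token", ""))
        if not session_id or not csrf_token_valid(secret, session_id, token):
            # Generic body: nothing about the session or the token is echoed back.
            return with_security_headers({"status": 403, "headers": {}, "body": "Forbidden"})
    return with_security_headers(handler(request))
```

SameSite=Strict on the session cookie already stops most cross-site request forgery on its own; the token is the second, browser-independent layer, and the check is deliberately placed on the method rather than on particular routes so a new state-changing endpoint cannot be forgotten.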
Breach Notification
In compliance with the HIPAA Breach Notification Rule (45 CFR §§164.400-414) and the HITECH Act, Rosegard Health maintains documented breach notification procedures:
- Detection and assessment: Security incidents involving PHI are promptly identified, documented, and assessed to determine if a breach has occurred.
- Notification timeline: Affected Covered Entities are notified without unreasonable delay and no later than five (5) business days after discovery of a breach of unsecured PHI.
- Notification content: Notifications include the nature of the breach, types of PHI involved, steps taken to investigate and mitigate, and recommended protective actions.
- Mitigation: Rosegard Health takes immediate steps to mitigate harmful effects of any breach to the extent practicable.
- Documentation: All breach investigations and notifications are documented and retained for a minimum of 6 years.
To report a security incident or concern, contact security@rosegard.com immediately.
Data Retention & Disposal
- Retention period: Configurable per facility (default: 7 years, consistent with standard medical record retention guidelines).
- Audit log retention: Minimum 6 years, consistent with the HIPAA documentation retention requirement (45 CFR §164.530(j)).
- Soft delete: Expired records can be purged of clinical content while preserving the audit trail for compliance review.
- Hard delete: Complete removal of expired records is available after the retention period, with audit logging of the deletion event.
- BAA termination: Upon termination of a BAA, PHI is returned or destroyed in accordance with 45 CFR §164.504(e)(2)(ii)(J), except where retention is required by law.
- Retention reporting: Facilities can generate retention reports showing which records are approaching or past their retention date.
Disaster Recovery & Business Continuity
PATFlow's infrastructure is designed for reliability and rapid recovery as part of our HIPAA contingency plan (45 CFR §164.308(a)(7)):
- Automated health checks: The load balancer continuously monitors application health and routes traffic only to healthy instances.
- Auto-restart: Unhealthy containers are automatically stopped and replaced by AWS ECS.
- Database backups: Automated daily backups with point-in-time recovery capability.
- Infrastructure as code: The entire deployment pipeline is codified, enabling rapid re-deployment of the complete environment.
- Container image versioning: All deployment images are versioned and stored in ECR, allowing rollback to any previous version.
Business Associate Agreements
Rosegard Health executes a Business Associate Agreement (BAA) with each Covered Entity prior to any PHI being processed through PATFlow, as required by HIPAA (45 CFR §164.504(e)).
- AWS BAA: Amazon Web Services provides a BAA covering all HIPAA-eligible services used by PATFlow (ECS, RDS, ECR, ALB).
- Rosegard BAA: Rosegard Health's own BAA, executed with your organization (the Covered Entity) before any PHI is processed through PATFlow.
- Sub-processor agreements: Data processing agreements and BAAs are established with sub-processors as part of onboarding. Current sub-processor BAA status is tracked in an internal register and available upon request.
To request a BAA or discuss compliance requirements, contact security@rosegard.com.
Compliance Documentation
Rosegard Health maintains the following compliance documentation, available upon request under NDA:
- HIPAA Risk Assessment
- Breach Notification Policy & Procedures
- Incident Response Plan
- Security Officer Designation
- Workforce Training Records
- Data Retention & Disposal Policy
- Business Associate Agreement (template)
- Sub-processor Register
For copies of any compliance documentation or to schedule a security review call, contact security@rosegard.com.
About PATFlow: PATFlow is a HIPAA-compliant clinical decision support platform for preoperative coordination. It uses a deterministic, guideline-cited reasoning engine — not generative AI — to support clinical decision-making. All clinical decisions remain the responsibility of the treating clinician. PATFlow does not replace independent clinical judgment.