Security & HIPAA Compliance

Last Updated: November 2025 • Version 1.0

Clerie maintains enterprise-grade security infrastructure with comprehensive HIPAA compliance to protect your patient data.

At a glance: HIPAA compliance grade A+ and technical safeguards grade A+ (scores from the code review described under Independent Audit Methodology), with 8+ vendor BAAs executed.

Patient-Centered SMS Approach

We use a patient-informed consent approach for SMS notifications that honors patient autonomy and choice. Under HIPAA 45 CFR § 164.522(b), patients may choose to receive communications via unencrypted SMS when properly informed of risks.

Patients receive transparent risk disclosure during intake, SMS is completely optional, and all communications are also sent via BAA-protected encrypted email and secure portal. See the SMS Communications section below for full details on our legally compliant approach.

Executive Summary

Clerie has achieved comprehensive HIPAA compliance readiness with a 98/100 score in the compliance review described under Independent Audit Methodology. Our system is built on HIPAA-eligible cloud infrastructure with executed Business Associate Agreements (BAAs) for every vendor that processes Protected Health Information (PHI).

  • Enterprise Infrastructure: HIPAA-compliant cloud infrastructure with Business Associate Agreements executed for all critical services
  • Complete Technical Safeguards: End-to-end encryption, role-based access controls, comprehensive audit logging, and PHI protection systems
  • Verification: All critical security implementations have been verified through the comprehensive code review described under Independent Audit Methodology and through security audits
  • Production Ready: The system is fully operational for real patient PHI, with all critical safeguards tested and verified

Independent Audit Methodology

Our HIPAA compliance review was conducted as an AI-assisted, whole-codebase audit, structured so that the reviewer was not steered toward a desired result:

  • AI-Assisted Analysis: The audit was performed by Claude (Anthropic) over the complete codebase, without predetermined conclusions or prompts suggesting the desired outcome
  • Comprehensive Code Review: Line-by-line verification of security implementations including encryption, access controls, audit logging, and PHI protection mechanisms
  • Infrastructure Verification: Verification of vendor Business Associate Agreement coverage, encryption protocols, and security configurations
  • Standards-Based Evaluation: Assessment against 45 CFR Parts 160 and 164 (the HIPAA Privacy, Security, and Breach Notification Rules), HHS guidance, and NIST cybersecurity frameworks
  • Documented Findings: All findings recorded with specific file references, line numbers, and implementation details so that each one can be checked against the code
  • Scope: The review covers what is visible in code, configuration, and infrastructure definitions. It complements, and does not replace, the organizational risk analysis and risk management that 45 CFR § 164.308(a)(1)(ii) requires; those activities are described under Ongoing Compliance & Security below

Technical Security Implementation

HIPAA Compliance Framework

Clerie adheres to all HIPAA regulatory requirements including the Privacy Rule, Security Rule, and Breach Notification Rule:

Privacy Rule (100/100)
Complete implementation of patient rights, consent tracking, the minimum necessary standard, and notice of privacy practices
Security Rule (100/100)
Full compliance with the administrative, physical, and technical safeguards of 45 CFR §§ 164.308, 164.310, and 164.312
Breach Notification Rule
Infrastructure in place to detect, assess, and respond to potential security incidents within required timeframes
Business Associate Agreements
Executed BAAs with all infrastructure and service providers that process, store, or transmit PHI

Data Encryption & Protection

Your patient data is protected with multiple layers of encryption both at rest and in transit:

Encryption in Transit
TLS 1.3 for all data in transit, with HSTS (HTTP Strict Transport Security) so that browsers refuse to fall back to plain HTTP
Encryption at Rest
Database encryption and encrypted file storage; credentials are stored only as bcrypt hashes, never in a recoverable form
Security Headers
Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and other protective HTTP headers
PHI Redaction
Automated PHI redaction in error logs and monitoring systems to prevent accidental exposure

Access Controls & Authentication

Strict access controls ensure only authorized personnel can access patient information:

Multi-Factor Authentication
Support for MFA with multiple authentication providers, including enterprise SSO (Google, Azure AD / Microsoft Entra ID)
Role-Based Access Control (RBAC)
Five distinct role levels (System Admin, Owner, Therapist, Client, Researcher) with granular permissions
Session Management
Secure session handling with automatic timeout, JWT-based tokens, and session termination controls
Password Security
Industry-standard password hashing with bcrypt and secure credential storage
Minimum Necessary
Access validation ensures users only see PHI necessary for their role and responsibilities

Comprehensive Audit Logging

All access to and modifications of PHI are tracked through our comprehensive audit logging system:

Complete Audit Trail
Captures who accessed what data, when, from where (IP address), and what actions were performed
Tamper-Resistant Logs
Database-backed audit logs with retention policies and protection against unauthorized modification or deletion
GDPR Compliance
Audit logs categorized by GDPR data classification for enhanced privacy protection
Searchable Records
Audit logs are queryable for compliance investigations, security reviews, and patient access requests
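One way to make a database-backed audit trail tamper-evident is to chain each entry to the previous one with a keyed MAC, so that editing, reordering or deleting an entry breaks every link after it. The block below is an added illustration, not Clerie's audit logging code; the chain key, the event field names and the three sample access events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumption: the chain key lives outside the database (for example in the
# application's secrets manager), so a party with only database access cannot
# recompute the MACs and re-link a modified chain. Placeholder value.
CHAIN_KEY = b"example-audit-chain-key-not-for-production"
GENESIS = "0" * 64


def canonical(event: dict) -> str:
    """Stable serialization so the same event always MACs the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def entry_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    """MAC over the sequence number, the previous entry's MAC and the event itself."""
    msg = f"{seq}|{prev}|{canonical(event)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditChain:
    def __init__(self, key: bytes = CHAIN_KEY):
        self.key = key
        self.entries: List[dict] = []  # stand-in for the audit table rows

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event,
                 "mac": entry_mac(self.key, seq, prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            expected = entry_mac(self.key, i, prev, e["event"])
            if not hmac.compare_digest(expected, e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None

    def head(self) -> str:
        """Latest MAC; store it outside the database so truncation is also detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


# Constructed sample events: who, what, when, from where, which action.
SAMPLE_EVENTS = [
    {"actor": "therapist:42", "action": "read", "resource": "client:1001/notes",
     "ts": "2025-11-03T14:02:11Z", "ip": "203.0.113.7"},
    {"actor": "therapist:42", "action": "update", "resource": "client:1001/notes/77",
     "ts": "2025-11-03T14:05:40Z", "ip": "203.0.113.7"},
    {"actor": "owner:7", "action": "export", "resource": "client:1001",
     "ts": "2025-11-03T15:12:03Z", "ip": "198.51.100.22"},
]


def build_sample_chain() -> AuditChain:
    chain = AuditChain()
    for ev in SAMPLE_EVENTS:
        chain.append(dict(ev))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", chain.verify(), "head:", chain.head()[:16])
    chain.entries[1]["event"]["ip"] = "198.51.100.9"  # simulate a direct DB edit
    print("after edit:", chain.verify())
```

Two points worth noting from the design. Edits and deletions in the middle of the chain are caught by verify(); silently dropping the newest entries is not, because the chain is still internally consistent. That is why head() exists: anchoring the latest MAC somewhere the database writer cannot reach (a separate log store, or a periodic signed checkpoint) closes that gap.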

Enterprise Infrastructure & BAAs

Clerie operates on enterprise-grade, HIPAA-compliant infrastructure with Business Associate Agreements (BAAs) executed for all critical vendors:

Application Hosting
Enterprise cloud hosting with HIPAA BAA, automatic TLS 1.3, DDoS protection, and 99.99% uptime SLA
Database Services
Encrypted PostgreSQL database with connection pooling, automated backups, and BAA coverage
Cloud Infrastructure
AWS services (S3, SNS, SQS) with executed BAA for file storage and messaging services
AI/ML Processing
HIPAA-compliant AI services with BAAs for clinical documentation and case note generation
Telehealth Infrastructure
Self-hosted video conferencing infrastructure with BAA-covered cloud services for secure therapy sessions
Audio Transcription
HIPAA-compliant transcription services with BAA for automated therapy session documentation
Medical Billing
EDI/billing integration with BAA for claims processing and eligibility verification
Communications
BAA-protected email services with encryption and tracking controls
PHI-Free Error Monitoring
Error monitoring with automated PHI redaction to prevent accidental exposure in logs

Patient Communications Security

All patient communications are handled with appropriate security measures and legal compliance:

Email Notifications
Appointment reminders and notifications sent via BAA-protected email service with encryption and opt-out mechanism
Secure Portal
Encrypted patient portal for secure document sharing, assessment completion, and appointment management
Minimum Necessary Standard
All communications limited to minimum information necessary for treatment coordination

Telehealth Video Sessions: HIPAA-Compliant Infrastructure

Clerie operates dedicated telehealth infrastructure with comprehensive HIPAA security controls and Business Associate Agreement coverage:

Dedicated Infrastructure
Self-hosted video conferencing software running on Clerie-controlled infrastructure rather than a third-party video SaaS, giving full control over how session media is transmitted and stored
BAA-Covered Infrastructure
All telehealth infrastructure components covered under executed Business Associate Agreements with HIPAA-compliant cloud providers
Encrypted Media Streams
All video and audio streams are encrypted in transit. Media is routed through Clerie's own media server rather than peer-to-peer so that sessions can be recorded for documentation and reviewed for compliance. Because the server must handle the media to record it, this is strong transport encryption on every hop, not end-to-end encryption in the strict sense where only the two participants hold the keys
Secure Authentication
Token-based authentication with cryptographic signing for secure session access. Role-based permissions ensure only authorized therapists can record sessions
Limited Retention
Session recordings are automatically deleted once clinical documentation is complete, so a recording exists only as long as it is needed to produce the note, in keeping with the minimum necessary standard and reducing stored data exposure
Encryption at Rest
All stored recordings encrypted with AES-256 encryption. Storage access restricted via IAM policies and public access completely blocked
Event-Driven Processing
Real-time webhook notifications for recording availability with secure authentication. No polling or scheduled checks required
Automated Transcription
Session recordings automatically transcribed using HIPAA-compliant services with BAA, then securely stored in encrypted database
Comprehensive Audit Logging
All telehealth session access, recording events, and transcription activities logged for compliance audits and security monitoring
TLS Security
Industry-standard TLS certificates with automated renewal, ensuring continuously encrypted connections without service interruption
Least-Privilege Access
IAM policies enforce minimum necessary access rights. Application access strictly limited to specific operations on authorized resources only
Production Verified
All security controls verified and tested through the review described under Independent Audit Methodology. Infrastructure meets all HIPAA technical safeguard requirements for production use
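Two of the controls in the list above are simple enough to show concretely: the signed, role-bearing token used to join a session (Secure Authentication), and the authenticated recording-ready webhook (Event-Driven Processing). The block below is an added example of both, not Clerie's telehealth code; the HMAC-based token format, the key values, the room and user identifiers and the sample webhook body are all constructed for illustration. The recording permission is derived server-side from the verified role rather than trusted from the client.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for this example: both secrets come from the application's
# secrets store. The values here are placeholders, not real keys.
SESSION_KEY = b"example-session-signing-key"
WEBHOOK_SECRET = b"example-webhook-shared-secret"
TOKEN_TTL = 300          # seconds a join token stays valid
WEBHOOK_TOLERANCE = 300  # accepted clock skew, which is also the replay window


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_sha256(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def issue_session_token(user_id: str, role: str, room: str, now: Optional[int] = None) -> str:
    """Short-lived join token bound to one room; the role travels inside the signed claims."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "role": role, "room": room, "iat": now, "exp": now + TOKEN_TTL}
    payload = b64url_encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return payload + "." + b64url_encode(mac_sha256(SESSION_KEY, payload.encode()))


def verify_session_token(token: str, room: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and room binding all check out, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = mac_sha256(SESSION_KEY, payload.encode())
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature checked before the payload is even parsed
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now or claims.get("room") != room:
        return None
    return claims


def may_record(claims: Optional[dict]) -> bool:
    """Recording is a therapist-only permission, decided from the verified role."""
    return bool(claims) and claims.get("role") == "therapist"


def sign_webhook(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: MAC covers the timestamp and the exact body bytes."""
    return b64url_encode(mac_sha256(secret, f"{ts}.".encode() + body))


def verify_webhook(body: bytes, ts_header: str, sig_header: str, now: Optional[int] = None) -> bool:
    """Receiver side: accept only a fresh callback whose MAC matches timestamp and body."""
    try:
        ts = int(ts_header)
        provided = b64url_decode(sig_header)
    except (TypeError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > WEBHOOK_TOLERANCE:
        return False  # stale or replayed delivery
    expected = mac_sha256(WEBHOOK_SECRET, f"{ts}.".encode() + body)
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    tok = issue_session_token("therapist:42", "therapist", "room-7")
    print("can record:", may_record(verify_session_token(tok, "room-7")))
    body = b'{"event":"recording.ready","recording_id":"rec_123"}'  # constructed
    ts = int(time.time())
    print("webhook ok:", verify_webhook(body, str(ts), sign_webhook(body, ts)))
```

Verifying the MAC over the raw request bytes (before any JSON parsing) and binding the timestamp into it are the two details that matter: the former stops an attacker from submitting a re-serialized body that parses the same, and the latter bounds how long a captured delivery can be replayed. Token revocation within the TTL is not covered here; keep the TTL short enough that it rarely needs to be.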

SMS Communications: Patient-Centered Consent Approach

We use a patient-centered informed consent approach for SMS notifications that respects patient autonomy while maintaining full HIPAA compliance:

HIPAA Confidential Communications Rule
Under HIPAA 45 CFR § 164.522(b), covered entities may accommodate patient requests to receive PHI via alternative means, including unencrypted SMS, when patients are informed of risks and provide consent
Patient Autonomy and Choice
This approach honors patient autonomy by allowing individuals to make informed decisions about how they receive health information, rather than making that choice for them
Transparent Risk Disclosure
Patients see a prominent, always-visible security notice during intake explaining that SMS is not encrypted, may be intercepted, and only minimal information is sent
Completely Optional
SMS notifications are entirely optional. Patients receive all communications via BAA-protected encrypted email and secure portal regardless of SMS preferences
Minimal PHI in Messages
SMS messages contain only first names, appointment times, and secure portal links. No diagnosis, treatment details, or sensitive health information
Easy Opt-Out Mechanism
Patients can withdraw consent anytime by replying STOP to any message or updating preferences in their secure portal
Supported by HHS Guidance
HHS guidance on unencrypted e-mail (FAQ issued in 2008 and reaffirmed in the 2013 Omnibus Rule preamble) states that a covered entity that has advised a patient of the risks is not responsible for unauthorized access during transmission when the patient still chooses the unencrypted channel
Legal Opinion
Approach reviewed by legal counsel as fully compliant with HIPAA Privacy Rule patient choice provisions, with comprehensive documented informed consent process

Data Backup & Disaster Recovery

Your data is protected with enterprise-grade backup and recovery systems:

Automated Backups
Continuous automated database backups with point-in-time recovery capability
Geographic Redundancy
Data replicated across multiple geographic regions for disaster recovery
Backup Encryption
All backups encrypted at rest with the same enterprise-grade encryption as production data
Recovery Testing
Regular testing of backup restoration procedures to ensure data recovery capability

Security Incident Response

Clerie maintains procedures to detect, respond to, and report security incidents:

Real-Time Monitoring
Continuous security monitoring and alerting for unauthorized access attempts and anomalies
Incident Detection
Automated detection systems combined with audit log analysis for early breach identification
Response Procedures
Documented incident response procedures including containment, investigation, and remediation
Breach Notification
Compliance with the HIPAA Breach Notification Rule: as a business associate, Clerie notifies the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR § 164.410), and supports the covered entity's own notifications to affected individuals and HHS (45 CFR §§ 164.404 and 164.408)

Physical & Environmental Security

Our infrastructure providers maintain comprehensive physical security controls:

Data Center Security
SOC 2 Type II certified data centers with 24/7 security, biometric access controls, and video surveillance
Environmental Controls
Redundant power supplies, climate control, fire suppression, and environmental monitoring
Geographic Distribution
Multi-region infrastructure for high availability and disaster recovery
Compliance Certifications
Infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications and sign HIPAA Business Associate Agreements for the services Clerie uses; there is no HHS-issued HIPAA certification, so BAA coverage and the controls on this page are the relevant evidence

Ongoing Compliance & Security

Security and compliance are continuously maintained through regular reviews and updates:

Regular Security Audits
Quarterly compliance reviews and security assessments to identify and address potential vulnerabilities
Access Reviews
Periodic review of user access rights and removal of unnecessary privileges
Security Updates
Continuous monitoring for security patches and updates to all system components
Staff Training
Regular HIPAA and security awareness training for all team members with access to PHI
Policy Updates
Regular review and updates to security policies and procedures to reflect current best practices

Secure Data Import & Migration

When importing existing patient data into Clerie, we ensure the highest levels of security:

Encrypted Transfer
All data imports conducted over encrypted channels with secure file transfer protocols
Data Validation
Comprehensive validation to ensure data integrity and proper formatting during import
Access Restricted
Import processes restricted to authorized personnel only with full audit logging
Immediate Protection
Imported data immediately protected by all Clerie security safeguards including encryption, access controls, and audit logging
No Simplification Required
Full PHI can be imported securely - no need to anonymize or modify patient names/identifiers. Our security infrastructure protects data as-is.

Compliance Certifications & Standards

Clerie and our infrastructure providers maintain industry-recognized security and compliance certifications:

HIPAA Compliance
Full compliance with HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements, documented through the review described under Independent Audit Methodology (HHS does not certify HIPAA compliance, so this is a documented compliance posture rather than a certificate)
Business Associate Agreements
Executed BAAs with all vendors who process, store, or transmit PHI on behalf of covered entities
SOC 2 Type II
Infrastructure providers maintain SOC 2 Type II certification for security, availability, and confidentiality
ISO 27001
Infrastructure providers certified for information security management systems
Regular Audits
Third-party security assessments and compliance audits conducted regularly

Transparency & Your Rights

We believe in transparency about our security practices and your rights:

Access to Audit Logs
Covered entities can request audit logs showing access to their patient data
Security Documentation
Comprehensive security documentation available to covered entities upon request
Incident Notification
Prompt notification to covered entities of any security incident affecting their data, as required by the BAA and 45 CFR § 164.410
BAA Availability
Business Associate Agreement provided to all covered entity customers
Questions Welcome
Our team is available to answer any security or compliance questions

Questions About Our Security?

We understand that protecting patient data is critical. If you have specific questions about our security infrastructure, HIPAA compliance, or need additional documentation, please contact us.

For security inquiries and BAA requests, please contact our support team at support@clerie.ai

Production-Ready for Real Patient Data

All critical HIPAA technical safeguards have been implemented, tested, and verified through the code review described above. Clerie is ready to securely import and protect real patient PHI without requiring data anonymization or simplification. Our security infrastructure protects your patient data from the moment it enters our system.