Compliance & Security
Built for regulated clinical environments
Clinical trial data sits at the intersection of HIPAA-governed PHI and GCP-governed source data requirements. Patientrig is designed with both in mind: HIPAA-aligned data handling, 21 CFR Part 11 aware audit logging, and BAA execution with every clinical site customer. We are pursuing SOC 2 Type I certification — not currently certified. These are design commitments, not certifications.
COMPLIANCE PILLARS
Design Approach
How Patientrig handles regulated data
HIPAA-aligned architecture
Designed for PHI handling, not built for it later
Patientrig is built with HIPAA alignment as a design requirement, not a retrofit. Data access is scoped to the specific FHIR resources required for protocol matching. The minimum-necessary principle is enforced at query level — Patientrig does not request Observation resources unrelated to the active protocol criteria. PHI is not retained beyond the active matching session without explicit site configuration. We execute Business Associate Agreements with all clinical site customers before any EHR access is configured.
Note: "HIPAA certified" is not a real certification. There is no government-issued HIPAA certification. What exists is HIPAA-aligned design and operational practices, which is what we implement and describe here.
- BAA executed with every clinical site customer before any EHR access is established
- Minimum-necessary data access enforced at FHIR query level — no over-broad resource requests
- PHI encrypted in transit via TLS 1.3 and at rest via AES-256
- Sub-processor list available to BAA signatories on request — no hidden third-party PHI access
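To make the minimum-necessary query scoping concrete, here is an added illustration (not Patientrig's code, and not an assertion about how its FHIR client is implemented). It assumes a protocol's criteria are expressed as LOINC codes (the two codes below are constructed sample values), builds a FHIR R4 Observation search that asks only for those codes for one patient, and includes a check that rejects an over-broad request such as an Observation search with no code filter.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: the active protocol's criteria as LOINC codes.
# Hypothetical values, not taken from any real protocol.
PROTOCOL_CRITERIA = {
    "hba1c": "4548-4",   # Hemoglobin A1c
    "egfr": "62238-1",   # estimated GFR
}

LOINC_SYSTEM = "http://loinc.org"


def build_observation_query(base_url, patient_id, criteria_codes):
    """Build a FHIR Observation search restricted to the codes the protocol needs.

    Refuses to build an unscoped query: an Observation search with no `code`
    filter would return every observation on the patient's record.
    """
    codes = sorted(set(criteria_codes))
    if not codes:
        raise ValueError("refusing to build an Observation query with no code filter")
    # FHIR token search: code=system|code,system|code (OR semantics).
    tokens = ",".join(f"{LOINC_SYSTEM}|{c}" for c in codes)
    params = {"patient": patient_id, "code": tokens}
    return f"{base_url.rstrip('/')}/Observation?{urlencode(params)}"


def is_minimum_necessary(url, allowed_codes):
    """Return True only if the query is patient-scoped and requests a subset
    of the allowed codes. Anything broader fails the check."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/Observation"):
        return False
    qs = parse_qs(parsed.query)
    if "patient" not in qs or "code" not in qs:
        return False  # unscoped: no patient or no code restriction
    requested = set()
    for value in qs["code"]:
        for token in value.split(","):
            system, _, code = token.rpartition("|")
            if system and system != LOINC_SYSTEM:
                return False  # foreign code system: not one of the criteria
            requested.add(code)
    return requested <= set(allowed_codes)
```

A gateway that only forwards requests passing `is_minimum_necessary` gives the "enforced at query level" property a concrete control point: the allow-list is the protocol's criteria, so a query for resources outside it cannot reach the EHR.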
PHI Data Flow
21 CFR Part 11
Audit-aware design for regulated data capture
Patientrig adopts a 21 CFR Part 11 aware design approach: all coordinator actions, scoring runs, and candidate status changes are logged with timestamps, user identity, and action type. Logs are append-only and cannot be modified through the application layer.
- Immutable audit log per protocol, exportable as CSV or JSON
- User-level access scoping — coordinators see only their assigned protocols
- Timestamped records satisfy GCP documentation requirements for sponsor audits
- Electronic signature fields available for pre-screen confirmation workflow
2025-09-14 08:31:02Z user:kmercer
action: PROTOCOL_QUERY
protocol: NCT2024-0417
result: 47 candidates ranked
2025-09-14 09:14:55Z user:kmercer
action: CANDIDATE_STATUS_UPDATE
patient_ref: PT-0041
from: pre_screen_ready
to: outreach_initiated
2025-09-14 09:17:30Z user:kmercer
action: CANDIDATE_STATUS_UPDATE
patient_ref: PT-0089
from: pre_screen_ready
to: outreach_initiated
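The extract above shows the record shape: a header line with a UTC timestamp and user identity, followed by key/value lines starting with the action type. As an added illustration (not Patientrig's own logging code, and no claim about its storage backend), the example below parses that format, writes records through an application-layer object that exposes only append and read, opens the file in append mode only, and refuses a record whose timestamp precedes the last one written. A separate ordering check can be run over an exported log to spot records that were inserted or rewritten out of band. The sample records are the ones shown above; the temporary file path is created by the example itself.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# The audit extract shown on the page (two of the three records).
SAMPLE_LOG = """\
2025-09-14 08:31:02Z user:kmercer
action: PROTOCOL_QUERY
protocol: NCT2024-0417
result: 47 candidates ranked
2025-09-14 09:14:55Z user:kmercer
action: CANDIDATE_STATUS_UPDATE
patient_ref: PT-0041
from: pre_screen_ready
to: outreach_initiated
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z user:(\S+)$")


def parse_timestamp(s):
    """'2025-09-14 08:31:02' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse the header + key/value record format into a list of dicts."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": parse_timestamp(m.group(1)), "user": m.group(2)}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
        else:
            raise ValueError(f"malformed audit line: {line!r}")
    return records


def format_record(ts, user, action, **fields):
    """Render one record in the same layout as the extract above."""
    lines = [f"{ts.strftime('%Y-%m-%d %H:%M:%S')}Z user:{user}", f"action: {action}"]
    lines += [f"{k}: {v}" for k, v in fields.items()]
    return "\n".join(lines) + "\n"


def check_ordering(records):
    """True if timestamps never go backwards; an out-of-band rewrite or
    insertion into an exported log commonly shows up as a violation."""
    return all(a["ts"] <= b["ts"] for a, b in zip(records, records[1:]))


class AppendOnlyAuditLog:
    """Application-layer view of the log: records are added, never rewritten.
    The file is only ever opened for append or for read."""

    def __init__(self, path):
        self.path = path

    def records(self):
        try:
            with open(self.path, encoding="utf-8") as f:
                return parse_log(f.read())
        except FileNotFoundError:
            return []

    def append(self, ts, user, action, **fields):
        existing = self.records()
        if existing and ts < existing[-1]["ts"]:
            raise ValueError("timestamp earlier than last record; refusing to append")
        with open(self.path, "a", encoding="utf-8") as f:  # append mode only
            f.write(format_record(ts, user, action, **fields))


def roundtrip_demo():
    """Write the two sample records to a temporary log, attempt an out-of-order
    append, and return (records read back, whether the bad append was rejected)."""
    with tempfile.TemporaryDirectory() as d:
        log = AppendOnlyAuditLog(os.path.join(d, "audit.log"))
        log.append(parse_timestamp("2025-09-14 08:31:02"), "kmercer",
                   "PROTOCOL_QUERY", protocol="NCT2024-0417", result="47 candidates ranked")
        log.append(parse_timestamp("2025-09-14 09:14:55"), "kmercer",
                   "CANDIDATE_STATUS_UPDATE", patient_ref="PT-0041",
                   **{"from": "pre_screen_ready", "to": "outreach_initiated"})
        rejected = False
        try:
            log.append(parse_timestamp("2025-09-14 08:00:00"), "kmercer", "PROTOCOL_QUERY")
        except ValueError:
            rejected = True
        return log.records(), rejected
```

Note that append-only at the application layer is only one half of the property: the storage beneath it (file permissions, object-lock or write-once media, or a database role without UPDATE/DELETE) is what stops a rewrite that bypasses the application, and the ordering check is a cheap way to surface one during a sponsor audit of an exported log.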
Security Posture
Security controls at every layer
SOC 2 — In Progress
We are currently pursuing SOC 2 Type I certification. Controls covering security, availability, and confidentiality are being documented and assessed by our external auditor.
Encryption
All data in transit is encrypted via TLS 1.3. All data at rest is encrypted with AES-256. API keys are hashed before storage and never exposed after initial issuance.
Access Control
Role-based access control scopes coordinators, PIs, and site administrators to their respective data. Cross-site access is prevented at the data layer, not just the UI.
Vulnerability Management
Automated dependency scanning runs on every code push. Production infrastructure undergoes quarterly penetration testing by an independent security firm.
Infrastructure
Hosted on HIPAA-eligible AWS infrastructure in US-EAST. Backups are encrypted and retained for 30 days. RPO < 4 hours, RTO < 8 hours.
Vendor Assessment
Third-party sub-processors are assessed for HIPAA eligibility before use. A current list of sub-processors is available to BAA signatories upon request.
Questions about our controls?
Talk to our team about your site's compliance requirements.
We can provide our BAA, share our current security documentation, and discuss your institution's data governance requirements before you commit to a pilot.