HIPAA & Compliance

Effective date: June 1, 2026

Record Synergy is purpose-built for healthcare. We act as a HIPAA Business Associate to our customers and apply administrative, technical, and physical safeguards across the platform that match the sensitivity of the data we process.

Business Associate Agreement

Record Synergy will execute a Business Associate Agreement (BAA) with each Covered Entity customer before any protected health information (PHI) is processed. The BAA addresses permitted uses and disclosures, safeguards, subcontractor flow-down, breach notification, and termination obligations. Custom BAA terms are available on Enterprise plans.

Administrative safeguards

  • Designated security and privacy officers
  • Documented HIPAA Security Rule policies and procedures, reviewed annually
  • Workforce HIPAA and security training at hire and annually thereafter
  • Role-based access provisioning and quarterly access reviews
  • Documented incident response and breach notification procedures
  • Risk assessments conducted at least annually

Technical safeguards

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256 for databases, object storage, and backups
  • Per-user authentication; SSO and multi-factor authentication available
  • Role-based access control with the principle of least privilege
  • Comprehensive audit logging of access to PHI and administrative actions
  • Automatic session timeouts and account-lockout protections
  • Continuous vulnerability scanning and a documented patch-management process

Physical safeguards

Production systems are hosted in SOC 2 Type II audited data center facilities operated by our cloud providers, with 24×7 monitoring, biometric access controls, redundant power, and environmental controls. We do not store production PHI on workstations or removable media.

Subcontractors and vendors

Subcontractors that access PHI are subject to BAAs with terms substantially similar to ours, are reviewed before onboarding, and are re-reviewed annually. A current list of subprocessors is available on request.

Breach notification

In the unlikely event of a confirmed breach of unsecured PHI, Record Synergy will notify the affected Covered Entity without unreasonable delay and within the timeframes required by the BAA and HIPAA, with the information necessary for the Covered Entity to meet its own notification obligations.

Patient rights

Record Synergy supports our customers in fulfilling patient requests under HIPAA, including access, amendment, accounting of disclosures, and restriction requests. Patients should direct requests to their treating provider, who can use the platform’s administrative tools to respond.

Audit history and reports

Customers can request a copy of our most recent third-party security assessment and the relevant portions of our SOC 2 report under NDA. Our HITRUST roadmap is reviewed annually.

Reporting a security concern

Email [email protected]. We acknowledge reports within one business day. Responsible-disclosure researchers are credited.