Security posture · HIPAA-aligned
Security & Compliance Posture
CarelinkMD is a HIPAA Business Associate. We sign a Business Associate Agreement with every clinic customer at registration. This page describes our security posture as of the date below. It is informational and is not a substitute for the contractual commitments in our BAA and Terms of Service.
Last reviewed: April 21, 2026
Compliance matrix
Current status of the frameworks that healthcare buyers typically evaluate. Status phrasing is chosen to be precise: “Compliant” requires evidence in hand; “In progress” and “Planned” do not imply certification.
- HIPAA Security + Privacy Rules: BAA signed at registration. Safeguards aligned with 45 CFR §§164.306–316.
- HITECH Act + Breach Notification Rule: Breach notification to Covered Entities per executed BAA (targets 72 hours).
- SOC 2 Type II: Readiness assessment scoped. Engagement with an AICPA-registered CPA firm is on the roadmap.
- HITRUST CSF: Targeted for Enterprise-tier buyers; no active engagement.
- State privacy laws (CCPA/CPRA, TX HB300, WA MHMD, others): Privacy Policy and operational posture under counsel review. Consumer-rights requests honored as required.
- 42 CFR Part 2 (substance use disorder records): Clinics subject to Part 2 should confirm an executed Part 2 addendum with CarelinkMD before use.
- GDPR / international transfers: US-only data residency. No PHI transmitted outside the United States.
HIPAA does not issue certifications. “HIPAA-aligned” means our administrative, technical, and physical safeguards are designed to satisfy Business Associate obligations under 45 CFR §§164.306–316 and the terms of executed BAAs.
For plain-English answers to common compliance questions, see the digital patient intake FAQ.
Data protection
Encryption in transit
- TLS 1.2+ required (TLS 1.3 preferred) for every client connection
- HSTS enabled on all public endpoints
- TLS 1.0 / 1.1 disabled
- Patient-portal submissions encrypted end-to-end to our Azure tier
Encryption at rest
- AES-256 via Azure-managed keys for all database and storage
- Application-layer payloads stored only as structured fields or signed PDFs
- Customer-managed keys (CMK) on Enterprise roadmap
- No PHI stored outside the encrypted Azure tier
Key management
- Azure Key Vault for all platform secrets
- Rotation cadence on secrets: 90 days
- Access to key material is MFA-gated and audit-logged
- No standing production secret access for engineers
Credentials
- Passwords hashed with bcrypt (cost factor 12)
- Session tokens: signed JWT, 8-hour expiry, version-revocable via Redis
- No password transmitted or stored in logs or URLs
- Lockout after repeated failed attempts + audit entry
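The "signed JWT, 8-hour expiry, version-revocable" design above can be illustrated with a small, self-contained implementation. This is an added example, not CarelinkMD's code: it assumes HMAC-SHA256 (HS256) signing with a constructed key, a fixed clock passed in for determinism, and an in-memory dict standing in for the Redis store that holds each user's current session version. Bumping a user's version invalidates every token issued under the old version without keeping a per-token blocklist.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the example only; a deployment keeps this in a vault.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 8 * 60 * 60  # 8-hour expiry

# In-memory stand-in for the Redis hash of user_id -> current session version.
session_versions: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Issue a JWT-shaped token bound to the user's current session version."""
    now = time.time() if now is None else now
    version = session_versions.setdefault(user_id, 1)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "ver": version, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_sign(signing_input.encode())}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked; else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig = parts
    signing_input = f"{header_b64}.{claims_b64}".encode()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(_sign(signing_input).encode(), sig.encode()):
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier is pinned; "alg" never selects it
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"]:
        return None
    # Version check: a token minted before the user's version was bumped is rejected.
    if claims["ver"] != session_versions.get(claims["sub"]):
        return None
    return claims


def revoke_sessions(user_id: str) -> int:
    """Invalidate all outstanding tokens for a user by bumping their session version."""
    session_versions[user_id] = session_versions.get(user_id, 1) + 1
    return session_versions[user_id]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("clinic-user-42", now=t0)
    print("valid:", verify_token(tok, now=t0 + 60) is not None)
    print("expired:", verify_token(tok, now=t0 + TOKEN_TTL_SECONDS) is None)
    revoke_sessions("clinic-user-42")
    print("revoked:", verify_token(tok, now=t0 + 60) is None)
```

The version check is what turns a stateless signed token into a revocable one: logout-everywhere, password reset, or a suspected compromise only requires one write to the version store, and every older token fails on its next use regardless of how much of its 8-hour lifetime remains.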
Access controls & audit
Who can see PHI on our side
- Production PHI access restricted to on-call engineers and legal on subpoena
- All administrative access MFA-enforced via Azure Entra ID
- US-based workforce only for PHI-adjacent roles
- Annual HIPAA privacy + security training with signed attestation
- Access revocation on termination within 4 hours
What you can audit on your side
- Every login attempt logged (success + failure, IP, user agent)
- Every submission logged with SHA-256 document hash for tamper detection
- Every e-signature event logged per 45 CFR §164.312(b)
- Retention: 7 years minimum for HIPAA-covered records
- Customer audit-log export available on request (UI roadmap)
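The "SHA-256 document hash for tamper detection" entry can be checked from the customer side with a few lines. This is an added example, not CarelinkMD's code or export format: it assumes an audit entry is a flat dict holding the submitter, timestamp and the hex digest of the submitted bytes, and uses a constructed byte string in place of a real intake PDF.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for an uploaded intake PDF (a real file would be read from disk).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def record_submission(document: bytes, submitter: str, submitted_at: datetime) -> dict:
    """Build the audit entry written when a submission is accepted."""
    return {
        "submitter": submitter,
        "submitted_at": submitted_at.isoformat(),
        "hash_alg": "sha256",
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "doc_bytes": len(document),
    }


def verify_submission(entry: dict, document: bytes) -> bool:
    """True if the document on hand still matches the hash recorded at submission time."""
    if entry.get("hash_alg") != "sha256" or entry.get("doc_bytes") != len(document):
        return False
    actual = hashlib.sha256(document).hexdigest()
    return hmac.compare_digest(actual, entry["doc_sha256"])


if __name__ == "__main__":
    entry = record_submission(SAMPLE_PDF, "patient-7", datetime(2026, 4, 21, tzinfo=timezone.utc))
    print("intact:", verify_submission(entry, SAMPLE_PDF))
    altered = SAMPLE_PDF.replace(b"/Catalog", b"/Catalogue")
    print("tampered detected:", not verify_submission(entry, altered))
```

A clinic that retains its own copy of each exported PDF can therefore recompute the digest at any later date and compare it with the exported audit log, which is what makes the hash useful as tamper evidence rather than only as a checksum.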
Operational security
Business continuity
- Hosted on Microsoft Azure: East US 2 primary, West US 2 DR
- Automated Postgres backups with 7-day retention
- RTO target: 4 hours · RPO target: 1 hour
- DR drill frequency: annual (next scheduled 2026)
Vulnerability management
- Automated dependency scanning on every PR
- Container images scanned pre-deploy
- CVE triage SLA: Critical 7d · High 30d · Medium 90d
- Third-party penetration test: scheduled 2026
Incident response
- 72-hour breach notification SLA per executed BAA
- security@carelinkmd.com monitored during business weeks
- Post-incident report template available on request
- Forensics via retained Azure Sentinel logs
Secure SDLC
- Every PR requires code review + CI gates
- Branch protection + deploy approvals
- Azure Key Vault — no secrets in repo
- Migration idempotency enforced at CI
RTO/RPO, notification SLAs, and penetration-test cadence are operational targets. Contractual commitments are stated in the BAA and, where applicable, the Enterprise service agreement.
Subprocessors
We engage subprocessors to operate the platform. Subprocessors that touch PHI execute Business Associate Agreements with CarelinkMD in conformance with 45 CFR §164.504(e)(2)(ii)(D). Material changes are notified to customers per the BAA.
Microsoft Azure
- Purpose: Hosting, compute, storage, identity, AI
- Region: US East 2 / West 2
- BAA: Signed (Microsoft)
Azure Document Intelligence
- Purpose: OCR on uploaded intake PDFs
- Region: US East 2
- BAA: Covered by Microsoft BAA
Azure Content Understanding
- Purpose: Form-field extraction from intake PDFs
- Region: US West
- BAA: Covered by Microsoft BAA
Azure Communication Services
- Purpose: Patient email + SMS reminders
- Region: US
- BAA: Covered by Microsoft BAA
Stripe
- Purpose: Subscription billing (no PHI transmitted)
- Region: US
- BAA: N/A — no PHI
Questions about data handling? See what happens to our data if we cancel.
Data handling & your rights
Data residency
- All PHI stored in Azure US regions (East US 2 primary, West US 2 failover)
- No PHI transmitted outside the United States
- Regional options (Canada, EU) on Enterprise roadmap
Retention & deletion
- PHI retained for contract term + 1 year (dispute window)
- Right-to-delete requests processed within 30 days
- Certificate of destruction available on request
- Customer export (CSV + PDF) available from the dashboard at any time
What we do not do
- Sell, rent, or license PHI to third parties
- Use PHI for direct marketing to patients
- Use PHI to train machine-learning models
- Place third-party trackers (Google Analytics, Meta Pixel, etc.) on the authenticated patient portal
- Transmit PHI outside the United States
Request materials
Materials enterprise buyers commonly request during vendor due diligence. Email security@carelinkmd.com with your request and we'll respond within two business days.
Sample BAA
Pre-reviewed template covering §164.504(e) required provisions and subprocessor flow-downs.
Completed HECVAT-Lite
Healthcare vendor assessment questionnaire adopted by most US hospital systems.
Completed CAIQ
Cloud Security Alliance Consensus Assessment — common for IT-led vendor reviews.
Information Security Policy
Our internal policy document covering access control, encryption, incident response, and workforce security. Shared under NDA.
SOC 2 bridge letter
Available once the first Type II audit window closes.
Cyber insurance certificate
Certificate of Insurance for cyber liability and Errors & Omissions coverage.
Contact
Security inquiries
security@carelinkmd.com: vulnerability disclosure, incidents. Response target: 24h during business weeks.
Privacy inquiries
privacy@carelinkmd.com: patient rights requests under HIPAA §164.524 (access) and §164.526 (amendment).
BAA & enterprise contracts
legal@carelinkmd.com: Business Associate Agreement negotiation, sub-BAAs, data processing addenda.
This page describes CarelinkMD's security practices as of April 21, 2026 and is subject to change. No statement on this page creates a warranty, indemnity, or service-level commitment except to the extent expressly set forth in a signed agreement between CarelinkMD (operated by Expert Business Consulting LLC) and the customer. Capitalized terms not otherwise defined have the meaning given in the applicable Business Associate Agreement, Terms of Service, or Privacy Policy.
For the full compliance policy document, see our Security & Compliance Policy.