Security · HIPAA

Built for the HIPAA Security Rule, not retrofitted to it.

Encryption, audit, integrity, authentication, and transmission security — the five technical safeguards of 45 CFR § 164.312 — are implemented at the framework level so every feature inherits them.

Technical safeguards

What the platform implements out of the box.

§ 164.312(a) Access control

Per-user accounts with bcrypt hashes, role-based permissions, automatic 15-minute session timeout, account lockout after 5 failed attempts, optional emergency-access role.

§ 164.312(a)(2)(iv) Encryption

AES-256-GCM field-level encryption for every PHI column. Blind-index search lets us look up by exact name+DOB without storing plaintext. Production uses KMS-injected keys.

§ 164.312(b) Audit controls

Append-only AuditLog with per-clinic SHA-256 hash chain. Every PHI read/write, login, role change, and Rx transmit is logged. End-to-end chain verification on the audit page.

§ 164.312(c) Integrity

Per-record HMAC on patient demographics + SHA-256 content hash on signed encounters and operative records. Tampered rows are flagged in the UI.

§ 164.312(d) Authentication

Bcrypt passwords with NIST-aligned policy (12+ characters, mixed character classes, none of the 100 most common passwords), TOTP 2FA, forced password change on first login.

§ 164.312(e) Transmission security

HSTS, secure cookies, optional HTTPS-only enforcement, CSP, X-Frame-Options DENY, strict referrer policy.

What we do NOT cover

Software alone is never HIPAA-compliant. These are your clinic's responsibilities — we'll happily share templates and pointers.

  • Signed Business Associate Agreements (BAAs) with your hosting, DB, monitoring, email, and SMS providers — your responsibility

  • Written security policies (risk analysis, sanction policy, workforce clearance, incident response, contingency plan, breach notification)

  • Workforce HIPAA training and access reviews

  • Physical safeguards: facility access, workstation security, device controls (§ 164.310)

  • Production backup + disaster recovery program with restore-tested recoveries

  • Annual penetration test and risk assessment

  • ONC Health IT Certification (required to bill Medicare patients in the US)

Frequently asked

Is Next-EMR HIPAA compliant?
The codebase implements the technical safeguards of the HIPAA Security Rule (45 CFR § 164.312). Compliance also requires administrative + physical safeguards, signed BAAs with your sub-processors, and policies your clinic owns. We can deliver the technology; you own the operational context.
Where is patient data encrypted?
Every PHI field is encrypted at rest with AES-256-GCM. Each value gets a unique IV; the database stores ciphertext only. Production deployments inject the master key from a KMS (AWS KMS, GCP KMS, Vault Transit) and never write it to disk.
How is data isolated between clinics?
Every PHI-bearing model has a clinicId foreign key, and every database query is filtered by clinicId at the application layer. As defense-in-depth, the decrypt helper refuses to decrypt rows whose clinicId doesn't match the session.
What does the audit log capture?
Every login (success or failure), permission denial, PHI read, PHI create, PHI update, prescription print or transmit, role change, password change, and reminder send. Each row carries clinicId, userId, IP, user-agent, resource type and ID, and a hash linking it to the previous row.
How long is audit data retained?
HIPAA mandates a 6-year minimum retention. Our default keeps audit rows indefinitely; production deployments configure a separate retention-purge job that runs under a dedicated privileged role.
Can I export my clinic's data?
Yes — see /pricing for the FHIR / CCDA export tooling roadmap. The audit log is exportable today as CSV.

Have a security review or BAA in flight?

We'll meet you where you are. Send us your questionnaire.