Designed to be HIPAA compliant.
BAA available for customers.
HIPAA is not a certification: it is a US federal law whose Security Rule requires covered entities and their business associates to implement administrative, technical, and physical safeguards. CliniLoom is designed to meet those safeguards, and BAA v1.2 (available since January 2024) is signed with every customer before production PHI is processed.
Technical safeguards
TLS 1.3 in transit. AES-256 at rest for PHI and backups.
Role-based access (Administrator, Manager, Provider, Staff) with least-privilege defaults; SSO via SAML 2.0 / OIDC and MFA via authenticator app, SMS, or email (SMS and email one-time codes can be phished or intercepted; an authenticator app is the stronger factor).
Per-entity audit log capturing actor, role, timestamp, and source references. Retained 7 years.
Versioned records for AI drafts and human edits; tamper-evident audit trail.
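To make "versioned records" and "tamper-evident audit trail" concrete, here is an added illustration of a hash-chained audit log. It is example code, not CliniLoom's implementation: the field names (actor, role, timestamp, entity_id, action, version, source_ref), the sample entries, and the SHA-256 chain are all assumptions chosen for the demonstration. Each entry's hash covers its own fields plus the previous entry's hash, so editing or reordering an earlier entry breaks every later link, and the chain head is anchored out of band so that truncating the log from the end is also detectable.

```python
"""Hash-chained, versioned audit log.

Added example, not CliniLoom's code. Field names and sample events are
constructed for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log
    actor: str        # who acted (user id or system component)
    role: str         # role the actor held at the time
    timestamp: str    # ISO 8601, UTC
    entity_id: str    # the record this event concerns
    action: str       # e.g. "ai_draft", "edit", "sign"
    version: int      # version number of the entity after this event
    source_ref: str   # what the change was derived from (model run, prior version)
    prev_hash: str    # hash of the previous entry: the chain link
    entry_hash: str = ""


def canonical(fields: dict) -> bytes:
    # Deterministic serialization: sorted keys, fixed separators, so the
    # same fields always hash to the same value.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(fields: dict) -> str:
    data = {k: v for k, v in fields.items() if k != "entry_hash"}
    return hashlib.sha256(canonical(data)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []
        self.versions: dict[str, int] = {}  # entity_id -> current version

    def append(self, actor: str, role: str, timestamp: str, entity_id: str,
               action: str, source_ref: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        version = self.versions.get(entity_id, 0) + 1
        fields = dict(seq=len(self.entries), actor=actor, role=role,
                      timestamp=timestamp, entity_id=entity_id, action=action,
                      version=version, source_ref=source_ref, prev_hash=prev)
        entry = AuditEntry(**fields, entry_hash=compute_hash(fields))
        self.entries.append(entry)
        self.versions[entity_id] = version
        return entry

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify_chain(entries: list[AuditEntry],
                 expected_head: Optional[str] = None) -> tuple[bool, int]:
    """Return (ok, index): index is the first inconsistent entry, or -1 if ok.

    Without expected_head a truncated-but-intact prefix still verifies; the
    anchored head (stored where the log writer cannot change it) closes that gap.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev or compute_hash(asdict(e)) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # entries missing from the end
    return True, -1


def demo() -> tuple:
    # Constructed sample events: an AI draft, a clinician edit, a signature.
    log = AuditLog()
    log.append("ai:scribe", "System", "2025-06-01T14:02:11Z", "note-1042", "ai_draft", "run:7f3a")
    log.append("dr.lee", "Provider", "2025-06-01T14:10:45Z", "note-1042", "edit", "note-1042@v1")
    log.append("dr.lee", "Provider", "2025-06-01T14:12:03Z", "note-1042", "sign", "note-1042@v2")
    anchored_head = log.head()  # kept out of band (signed, or in a separate system)
    ok_before, _ = verify_chain(log.entries, anchored_head)

    # Tampering: rewrite the actor on entry 1 AND recompute its own hash.
    # The entry itself looks valid; entry 2's prev_hash no longer matches.
    tampered = list(log.entries)
    f = asdict(tampered[1])
    f["actor"] = "someone.else"
    f.pop("entry_hash")
    tampered[1] = AuditEntry(**f, entry_hash=compute_hash(f))
    ok_tampered, bad_index = verify_chain(tampered, anchored_head)

    # Truncation: drop the signature event. Only the anchored head reveals it.
    truncated = log.entries[:-1]
    ok_trunc_no_anchor, _ = verify_chain(truncated)
    ok_trunc_anchor, bad_trunc = verify_chain(truncated, anchored_head)
    return (ok_before, ok_tampered, bad_index,
            ok_trunc_no_anchor, ok_trunc_anchor, bad_trunc)


if __name__ == "__main__":
    print(demo())
```

The check that matters in practice is the anchored head: a hash chain alone is only tamper-evident against someone who cannot rewrite every later entry, so the latest hash (or a signature over it) must live somewhere the log writer cannot alter, such as a separate system or a periodically signed checkpoint.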
Administrative safeguards
- Workforce access reviews documented per clinic
- Defined required reviewer roles per workflow
- Approval rules per module (clinical / administrative)
- Incident response runbooks with customer notification SLAs
- Regular subprocessor review
Physical & infrastructure safeguards
PHI is hosted in CliniLoom's primary data center, in US regions. That facility holds a SOC 2 Type II attestation (March 2025; SOC 2 is an auditor's report, not a certification) and ISO 27001 certification (June 2025).
Private networking between services. No PHI in third-party logs or analytics.
Production access limited to vetted on-call engineers with MFA and audit.
Contractual safeguards
A Business Associate Agreement is required before any production PHI is processed. CliniLoom's BAA covers permitted uses, breach notification, subprocessor obligations, and return or destruction of PHI on termination.
- Business Associate Agreement (BAA) — available before go-live
- Subprocessor list maintained and disclosed
- Data Processing Addendum (DPA) for international customers
- Security review support for qualified clinics
Need our BAA template?
Request the BAA, security one-pager, and subprocessor list.