Security Risk Assessment.

Risk analysis performed, policies and procedures documented, sanctions policy for workforce violations.

Privacy Officer designated with authority over all security policies.

Role-based access control (patient, physician, admin). Workforce clearance procedures in place.

Access authorized on need-to-know basis. All PHI queries scoped by userId. No admin access to raw PHI without audit trail.

Annual HIPAA training required for all workforce members. Training records maintained for 6 years.

Incident response plan documented. 24-hour breach notification SLA. Audit log monitoring for anomalous access.

Neon database backups with point-in-time recovery. Vercel edge deployments with automatic failover.

Annual security assessment. Next assessment: May 2027.

All infrastructure hosted by Vercel (SOC 2 Type II) and Neon (SOC 2 Type II). Physical security managed by hosting providers.

Physician portal accessible only via authenticated sessions. Auto-logout after 30 minutes of inactivity.

No PHI stored on local devices. All data resides in encrypted database. No removable media policy.

Unique user IDs via Better Auth. Role-based access (patient/physician). Emergency access procedure documented.

Comprehensive audit_log table records all PHI access: userId, action, resource, resourceId, IP, user agent, timestamp. Audit logs retained 6+ years.

Digital signatures on e-prescriptions. Database-level constraints. Parameterized queries prevent SQL injection.

Email + password authentication with bcrypt hashing. Session tokens with automatic expiration. IP and user-agent tracking.

TLS 1.3 for all data in transit. HTTPS enforced on all endpoints. Secure cookie configuration (HttpOnly, SameSite, Secure).