Security & Compliance

How we handle PHI, encrypt data, and execute BAAs — in plain English.

Principles

What we do — and what we don’t

PHI is minimized at the edge

Patient identifiers are hashed (SHA-256) before they leave your systems. We never store raw names, DOBs, or medical record numbers in our application layer. Inquiry intent is classified; identity is discarded.

Clinical questions route to humans

Any message classified as MEDICAL_QUESTION is locked from AI response and routed to your licensed staff. We never generate medical advice, differential diagnoses, or treatment recommendations.

You own your data

Transcripts, routing rules, briefs, and inquiry logs belong to your clinic. Exportable. Deletable on request. We do not train models on your patient communications.

BAA before activation

A Business Associate Agreement is executed during pilot setup — before any patient-adjacent workflow goes live. Standard terms. Reviewed by healthcare counsel.

What we don’t do

  • We do not sell, share, or monetize patient data.
  • We do not train AI models on your clinic’s communications.
  • We do not generate medical advice, diagnoses, or treatment plans.
  • We do not store raw PHI in analytics, logs, or error traces.
  • We do not use third-party ad pixels on patient-facing surfaces.

Infrastructure

The honest stack

No marketing claims. Here’s exactly what runs under the hood.

Transport

  • TLS 1.3 for all data in transit
  • HSTS preloaded
  • Certificate pinning on API endpoints

Application

  • Server-side PHI stripping before logging
  • SHA-256 hashing of patient identifiers
  • No raw PHI in request logs, error traces, or analytics
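
The edge-side minimization described under "PHI is minimized at the edge" and in the Application list above, as an added Python example that is not the product's own code: direct identifiers are replaced by a keyed SHA-256 digest before the record leaves the clinic, and a leak check and log redaction step catch any raw value that would otherwise reach a payload, error trace or log line. The field names, sample record and key are constructed; keying the hash (HMAC-SHA256 with a clinic-held secret) goes beyond the page's plain SHA-256 and is this example's addition, since names, DOBs and MRNs have too little entropy for an unkeyed digest to resist enumeration.

```python
import hashlib
import hmac

# Direct identifiers that must not leave the clinic in the clear
# (the field names are an assumption of this example).
IDENTIFIER_FIELDS = ("name", "dob", "mrn")

def pseudonymize(record: dict, clinic_key: bytes) -> dict:
    """Copy `record`, replacing each direct identifier with an HMAC-SHA256 digest
    under the clinic-held key: same patient, same digest, raw value never sent."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    for field in IDENTIFIER_FIELDS:
        if field in record:
            mac = hmac.new(clinic_key, str(record[field]).encode("utf-8"), hashlib.sha256)
            out[field + "_hash"] = mac.hexdigest()
    return out

def leaks_raw_phi(text: str, record: dict) -> bool:
    """True if any raw identifier value from `record` appears in `text`
    (a serialized payload, an error trace or a log line)."""
    return any(str(record[f]) in text for f in IDENTIFIER_FIELDS
               if f in record and str(record[f]))

def redact_for_log(text: str, record: dict) -> str:
    """Strip raw identifier values from a log line before it is written. Only values
    known from the structured record are removed; free text the patient typed may
    still carry PHI and needs its own handling."""
    for field in IDENTIFIER_FIELDS:
        value = str(record.get(field, ""))
        if value:
            text = text.replace(value, f"<{field}:redacted>")
    return text

# Constructed sample inquiry; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1980-02-14",
    "mrn": "MRN-000123",
    "message": "Can I reschedule my Tuesday appointment?",
}
SAMPLE_KEY = b"clinic-held-secret-for-this-example"

if __name__ == "__main__":
    safe = pseudonymize(SAMPLE_RECORD, SAMPLE_KEY)
    print(safe)
    print("raw PHI in outbound payload:", leaks_raw_phi(str(safe), SAMPLE_RECORD))
    print(redact_for_log("handler failed for Jane Example / MRN-000123", SAMPLE_RECORD))
```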

Infrastructure

  • Isolated VPC per deployment
  • Encrypted volumes at rest (AES-256)
  • Access: founder + designated operator only

Access

  • SSO + hardware key enforcement
  • Full audit log of every admin action
  • Session timeout: 15 minutes idle

BAA Process

How we execute your BAA

1. Pilot intake
   We send our standard BAA template during pilot setup. Reviewed by healthcare counsel.

2. Mutual execution
   Signed by both parties before any patient-adjacent workflow is activated.

3. Ongoing compliance
   Annual review. Updated if your practice structure, EMR, or state regulations change.

Questions about security?

We’ll walk through the stack, the BAA, and your specific compliance requirements before you commit to anything.