Built for PHI from the first line of code.

Protected health information isn't a feature for us; it's the substrate. ClaimworksIQ is HIPAA compliant, engineered to SOC 2 Type II control standards, and contractually prohibited from letting your records touch a foundation-model training set.

Controls at a glance

Every layer, documented.

HIPAA & HITECH

Signed BAA with every covered entity and business associate. Minimum-necessary access, and tamper-evident audit logging: every PHI read and write is recorded as an entry in a SHA-256 hash chain.
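As an added illustration (not ClaimworksIQ's own code), this is a minimal SHA-256 hash-chained audit log of the kind described above, with a verifier that detects edited, reordered or removed entries; the event values and actor names are constructed placeholders.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Anchor for the first entry; a real deployment would use a published root value
GENESIS = "0" * 64

FIELDS = ("ts", "actor", "action", "record_id")


def entry_hash(prev_hash: str, record: Dict[str, str]) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding
    of this event, so any change to either breaks the link."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(log: List[Dict[str, str]], ts: str, actor: str,
                 action: str, record_id: str) -> Dict[str, str]:
    """Append one PHI read/write event chained to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "actor": actor, "action": action, "record_id": record_id}
    entry = dict(record, prev_hash=prev, hash=entry_hash(prev, record))
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, str]]) -> Optional[int]:
    """Return the index of the first entry whose link is broken (edited,
    reordered, or with a predecessor removed), or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, record):
            return i
        prev = entry["hash"]
    return None


def head_hash(log: List[Dict[str, str]]) -> str:
    """Latest hash; keep a copy out-of-band (e.g. with the auditor) so that
    silently dropping the newest entries is detectable as well."""
    return log[-1]["hash"] if log else GENESIS


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed sample events; actors and record ids are placeholders."""
    log: List[Dict[str, str]] = []
    append_event(log, "2024-05-01T09:00:00Z", "clinician-42", "read", "claim-1001")
    append_event(log, "2024-05-01T09:05:00Z", "clinician-42", "write", "claim-1001")
    append_event(log, "2024-05-01T10:00:00Z", "support-7", "read", "claim-2002")
    return log
```

Chain verification alone cannot see a truncated tail, which is why the head hash has to be anchored somewhere the log writer cannot rewrite.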

Built to SOC 2 Type II

Engineered to SOC 2 Type II control standards for security, availability, and confidentiality. Formal audit scheduled.

Zero-training guarantee

Your records are never used to train foundation models. Contractual, not just operational.

US-only data residency

Primary and replica infrastructure hosted entirely in US regions. All data encrypted at rest using AES-256 with AWS-managed keys under BAA.

Encryption

AES-256 at rest with AWS-managed keys, TLS 1.3 in transit. Secrets rotated every 90 days.

SSO & access

SAML/OIDC single sign-on, MFA required, and role-based access scoped by matter and case. Session timeouts tuned for clinical environments.

Frequently asked

Security questions we always get.

Yes, BAA execution is part of the signup flow for covered entities and business associates. No PHI moves without one on file.

Only the users you invite to each matter. Support staff have no access to PHI by default; break-glass access is logged, alerted on, and requires explicit customer authorization.

Never. Zero-training is contractual with every model provider we use, and the prompts we send are scrubbed of identifiers by default.

You export everything (matter binders, transcripts, citations) as paginated PDFs and JSON. After your stated retention window expires, records are permanently deleted from active systems within 30 days, with backup expiration following our documented retention policy.