HIPAA compliance is not a feature. It is a baseline.
QME and IME records contain some of the most sensitive PHI in clinical practice. AtlasMD was architected for HIPAA compliance before a single report feature was designed.

AES-256 · TLS 1.3: encryption at rest and in transit

What AtlasMD commits to
HIPAA: Compliant
BAA: Included at all tiers
SOC 2 Type II: In progress
US Data Residency: Enforced
Security at every layer
encryption
AES-256 at rest. TLS 1.3 in transit. No exceptions.
Every document and database record is encrypted at rest using AES-256. All data in transit is protected by TLS 1.3 — no exceptions, no older versions permitted.
Encryption is enforced at the infrastructure level. It is not configurable by tenants and cannot be disabled.
access control
Role-based permissions enforced at the platform level
Physicians, delegates, and administrators hold distinct permission sets enforced server-side — not just in the UI.
Delegates can upload records and assist with organization. They cannot access sign-off interfaces, export finalized reports, or modify account settings. These restrictions are enforced at the API layer.
Report finalization requires verified physician identity. No delegate action can complete a report without physician authentication. Hard enforcement — not a UI soft-stop.
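The pattern described above, server-side authorization that the UI cannot bypass, as an added illustration that is not AtlasMD's code. The role names and the three delegate restrictions come from the text; the exact permission matrix, the action names and the `identity_verified` flag are assumptions made for the example. The key design point is deny-by-default: an action is refused unless the role's allow-list grants it, and finalization additionally requires a verified physician identity on the request itself.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PHYSICIAN = "physician"
    DELEGATE = "delegate"
    ADMINISTRATOR = "administrator"


# Action identifiers are assumed for illustration; they are not AtlasMD's API.
UPLOAD = "upload_record"
ORGANIZE = "organize_records"
VIEW_SIGNOFF = "view_signoff_interface"
FINALIZE = "finalize_report"
EXPORT_FINAL = "export_finalized_report"
MODIFY_SETTINGS = "modify_account_settings"

# Explicit allow-list per role (assumed matrix). Anything not listed is denied,
# so an action newly exposed in the UI stays unreachable until policy grants it.
PERMISSIONS = {
    Role.PHYSICIAN: {UPLOAD, ORGANIZE, VIEW_SIGNOFF, FINALIZE, EXPORT_FINAL, MODIFY_SETTINGS},
    Role.DELEGATE: {UPLOAD, ORGANIZE},
    Role.ADMINISTRATOR: {UPLOAD, ORGANIZE, MODIFY_SETTINGS},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    identity_verified: bool  # set by the server after authentication, never by the client


class Forbidden(Exception):
    pass


def authorize(principal: Principal, action: str) -> None:
    """Server-side gate that every API handler calls before doing any work."""
    if action not in PERMISSIONS.get(principal.role, set()):
        raise Forbidden(f"{principal.role.value} may not {action}")
    # Finalization is a hard stop: a physician role alone is not enough,
    # the identity must have been verified on this request.
    if action == FINALIZE and not principal.identity_verified:
        raise Forbidden("report finalization requires verified physician identity")


def try_action(principal: Principal, action: str) -> bool:
    """True if the server would allow the action, False if it rejects it."""
    try:
        authorize(principal, action)
        return True
    except Forbidden:
        return False


def finalize_report(principal: Principal, report_id: str) -> str:
    # Hypothetical API handler: the check lives here, not in a disabled button.
    authorize(principal, FINALIZE)
    return f"report {report_id} finalized by {principal.user_id}"
```

Because `authorize` runs inside the handler, a delegate who crafts a request directly against the API gets the same refusal as one who clicks a hidden button; the UI restriction is a convenience, the server check is the control.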
storage
Every byte stays in US jurisdiction
All documents and database records are stored on US-hosted infrastructure. No PHI is processed, cached, or stored outside US geographic boundaries.
Backups run continuously. Storage is replicated across availability zones within US regions.
infrastructure
SOC 2 certified at every layer of the stack
Every infrastructure component in the AtlasMD stack (application hosting, database, document storage, workflow orchestration) is provided by a vendor holding independent SOC 2 Type II certification. No non-certified component sits in the PHI data path.
All traffic passes through enterprise-grade network protection: DDoS mitigation, web application firewall, bot management, and edge-level TLS termination before requests reach application servers.
No PHI is stored in logs or observability tools. Log pipelines scrub identifiers before ingestion.
compliance
HIPAA by design, not by checklist
A BAA is included with every subscription — Solo, Practice, and Enterprise — as a condition of account activation. You do not need to request it.
PHI uploaded to AtlasMD is used exclusively to generate your reports and maintain your audit trail. It is not used for any other purpose. No carve-outs for de-identified data. This is in writing in your BAA.
audit trail
Every action logged. Nothing can be erased.
Every user action is captured in an append-only audit log: uploads, report views, edits, sign-offs, exports. Each event is timestamped and attributed to a verified identity.
Audit logs are tamper-resistant. Once written, they cannot be modified or deleted — by anyone. Full trails are exportable for legal proceedings or compliance reviews.
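One way an append-only log can be made tamper-evident, added here as an illustration and not a description of AtlasMD's implementation: each entry carries the hash of the previous entry, so modifying or removing an earlier event invalidates every hash after it. The hash chain, the field names and the sample events are assumptions for the example. The page says logs cannot be modified or deleted; the chain is what lets an exported trail prove that to a reviewer rather than merely assert it.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "target", "prev")


def _digest(body: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AppendOnlyAuditLog:
    """Hash-chained event log: every entry commits to its predecessor."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, at: Optional[datetime] = None) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        ts = (at or datetime.now(timezone.utc)).isoformat()
        body = {"seq": len(self._entries), "ts": ts, "actor": actor,
                "action": action, "target": target, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; record this out-of-band to detect truncation."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def entries(self) -> List[dict]:
        return [dict(e) for e in self._entries]  # copies, suitable for export


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the trail is intact, otherwise the index of the first
    entry that fails verification. A missing tail is reported as len(entries)
    when the externally recorded head hash does not match."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if any(k not in e for k in FIELDS) or "hash" not in e:
            return i
        if e["seq"] != i or e["prev"] != prev:
            return i  # reordered, inserted or deleted entry
        if _digest({k: e[k] for k in FIELDS}) != e["hash"]:
            return i  # field edited after the fact
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # trail was cut short
    return None
```

The chain alone does not detect removal of the most recent entries, since a shortened log still verifies; that is why `head()` exists. Publishing the head hash to a store the log writer cannot alter (a separate account, a ticket, a signed receipt to the customer) closes that gap, and `verify_chain` takes that value as `expected_head`.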
data retention
Defined retention. Clean deletion on request.
Case data is retained for the duration of your subscription plus a 90-day post-cancellation window. After that, data is purged from primary storage and backups.
Early deletion requests are executed within 30 days and confirmed in writing. PHI processed for report generation is not retained after the request completes.
incident response
Breach notification within HIPAA timelines
In the event of a confirmed incident affecting PHI, affected covered entities are notified within 60 days of discovery with a written description of the breach and steps taken.
Internal escalation and containment begin within 4 hours of a credible incident report. Security researchers can reach us at security@getatlasmd.com — we respond to all disclosures within 48 business hours.
Every layer independently certified
Every vendor in the AtlasMD stack carries independent SOC 2 Type II certification. We do not ask you to trust us alone.
Application Hosting: SOC 2 Type II
Database: SOC 2 Type II
Document Storage: SOC 2 Type II
Workflow Engine: SOC 2 Type II

Questions about security or compliance?
We can walk your compliance team through our architecture, provide documentation, or execute a BAA before you onboard any cases.