Security
Security and Compliance Are Not Features. They're the Foundation.
Built on HIPAA-eligible AWS infrastructure with encryption at rest and in transit, role-based access control, and 7-year audit log retention.
HIPAA Compliant · SOC 2 Type II (in process) · AWS Healthcare Competency · BAA Available
Infrastructure Security
- AWS HIPAA-eligible services (Cognito, RDS, S3, ElastiCache, Lambda)
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- AWS WAF for edge protection
- VPC-private database (no public internet access)
- Automated encrypted backups with point-in-time recovery
Authentication & Access Control
- Email + password + OTP on every login (mandatory MFA)
- AWS Cognito identity management (authentication is delegated to Cognito; passwords are never received or stored by the application servers)
- 15-minute session timeout (configurable per agency)
- Role-based access control with 11 ARMHS-specific roles
- Field-level access control (billing staff cannot read clinical note content)
- Multi-tenant agency isolation at database, API, cache, and storage layers
PHI Protection
- Engineered to exclude PHI from URLs, logs, error messages, and notification payloads
- Minimum-necessary access enforced by RBAC
- PHI access monitoring with continuous session anomaly detection
- Bulk export alerts (50+ client records exported → admin notified)
- After-hours PHI access alerts (automatic alerts for access outside business hours)
- Caseload violation detection (alerts when staff access clients not assigned to them)
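As an added example (not the product's own code), the three alert rules above run over constructed audit events. The event schema, the 15-minute rolling window for bulk exports, the agency time zone, and the 07:00 to 19:00 business-hours window are assumptions for the example; the 50-record threshold is the one stated on this page.

```python
"""Added example: PHI-access alert rules over constructed audit events.

Not the product's code. Event schema, thresholds other than the 50-record
export threshold, time zone and business hours are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumption: agency local time is fixed CST (UTC-6) for the sample. Production
# code should use zoneinfo.ZoneInfo("America/Chicago") so DST is handled.
AGENCY_TZ = timezone(timedelta(hours=-6))
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumption: 07:00-19:00, Mon-Fri
BULK_EXPORT_THRESHOLD = 50                              # from the page: "50+ client records"
BULK_EXPORT_WINDOW = timedelta(minutes=15)              # assumption: rolling window


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime        # timezone-aware, stored in UTC
    user: str
    action: str         # "read" or "export"
    client_id: str      # opaque internal ID, never a name (keeps PHI out of alerts)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample (not real data): alice exports her 50-client caseload at
# 09:00 local on a Tuesday; bob reads his own client at 10:10 local and then
# one of alice's clients at 21:30 local.
CASELOADS = {
    "alice": {f"client-{i:03d}" for i in range(50)},
    "bob": {"client-900"},
}
EVENTS = (
    [AuditEvent(_utc(f"2025-03-04T15:00:{i:02d}"), "alice", "export", f"client-{i:03d}")
     for i in range(50)]
    + [AuditEvent(_utc("2025-03-04T16:10:00"), "bob", "read", "client-900"),
       AuditEvent(_utc("2025-03-05T03:30:00"), "bob", "read", "client-001")]
)


def is_after_hours(ev: AuditEvent) -> bool:
    """Evaluate in the agency's local zone; judging UTC timestamps misfires by hours."""
    local = ev.ts.astimezone(AGENCY_TZ)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.time() < BUSINESS_END)


def after_hours_alerts(events):
    return [Alert("after_hours", ev.user, ev.ts,
                  f"{ev.action} of {ev.client_id} at {ev.ts.astimezone(AGENCY_TZ):%Y-%m-%d %H:%M} local")
            for ev in events if is_after_hours(ev)]


def caseload_violation_alerts(events, caseloads):
    return [Alert("caseload_violation", ev.user, ev.ts,
                  f"{ev.action} of {ev.client_id}, which is not on {ev.user}'s caseload")
            for ev in events if ev.client_id not in caseloads.get(ev.user, set())]


def bulk_export_alerts(events):
    """Fire once per user when distinct clients exported inside the rolling window reach the threshold."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "export":
            by_user[ev.user].append(ev)
    for user, evs in by_user.items():
        window = deque()
        armed = True
        for ev in evs:
            window.append(ev)
            while ev.ts - window[0].ts > BULK_EXPORT_WINDOW:
                window.popleft()
            distinct = {e.client_id for e in window}
            if len(distinct) >= BULK_EXPORT_THRESHOLD and armed:
                minutes = int(BULK_EXPORT_WINDOW.total_seconds() // 60)
                alerts.append(Alert("bulk_export", user, ev.ts,
                                    f"{len(distinct)} distinct clients exported within {minutes} min"))
                armed = False   # re-arm only after the window drains below the threshold
            elif len(distinct) < BULK_EXPORT_THRESHOLD:
                armed = True
    return alerts


def run_rules(events, caseloads):
    return (bulk_export_alerts(events)
            + after_hours_alerts(events)
            + caseload_violation_alerts(events, caseloads))


if __name__ == "__main__":
    for a in run_rules(EVENTS, CASELOADS):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Run on the sample, this produces one bulk_export alert for alice and an after_hours plus a caseload_violation alert for bob's 21:30 read; bob's daytime read of his own client produces nothing. The alert text carries only opaque client IDs, in line with the page's rule that PHI stays out of notification payloads.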
Audit & Compliance
- Append-only audit logs with SHA-256 chain hashing (tamper-evident: each entry commits to the hash of the previous one, so editing, inserting, or reordering earlier entries breaks the chain)
- 7-year retention (exceeds HIPAA's 6-year documentation retention minimum under 45 CFR 164.316(b)(2))
- Every login, data access, export, and approval is logged
- DHS audit packet builder (one-click assembly)
- Monthly compliance reports (PDF-ready for auditors)
- Workforce credential monitoring and expiration enforcement
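As an added example (not the product's own code), a minimal SHA-256 hash-chained audit log with a verifier, run over constructed events. It also shows the caveat a hash chain alone does not cover: deleting entries from the tail leaves a valid chain unless the latest head hash is anchored somewhere the log writer cannot rewrite. The record layout, the genesis value, and the `anchored_head` parameter are assumptions for the example.

```python
"""Added example: SHA-256 hash-chained audit log plus verifier.

Not the product's code. Record layout, genesis value and the out-of-band
head anchor are assumptions for the example.
"""
import copy
import hashlib
import json
from typing import Optional

GENESIS_HASH = "0" * 64   # assumption: prev_hash of the very first entry


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append-only write: the new entry commits to its predecessor's hash."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
             "hash": _entry_hash(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchored_head: Optional[str] = None):
    """Return (ok, first_bad_seq).

    Catches edits, insertions and reordering anywhere in the chain. Tail
    deletion is only caught when the expected head hash, recorded out of
    band (e.g. in a write-once store), is passed as anchored_head.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        if entry["hash"] != _entry_hash(i, prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(chain)
    return True, None


# Constructed sample events (opaque IDs only, no PHI).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T15:00:00Z", "user": "alice", "action": "login"},
    {"ts": "2025-03-04T15:01:10Z", "user": "alice", "action": "read", "client_id": "client-007"},
    {"ts": "2025-03-04T15:02:30Z", "user": "alice", "action": "export", "count": 3},
]


def build_chain(events) -> list:
    chain = []
    for e in events:
        append_entry(chain, e)
    return chain


def demo() -> dict:
    """Verify an intact chain, then four tampered copies of it."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]   # anchor this out of band after every write batch
    results = {"intact": verify_chain(chain, head)}

    edited = copy.deepcopy(chain)
    edited[1]["event"]["client_id"] = "client-999"       # silent edit of entry 1
    results["edited"] = verify_chain(edited, head)

    reordered = [chain[0], chain[2], chain[1]]           # swap entries 1 and 2
    results["reordered"] = verify_chain(reordered, head)

    truncated = chain[:-1]                                # drop the last entry
    results["truncated_unanchored"] = verify_chain(truncated)
    results["truncated_anchored"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, (ok, bad_seq) in demo().items():
        print(f"{name}: {'ok' if ok else f'broken at seq {bad_seq}'}")
```

The edited and reordered copies fail at entry 1; the truncated copy passes an unanchored check and fails only against the anchored head. Two design points follow from that: the head hash needs a home the database writer cannot overwrite (a write-once object, a signed value, or a key the log store does not hold), and an attacker with write access to every row can otherwise re-chain everything after the point of tampering.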