
ASP-RCM Security & HIPAA. Done the right way.

Healthcare data isn’t a marketing surface. It’s a regulatory obligation. ASP-RCM is built to the same standard as your hospital’s own infosec program. SOC 2 Type 2, ISO 27001, HIPAA-aligned controls, BAAs on every engagement, and an annual third-party audit you can read.

At a glance: SOC 2 Type 2; ISO 27001 + HIPAA; annual external audit, reports available under NDA.

Controls in place

The security posture, written down.

No vendor questionnaire dodge. Here’s what’s in place, today, in production.

01

SOC 2 Type 2

Audited annually by a Big-4-tier firm. Type 2 covers operating effectiveness over a 12-month window. Report shareable under NDA.

02

ISO 27001 certified

Information security management system aligned to the international standard. Surveillance audits annually, recertification every 3 years.

03

HIPAA + HITECH alignment

Administrative, physical, and technical safeguards mapped 1:1 to 45 CFR §§ 164.308–164.312. BAA executed on every client engagement.

04

Encryption everywhere

AES-256 at rest (RDS, S3, EBS, backups). TLS 1.3 in transit. AWS KMS-managed keys, customer-isolated.

05

Role-based access + MFA

Least-privilege RBAC. MFA required for every user. Privileged access is time-boxed and just-in-time.

06

Immutable audit log

Every PHI access logged with user, time, record, action. Logs are append-only, retained 7 years, exportable to client SIEM.
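
As an illustration of the properties this item lists (user, time, record and action on every entry; append-only; exportable to a SIEM), here is an added example of a tamper-evident access log. It is not ASP-RCM's code and says nothing about how their production logging is built; the field names, the SHA-256 hash chain and the sample entries are all assumptions made for the example. Each entry carries the hash of its predecessor, so changing, inserting or reordering any stored entry is detectable, and anchoring the newest hash externally (for instance by shipping it with the SIEM export) also catches truncation of the tail, which a chain alone cannot see.

```python
# Added example: a tamper-evident, append-only PHI access log. Not ASP-RCM's
# code; the schema, hashing scheme and sample data are constructed for illustration.
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

FIELDS = ("user", "time", "record", "action", "prev_hash")
GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(entry: Dict[str, str]) -> str:
    """Hash the canonical JSON form of an entry, prev_hash included."""
    payload = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True,
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only log: there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, str]] = []

    def append(self, user: str, record: str, action: str,
               time: Optional[str] = None) -> str:
        entry = {
            "user": user,
            "time": time or datetime.now(timezone.utc).isoformat(),
            "record": record,
            "action": action,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _entry_hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the newest entry; store it somewhere the log cannot reach."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> int:
        """Return -1 if intact, else the index of the first entry that fails.

        With an externally stored head hash, a truncated tail is reported as
        index len(entries); without it, truncation is invisible to the chain.
        """
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self._entries)
        return -1

    def export_jsonl(self) -> str:
        """One JSON object per line, a shape most SIEMs ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)

    def entries(self) -> List[Dict[str, str]]:
        """Copies, so callers cannot mutate the stored entries."""
        return [dict(e) for e in self._entries]


def demo() -> Dict[str, int]:
    """Constructed sample: three accesses, then a modified and a truncated copy."""
    log = AuditLog()
    log.append("dr.smith", "patient/1001", "read", "2024-05-01T09:00:00+00:00")
    log.append("billing.jo", "claim/55", "update", "2024-05-01T09:05:00+00:00")
    log.append("dr.smith", "patient/1001", "export", "2024-05-01T09:10:00+00:00")
    anchored_head = log.head()

    modified = AuditLog()  # simulates a corrupted stored copy
    modified._entries = log.entries()
    modified._entries[1]["action"] = "read"
    truncated = AuditLog()  # simulates a stored copy missing its last entry
    truncated._entries = log.entries()[:-1]
    return {
        "intact": log.verify(anchored_head),
        "modified": modified.verify(anchored_head),
        "truncated_no_anchor": truncated.verify(),
        "truncated_with_anchor": truncated.verify(anchored_head),
        "lines": len(log.export_jsonl().splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that immutability has to be verifiable, not just promised: `verify()` re-derives every hash, and the `expected_head` argument is what turns "append-only" into something a client's SIEM can independently check after export.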

Audit posture

Independently verified, not self-attested.

SOC 2 Type 2: annual audit, all 5 Trust Services Criteria
ISO 27001: certified, externally audited ISMS
HIPAA: BAA in every contract, no exceptions, no add-ons
7 years: log retention, append-only, immutable

How an incident plays out

If something goes wrong, this is what happens.

Documented in our incident response runbook.

01
Detection

Datadog + AWS GuardDuty alert on anomalies. SOC 2 mandates 24-hour acknowledgement; we run a 15-minute SLA.

02
Triage

On-call engineer + security lead engaged. Severity 1 escalates to leadership within 1 hour.

03
Containment

Affected service isolated. Credentials rotated. Snapshot taken for forensics.

04
Notification

Client notified within 24 hours of confirmed breach. HHS notification within 60 days where required.

05
Postmortem

Blameless postmortem published internally. Client receives written summary + remediation plan.

Ready to put Security & HIPAA in front of your CIO?

We’ll walk your team through the platform live, answer the hard questions, and leave you with documentation your security and engineering teams can actually evaluate.