Compliance
Security & Compliance
Our commitment to protecting health data. Built with a zero-PHI-storage architecture from the ground up.
Architecture
Zero PHI Storage
SALIMmd CDA tools are designed so that patient health information never touches our servers.
No Server-Side PHI
All FHIR data retrieved during a SMART on FHIR launch is processed entirely in the browser session. No patient data is transmitted to, stored on, or logged by SALIMmd servers.
Encryption in Transit
All connections use TLS 1.2 or higher. FHIR API calls are made directly between the clinician's browser and the health system's Epic Interconnect server, so SALIMmd infrastructure is never on the network path that carries PHI.
Session-Only Data
Clinical data is held only in page memory for the duration of the browser session. Closing the app or navigating away clears all patient context. No PHI is written to cookies, localStorage, or IndexedDB.
Minimal Scopes
Each CDA tool requests only the FHIR scopes it needs. All tools default to read-only access. The principle of minimum necessary is applied to every scope request.
HIPAA
Compliance Posture
Zero PHI Storage Architecture
No patient data is stored, cached, or logged on SALIMmd infrastructure.
Business Associate Agreement
BAA available for health system partners who require one for their compliance process.
Breach Notification
Formal breach notification procedures in place per HIPAA requirements.
Access Controls
OAuth 2.0 authorization through Epic's SMART on FHIR launch. No standalone SALIMmd user accounts hold PHI.
Audit Logging
Application access events are logged. No PHI is included in logs.
Token Management
OAuth2 access tokens expire per Epic configuration (typically 1 hour). Tokens are held in memory only and are never persisted to disk or browser storage.
Data Handling
What We Collect and What We Do Not
| Data Type | Collected | Stored | Notes |
|---|---|---|---|
| Patient clinical data (via FHIR) | In session only | Never | Processed in browser, cleared on close |
| OAuth2 access tokens | In session only | Never | Memory only, auto-expire per Epic config |
| Website analytics | Yes | Anonymized | Page views, no PII, no PHI |
| Contact form submissions | Yes | Encrypted | Name, email, org. No PHI accepted. |
| IP addresses | Server logs | 30 days | Security monitoring only |
Standards
Certifications & Alignment
SMART on FHIR
HL7 SMART App Launch Framework compliant
FHIR R4
HL7 FHIR Release 4 resource support
ONC USCDI
Aligned with US Core Data for Interoperability
WCAG 2.1 AA
Web Content Accessibility Guidelines compliance
SSL/TLS
TLS 1.2+ enforced on all connections
Epic Connection Hub
Listed on Epic Showroom (when live)
Security Questions?
For security assessments, BAA requests, or compliance documentation, contact our privacy team.