Compliance is not a feature.
It's the foundation.
Provider data is some of the most sensitive information in healthcare. Every architectural decision — from the database schema to the API gateway — is made against HIPAA, NCQA, URAC, CMS, and HITRUST from the start.
Framework coverage
Every standard that governs healthcare credentialing
We don't interpret standards loosely. Each control below is built into the platform — not checked at the compliance layer after the fact.
HIPAA & HITECH
45 CFR Parts 160 & 164 · Health Information Technology for Economic and Clinical Health Act
- ✓ AES-256 encryption at rest — per-tenant AWS KMS key, unique per organisation
- ✓ TLS 1.3 enforced in transit — TLS 1.0/1.1 rejected at the load balancer
- ✓ Business Associate Agreement (BAA) executed before any PHI enters the system
- ✓ WORM audit log — append-only, no UPDATE or DELETE ever granted to any app role
- ✓ 6-year PHI audit log retention (§164.530(j)) — exportable on request
- ✓ 15-minute idle session timeout, MFA mandatory with no opt-out
- ✓ Break-glass access for Clarvera staff requires an open support ticket — every access logged and reported to TENANT_ADMIN
- ✓ Consent revocation takes immediate effect — no cache, no grace period
- ✓ BAA gate enforced at middleware: baa_signed_at IS NULL → 403 on all PHI writes
- ✓ PHI never leaves your selected region — no cross-region transfer
NCQA & URAC
National Committee for Quality Assurance · URAC Accreditation Standards
- ✓ Credentialing case state machine aligned to NCQA credentialing elements
- ✓ Primary Source Verification (PSV) tracked per source: FSMB, NURSYS, DEA, ABMS, NPDB, OIG, SAM, NSC, employer, carrier
- ✓ Re-credentialing lifecycle with configurable due-date triggers and alerts
- ✓ Committee review workflow with quorum tracking and decision audit trail
- ✓ URAC delegation agreement management with client-level credentialing queues
- ✓ NCQA/URAC accreditation tracking for CVO clients
- ✓ Consolidated reporting across clients for delegated credentialing
- ✓ All PSV results retained with source, date, verifier, and response encrypted
CMS & ONC Interoperability
Centers for Medicare & Medicaid Services · 21st Century Cures Act
- ✓ FHIR R4 Patient Access API — CMS Interoperability Rule compliance
- ✓ Payer-to-payer FHIR API for provider data exchange (Enterprise)
- ✓ Network adequacy tracking aligned to CMS requirements
- ✓ OIG LEIE and SAM.gov exclusion checks run monthly for ALL active providers — mandatory, cannot be skipped
- ✓ Exclusion match alerts to credentialing team within minutes of check completion
- ✓ NPDB query pass-through with full result logging and retention
- ✓ Medicare enrollment tracking with status sync
- ✓ MIPS/MACRA reporting support (Enterprise tier)
SOC 2 Type II
AICPA Trust Services Criteria — Security, Availability, Confidentiality
- ✓ SOC 2 Type II audit in progress — expected Q4 2026
- ✓ SOC 2 Type I report available to customers under NDA on request
- ✓ Logical access controls with least-privilege defaults enforced at DB layer
- ✓ Change management process: all production changes reviewed and logged
- ✓ Incident response plan with documented RTO/RPO targets
- ✓ Vendor risk management: all sub-processors documented and assessed
- ✓ Automated encrypted backups with point-in-time recovery
- ✓ Continuous monitoring and alerting on access anomalies
HITRUST CSF
HITRUST Common Security Framework — Payor & Enterprise tier roadmap
- ✓ HITRUST CSF alignment in progress for Payor and Enterprise tiers
- ✓ Control mapping across HIPAA, NIST, ISO 27001, and CMS requirements
- ✓ Risk management framework with documented risk register
- ✓ Penetration testing conducted annually by independent third party
- ✓ Vulnerability management program with SLA-based remediation timelines
- ✓ Security awareness training for all staff with completion tracking
- ✓ Physical security controls for cloud infrastructure (inherited from AWS)
- ✓ Dedicated HITRUST assessment available for Enterprise customers on request
RBAC + ABAC + CBAC
Role-Based · Attribute-Based · Consent-Based Access Control
- ✓ Three-layer access control: role, attribute (tenant_type, subscription_tier, data_region), and consent
- ✓ Per-tenant identity isolation — credentials never shared across organisations
- ✓ Keycloak two-realm model: external tenants and internal staff fully separated
- ✓ Immutable tenant fields enforced by DB trigger — application layer alone is insufficient
- ✓ Cross-tenant consent model: providers explicitly grant orgs access to their profile
- ✓ Consent revocation is immediate — no caching, no deferred propagation
- ✓ SSO via OpenID Connect / SAML 2.0 (Professional & Enterprise)
- ✓ Every privilege grant and revocation logged to immutable audit trail
Additional safeguards
Built in, not bolted on
Immutable tenant fields
Tenant type, data region, and KMS key ID are enforced as immutable by a DB trigger — application-layer checks alone are not sufficient and are not relied upon.
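One way to enforce that rule at the database layer, as an added PostgreSQL example that is not Clarvera's own schema (the table name tenants and the column names tenant_type, data_region and kms_key_id are assumed, and the sample values are constructed):

```sql
-- Added example, not the platform's own schema. Assumed table and column names.
CREATE TABLE tenants (
    tenant_id    uuid PRIMARY KEY,
    tenant_type  text NOT NULL,
    data_region  text NOT NULL,
    kms_key_id   text NOT NULL,
    display_name text NOT NULL
);

-- Trigger function: reject any UPDATE that changes an immutable column.
-- Because this runs inside the database, it applies to every role and every
-- code path, including ad-hoc SQL that bypasses the application entirely.
CREATE OR REPLACE FUNCTION tenants_enforce_immutable() RETURNS trigger AS $$
BEGIN
    IF NEW.tenant_type IS DISTINCT FROM OLD.tenant_type
       OR NEW.data_region IS DISTINCT FROM OLD.data_region
       OR NEW.kms_key_id IS DISTINCT FROM OLD.kms_key_id THEN
        RAISE EXCEPTION
            'tenant_type, data_region and kms_key_id are immutable (tenant %)',
            OLD.tenant_id
            USING ERRCODE = 'check_violation';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER trg_tenants_immutable
    BEFORE UPDATE ON tenants
    FOR EACH ROW EXECUTE FUNCTION tenants_enforce_immutable();

-- Constructed sample tenant; the KMS key ID is a placeholder, not a real ARN.
INSERT INTO tenants VALUES (
    '11111111-1111-1111-1111-111111111111',
    'cvo', 'us-east-1', 'KMS_KEY_ID_PLACEHOLDER', 'Example CVO'
);

-- Allowed: a mutable column changes, the trigger lets it through.
UPDATE tenants SET display_name = 'Example CVO Inc'
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';

-- Rejected: attempting to move the tenant to another region raises
-- check_violation, no matter which application role issued the statement.
UPDATE tenants SET data_region = 'us-west-2'
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';
```

The second UPDATE fails with the exception text above; a row-level audit trigger on the same table would record both attempts, which is how a failed change becomes visible to TENANT_ADMIN reporting.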
Zero-trust architecture
Every service-to-service call requires a valid JWT with tenant_id and tenant_type claims. No implicit trust between services, even within the internal network.
NPDB query logging
All NPDB queries are logged with provider ID, query timestamp, response hash, and the user who initiated the query — retained for the life of the credential file.
Responsible disclosure
Security researchers are welcome. Email security@shinzox.com — we acknowledge within two business days and keep you updated through remediation.
Data residency
PHI is stored in your selected US region (US-EAST-1 or US-WEST-2) and never transferred across regions. Sub-processors are documented and minimised.
Automated backups
Encrypted point-in-time backups with documented RPO/RTO targets. Restore procedures exercised regularly. Backups use the same per-tenant KMS key material as live data.
Security contact
Have security questions, need a penetration test report, or want our SOC 2 Type I report under NDA?
security@shinzox.com