Compliance
Healthcare data requires more than a checkbox. Procedo's infrastructure was designed with HIPAA technical safeguards as a first-class requirement — not retrofitted after the fact.
Every layer of Procedo's stack — from data in transit to secrets at rest to who touched what and when — is built to meet the technical safeguard requirements of HIPAA and the expectations of hospital security teams.
Controls applied at the infrastructure and application level to protect PHI.
All stored data — database records, blobs, secrets — is encrypted using AES-256 via Azure-managed keys and Azure Key Vault.
All data in transit between clients, services, and the Epic FHIR API is encrypted with TLS 1.2 or higher. HTTP is not permitted.
API keys, connection strings, and credentials are stored exclusively in Azure Key Vault. No secrets in application config or code.
Access to patient data and administrative functions is gated by role. Least-privilege is enforced at both the application and Azure resource level.
Each hospital tenant's data is isolated at the database and application layer. Cross-tenant data access is architecturally prevented.
Every access to patient data is logged with a user identifier, timestamp, and action. Logs are retained and tamper-evident.
Long-term audit retention and point-in-time recovery controls aligned with HIPAA's 6-year documentation requirement.
Database audit logs are retained for 2,190 days (6 years) in blob storage, meeting HIPAA's documentation retention requirement.
Deleted blob data is retained in a soft-deleted state for 90 days, enabling recovery from accidental deletion without data loss.
BAAs are in place with all third-party infrastructure providers that process or store PHI on Procedo's behalf.
Primary cloud infrastructure — App Service, Azure SQL, Azure Key Vault, Blob Storage, Log Analytics
AI model inference via Vertex AI (Gemini) — used for clinical narrative generation
A clinical governance principle enforced at the architecture level, not as a UI option.
Procedo operates as an orchestration layer above the EHR. It surfaces AI-generated clinical intelligence for review — but writing anything to a patient record requires a licensed clinician to explicitly approve it. This is not a configurable setting. It is enforced architecturally. Every approval action is recorded in the audit trail with a clinician identifier and timestamp.
Tell us about your organization and we'll be in touch shortly.
Thank you for reaching out. A member of the Procedo Health team will be in touch within one business day.