How we keep patient data safe
Pulse Coder works with protected health information. Protecting that data is central to how the system is built, not a feature added later. This page explains, in plain terms, how our approach aligns with the HIPAA Security Rule.
Our foundation
Built on HIPAA-eligible AWS
Pulse Coder runs entirely on Amazon Web Services, using only services AWS certifies as HIPAA-eligible, the same infrastructure trusted by thousands of health systems.
Data stays in your chosen region
Patient records are stored in the AWS region that fits your location and preference, either the United States or India (Mumbai). All processing stays inside that environment.
A signed Business Associate Agreement
Pulse Coder operates as a HIPAA Business Associate. Before we handle any patient data, we sign a BAA, the formal contract that legally binds us to protect your patients' information.
Security by design
Encryption, network isolation, and access control are foundational properties of the platform, applied at every layer rather than bolted on after the fact.
How patient data is protected
Encrypted at every stage
Patient data is encrypted in transit and at rest. On top of storage encryption, the most sensitive fields, such as clinical notes and patient identifiers, are individually encrypted at the application level. Even if the database itself were breached, those fields would stay unreadable.
A private, sealed environment
Everything that touches patient data runs inside a private, isolated network with no direct exposure to the public internet. The only public touchpoint is a secure, encrypted entry gateway. The application, the AI processing, and the database sit behind it.
Private AI processing, no training on your data
Clinical documents are analyzed by AI entirely within the private environment. Data never crosses the public internet during processing, and it is never stored, reused, or used to train any AI model, by us or by any provider. PHI never touches the LLM: all AI inference runs on de-identified clinical text only.
Strict access controls
Every user has a unique login and access is scoped by role. A user can only see the cases belonging to their own organization. Unauthenticated access is blocked outright, and inactive sessions are logged out automatically.
A tamper-resistant activity trail
Every meaningful action, from document uploads to code assignments and record views, is recorded with who did what and when. Audit records cannot be altered or deleted after the fact, and patient names are replaced with internal reference codes.
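As an added illustration, not Pulse Coder's own code, here is one way the audit-trail properties described above (who did what and when, records that cannot be silently altered or dropped, patient names replaced by internal reference codes) can be realised: a hash-chained log whose verify() reports the first record that was altered or removed. The pseudonym key and the events are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed secret for the example; in practice it comes from a vault, never from code.
PSEUDONYM_KEY = b"example-pseudonym-key-not-real"


def patient_ref(patient_name: str) -> str:
    """Keyed, deterministic reference code so audit records never carry a real name."""
    digest = hmac.new(PSEUDONYM_KEY, patient_name.strip().lower().encode(), hashlib.sha256)
    return "PT-" + digest.hexdigest()[:12].upper()


class AuditTrail:
    """Append-only log where each record commits to the previous record's hash."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, actor: str, action: str, patient_name: str, ts: str | None = None) -> dict:
        """Record who did what, when, and to which (pseudonymised) patient."""
        prev_hash = self.records[-1]["hash"] if self.records else "0" * 64
        record = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "patient": patient_ref(patient_name),  # reference code, never the name
            "prev": prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> int | None:
        """Return the index of the first altered or out-of-chain record, or None if intact."""
        expected_prev = "0" * 64
        for i, rec in enumerate(self.records):
            if rec["prev"] != expected_prev or rec["hash"] != self._digest(rec):
                return i
            expected_prev = rec["hash"]
        return None
```

In a real deployment the chain head (the latest hash) would be anchored in write-once storage or periodically signed, so that truncating the whole tail of the log is also detectable.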
No secrets stored in code
Passwords, keys, and credentials are never written into our software. They live in a dedicated secure vault and are accessed only at runtime, closing one of the most common causes of data leaks.
How your data flows
Patient data never leaves the secure private environment at any point in this flow.
Your staff: authenticate with a unique, secure login.
Secure gateway: the only public touchpoint, encrypted connections only.
Pulse Coder application: verifies identity and permissions before any access.
AI processing: private and isolated, nothing retained.
Encrypted database: patient records, encrypted at rest.
Alignment with the HIPAA Security Rule
The HIPAA Security Rule defines the safeguards required to protect electronic patient health information. This is how Pulse Coder's design meets the rule's technical safeguards.
| What HIPAA requires | How Pulse Coder delivers |
|---|---|
| Access Control: limit who can reach patient data | Unique per-user logins, role-based permissions, automatic logout, and strict separation between organizations. |
| Audit Controls: track activity on patient data | A tamper-resistant audit trail logging every key action and record view. |
| Integrity: prevent improper alteration of data | Audit records cannot be modified or deleted after they are written. |
| Authentication: verify users are who they claim | Secure login required for every user; unauthenticated access is blocked. |
| Transmission Security: protect data in transit | All connections are encrypted; data only travels over secure channels. |
| Encryption: protect stored data | Data encrypted in storage, with additional field-level encryption on the most sensitive data. |
HIPAA also includes administrative and physical safeguards, such as facility security and operational policies. The physical security of the underlying servers is provided by AWS under its HIPAA-eligible infrastructure and Business Associate Agreement.
Connecting with hospital record systems
When Pulse Coder connects to hospital record systems such as Epic or Cerner, it uses the healthcare industry's standard secure sign-in method (SMART on FHIR). We never store your hospital's login credentials. Access is granted only for the duration of an active, authorized session and ends when that session ends.
What happens when a contract ends
If your organization stops working with us, all patient data belonging to you is either returned or permanently deleted, including backups, which are automatically erased within a short, defined window. Nothing is kept beyond what our agreement allows.
Questions?
We're glad to walk your security or compliance team through any part of this in more detail, and to provide our Business Associate Agreement for review.
Talk to us