HIPAA Compliant

How we keep patient data safe

Pulse Coder works with protected health information. Protecting that data is central to how the system is built, not a feature added later. This page explains, in plain terms, how our approach aligns with the HIPAA Security Rule.

Our foundation

Built on HIPAA-eligible AWS

Pulse Coder runs entirely on Amazon Web Services, using only the services AWS designates as HIPAA-eligible and covers under its Business Associate Addendum, the same infrastructure trusted by thousands of health systems.

Data stays in your chosen region

Patient records are stored in the AWS region that fits your location and preference, either the United States or India (Mumbai), and all processing stays inside that region.

A signed Business Associate Agreement

Pulse Coder operates as a HIPAA Business Associate. Before we handle any patient data, we sign a BAA, the formal contract that legally binds us to protect your patients' information.

Security by design

Encryption, network isolation, and access control are foundational properties of the platform, applied at every layer rather than bolted on after the fact.

How patient data is protected

Encrypted at every stage

Patient data is encrypted in transit and at rest. On top of storage encryption, the most sensitive fields, such as clinical notes and patient identifiers, are individually encrypted at the application level before they are written, with the keys held outside the database. Even an attacker holding a complete copy of the database would find those fields unreadable.
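As an added illustration of what "individually encrypted at the application level" means in practice (this is example code written for this page, not Pulse Coder's own implementation), the following Go program seals one field with AES-256-GCM and binds the ciphertext to the record and column it belongs to. The key is generated at start-up purely so the example runs offline; in a real deployment it would be fetched from the vault or KMS at runtime. The record IDs and column names are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// dataKey stands in for the data-encryption key the application would fetch
// from its vault/KMS at runtime. It is generated here only so the example
// runs offline (assumption for this example, not real key management).
var dataKey = mustRandom(32)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aad binds a ciphertext to the row and column it was written for.
func aad(recordID, column string) []byte {
	return []byte(recordID + "\x00" + column)
}

// EncryptField seals one sensitive field with AES-256-GCM. The record ID and
// column name go in as additional authenticated data, so a ciphertext copied
// from one patient's row (or another column) fails to decrypt instead of
// silently reading back as someone else's data. The random 12-byte nonce is
// stored in front of the ciphertext.
func EncryptField(key []byte, recordID, column, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := mustRandom(gcm.NonceSize())
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Tampering, a wrong key, or a ciphertext
// moved to a different record or column all surface as an error, never as
// garbage plaintext.
func DecryptField(key []byte, recordID, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, column))
	if err != nil {
		return "", fmt.Errorf("%s/%s: authentication failed: %w", recordID, column, err)
	}
	return string(pt), nil
}

func main() {
	// Constructed sample record, not real patient data.
	ct, _ := EncryptField(dataKey, "case-1042", "clinical_note", "Patient reports chest pain on exertion.")
	fmt.Println("stored in database:", ct)
	pt, _ := DecryptField(dataKey, "case-1042", "clinical_note", ct)
	fmt.Println("read back by the application:", pt)
	// The same ciphertext presented as another patient's note is rejected.
	_, err := DecryptField(dataKey, "case-2077", "clinical_note", ct)
	fmt.Println("moved to another record:", err)
}
```

The point of the additional authenticated data is the check a practitioner should ask about: without it, storage-level encryption plus a per-field cipher still lets someone with write access to the database swap one patient's encrypted note into another patient's row and have the application decrypt it happily.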

A private, sealed environment

Everything that touches patient data runs inside a private, isolated network with no direct exposure to the public internet. The only public touchpoint is a secure, encrypted entry gateway. The application, the AI processing, and the database sit behind it.

Private AI processing, no training on your data

Clinical documents are analyzed by AI entirely within the private environment. Data never crosses the public internet during processing, and nothing sent to the model is stored, reused, or used to train any AI model, by us or by any provider. PHI never reaches the language model: identifiers are removed first, and inference runs only on that de-identified clinical text.

Strict access controls

Every user has a unique login and access is scoped by role. A user can only see the cases belonging to their own organization. Unauthenticated access is blocked outright, and inactive sessions are logged out automatically.

A tamper-resistant activity trail

Every meaningful action, from document uploads to code assignments and record views, is recorded with who did what and when. The audit trail is append-only: records cannot be altered or deleted after they are written, and patient names are replaced with internal reference codes so the trail itself does not expose them.
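One way to make an audit trail tamper-evident rather than merely access-controlled, shown here as an added example written for this page and not as Pulse Coder's own logging code, is to chain each entry to the previous one with a keyed MAC. The key is assumed to live in the secrets vault (it is a constructed placeholder below); the actors, timestamps and reference codes are invented sample data. Anyone who can write to the log store but does not hold the key cannot alter, reorder or remove an entry without the verifier noticing.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEntry is one recorded action. SubjectRef is an internal reference code
// for the patient, never a name. Prev links the entry to the one before it;
// MAC authenticates the entry together with that link.
type AuditEntry struct {
	Seq        int
	Timestamp  string
	Actor      string
	Action     string
	SubjectRef string
	Prev       string
	MAC        string
}

// AuditLog is an append-only chain. The key is assumed to be fetched from the
// secrets vault at runtime and never stored beside the log itself.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// canonical serialises the authenticated fields. The ASCII unit separator is
// used because none of these fields may contain it; a production log would use
// a length-prefixed encoding instead.
func canonical(e AuditEntry) []byte {
	return []byte(strings.Join([]string{
		fmt.Sprint(e.Seq), e.Timestamp, e.Actor, e.Action, e.SubjectRef, e.Prev,
	}, "\x1f"))
}

func (l *AuditLog) mac(e AuditEntry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action and chains it to the previous entry.
func (l *AuditLog) Append(ts, actor, action, subjectRef string) AuditEntry {
	e := AuditEntry{Seq: len(l.entries), Timestamp: ts, Actor: actor, Action: action, SubjectRef: subjectRef}
	if n := len(l.entries); n > 0 {
		e.Prev = l.entries[n-1].MAC
	}
	e.MAC = l.mac(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify re-walks the chain and returns the index of the first entry that has
// been altered, removed or reordered, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.Prev != prev || !hmac.Equal([]byte(e.MAC), []byte(l.mac(e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Head returns the MAC of the latest entry. Recording it somewhere the log
// store cannot write (a separate account, a signed timestamp) is what lets a
// verifier detect silent truncation of the tail, which the chain alone cannot.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].MAC
}

func main() {
	// Constructed key and events for the example; not real data.
	trail := NewAuditLog([]byte("placeholder-for-key-fetched-from-vault"))
	trail.Append("2024-05-01T09:00:00Z", "coder-17", "upload_document", "PT-00091")
	trail.Append("2024-05-01T09:02:11Z", "coder-17", "assign_code:I20.9", "PT-00091")
	trail.Append("2024-05-01T09:05:40Z", "auditor-3", "view_record", "PT-00091")
	fmt.Println("intact, first bad index:", trail.Verify())
	trail.entries[1].Action = "assign_code:I21.9" // edit after the fact
	fmt.Println("after edit, first bad index:", trail.Verify())
}
```

The caveat worth raising with any vendor: a hash or MAC chain proves that nothing in the middle was changed, but dropping the newest entries leaves a perfectly valid shorter chain. Detecting that requires periodically anchoring the head MAC outside the log's own store, which is why Head is exposed separately.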

No secrets stored in code

Passwords, keys, and credentials are never written into our source code. They live in a dedicated secrets vault and are fetched by the application only at runtime, closing one of the most common causes of data leaks: credentials exposed through repositories, build artifacts, or logs.

How your data flows

Patient data never leaves the secure private environment at any point in this flow.

1. Secure login. Your staff authenticate with a unique, secure login.

2. Entry point: secure gateway. The only public touchpoint; encrypted connections only.

3. Private network: Pulse Coder application. Verifies identity and permissions before any access.

4. Private network: AI processing. Private and isolated; nothing is retained.

5. Private network: encrypted database. Patient records, encrypted at rest.

Alignment with the HIPAA Security Rule

The HIPAA Security Rule defines the safeguards required to protect electronic protected health information (ePHI). This is how Pulse Coder's design maps to the rule's technical safeguards (45 CFR 164.312).

What HIPAA requires, and how Pulse Coder delivers:

Access Control (limit who can reach patient data): unique per-user logins, role-based permissions, automatic logout, and strict separation between organizations.

Audit Controls (track activity on patient data): a tamper-resistant audit trail logging every key action and record view.

Integrity (prevent improper alteration of data): audit records cannot be modified or deleted after they are written, so any change to a record is itself permanently recorded.

Person or Entity Authentication (verify users are who they claim): secure login required for every user; unauthenticated access is blocked.

Transmission Security (protect data in transit): all connections are encrypted; data only travels over secure channels.

Encryption (protect stored data; in the rule this is an addressable implementation specification under the Access Control and Transmission Security standards rather than a standard of its own): data encrypted in storage, with additional field-level encryption on the most sensitive data.

HIPAA also includes administrative and physical safeguards, such as facility security and operational policies. The physical security of the underlying servers is provided by AWS under its HIPAA-eligible infrastructure and Business Associate Agreement.

Connecting with hospital record systems

When Pulse Coder connects to hospital record systems such as Epic or Cerner, it uses SMART on FHIR, the healthcare industry's standard OAuth 2.0-based authorization method. Your staff sign in to the hospital's own system; Pulse Coder receives only an access token scoped to that authorized session, so we never see or store your hospital's login credentials. Access lasts only for the duration of the active session and ends when that session ends.

What happens when a contract ends

If your organization stops working with us, all patient data belonging to you is either returned or permanently deleted, including backups, which are automatically erased within a short, defined window. Nothing is kept beyond what our agreement allows.

Questions?

We're glad to walk your security or compliance team through any part of this in more detail, and to provide our Business Associate Agreement for review.

Talk to us