Legal
HIPAA posture
Last updated June 6, 2026.
Upstream is HIPAA-aligned, with the required safeguards in place. This page describes our actual posture, plainly. We sign a Business Associate Agreement with every practice before any protected health information is handled.
What HIPAA-aligned means here
It means our handling of protected health information is built to the HIPAA Security Rule: encryption, access controls, audit logging, and a Business Associate Agreement that sets out each side's duties. There is no government-issued HIPAA certification, so we state our posture rather than claim a certification we do not hold.
How PHI is protected
- Encrypted. PHI is encrypted at rest and in transit.
- Scoped. PHI is isolated to your practice's tenant and never pooled across customers.
- Human-approved. Every action that touches PHI waits for a person on your team to approve before it executes.
- Minimized. We collect and process only the PHI needed to do the work.
- Audited. Access to PHI is logged so that both access and changes can be reviewed.
Business Associate Agreement
We act as a Business Associate to your practice. We sign a Business Associate Agreement before handling PHI, covering permitted uses, safeguards, breach notification, and the return or destruction of PHI when the relationship ends.
The network and PHI
The benchmarks and synthetic data in Upstream Data carry no protected health information. Benchmarks are derived from payer behavior, not patients, and synthetic claims are generated, never copied from a real record. PHI never leaves your practice through the network or the API.
Reporting a concern
If you believe PHI has been handled improperly, tell us right away at security@upstream.cx so we can investigate and respond.