Security

Built for healthcare. Not retrofitted.

Every decision, from database design to API structure, treats patient data protection as the first constraint, not an afterthought.

HIPAA compliantBAA availableSOC 2 planned
Core safeguards

How we protect your data.

Encryption everywhere

PHI is encrypted at rest with AES-256 and in transit over TLS 1.2+. Encryption keys are managed through secure infrastructure.

Practice-level isolation

Row-level security at the database layer means no practice can ever access, query, or view another practice's data.

Minimum necessary access

Role-based controls at the application and database layers. People see only the data their role requires.

Immutable audit logs

Every access to PHI is logged with user, action, timestamp, and records, retained at least six years for review.

Authentication

MFA for administrative access, short-lived sessions with automatic expiry, and enforced password complexity.

Incident response

A documented plan with defined escalation paths and breach-notification timelines compliant with HIPAA.

Data flow

How a referral moves through Tether.

01

Created

A user uploads a referral or fills the form. Data travels over TLS 1.2+ to Tether's API, validated and sanitized server-side.

02

Processed

AI extracts structured patient data in an isolated environment. The original document is stored encrypted; extracted data is written to the practice's isolated rows.

03

Transmitted

If the receiving practice is on Tether, the referral appears instantly over encrypted channels. If not, a HIPAA-compliant e-fax is sent with delivery confirmation.

04

Tracked & closed

Both sides see status in real time, every change logged. When the visit completes, the referring provider is notified and the record is closed.

05

Retained or deleted

Data is retained to healthcare record requirements. Practices can request export or deletion; deletion is verified and logged.

Business Associate Agreements

Tether executes a BAA with every practice before any PHI is processed, at no additional cost. Our BAA covers referral data, patient communications, and document storage.

  • Provided to all practices before onboarding begins, available for review in advance.
  • BAAs are also executed with every infrastructure provider that handles PHI.
  • A full subprocessor list is available on request.

Questions about our security practices? Email support@tetherhealth.co

Security you can put in front of compliance.

We're happy to walk your team through the architecture and share our BAA before you commit to anything.

Request a demo