Security
Your patient data and your audit answers never touch our servers.
HIPAAPath is built so the sensitive part of your HIPAA self-assessment — your practice details, your device inventory, your workforce roster, your risk findings — lives only on your own device. We designed it this way on purpose: the safest data is the data we never hold.
How your answers stay on your device
As you work through the chapters, your answers are saved directly in your browser's built-in database (IndexedDB) — not on our servers. You can verify this yourself: open your browser's developer tools and look under Application → IndexedDB.
When you finish, the Practice Security Manual you generate is built in your browser and downloaded straight to your computer for you to keep, share, or store wherever you choose. To move your work between devices, you export a Restore File and import it yourself — it never passes through us. Signing in (when you choose to) only carries your email, never your answers.
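The on-device flow described above, as an added JavaScript example that is not HIPAAPath's own code: answers are written to an IndexedDB object store, exported as a JSON Restore File built in the browser, and validated before being imported back. The database name, store name, format tag and record shape are assumptions for illustration only; the IndexedDB and download calls run only in a browser, while the export and import functions are plain JavaScript.

```javascript
// Added example (not HIPAAPath's code). DB_NAME, STORE, RESTORE_FORMAT and the
// record shape are assumptions chosen for illustration.
const DB_NAME = 'hipaapath-demo';        // hypothetical database name
const STORE = 'answers';                 // hypothetical object-store name
const RESTORE_FORMAT = 'restore-file/1'; // hypothetical format tag for the exported file

// Keys a restore file may contain at the top level; anything else is rejected on import.
const ALLOWED_TOP_LEVEL = new Set(['format', 'exportedAt', 'answers']);

// Open (or create) the local IndexedDB database. Browser only.
function openAnswerStore() {
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(DB_NAME, 1);
    req.onupgradeneeded = () => req.result.createObjectStore(STORE, { keyPath: 'questionId' });
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

// Write one answer; the transaction is local to the browser and nothing is sent anywhere.
function saveAnswer(db, questionId, value) {
  return new Promise((resolve, reject) => {
    const tx = db.transaction(STORE, 'readwrite');
    tx.objectStore(STORE).put({ questionId, value, updatedAt: Date.now() });
    tx.oncomplete = () => resolve();
    tx.onerror = () => reject(tx.error);
  });
}

// Read every stored answer back.
function loadAnswers(db) {
  return new Promise((resolve, reject) => {
    const req = db.transaction(STORE, 'readonly').objectStore(STORE).getAll();
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

// Serialize answers into the Restore File envelope (pure function, runs anywhere).
function buildRestoreFile(answers, exportedAt = new Date().toISOString()) {
  return JSON.stringify({ format: RESTORE_FORMAT, exportedAt, answers }, null, 2);
}

// Validate a restore file before anything is written back into IndexedDB.
// The file is user-supplied input: size-limit it, require a known format tag,
// allow only expected keys, and rebuild each record from checked fields.
function parseRestoreFile(text, maxBytes = 5 * 1024 * 1024) {
  if (typeof text !== 'string' || text.length > maxBytes) throw new Error('restore file too large or not text');
  const doc = JSON.parse(text);
  if (!doc || typeof doc !== 'object' || Array.isArray(doc)) throw new Error('restore file is not an object');
  for (const k of Object.keys(doc)) if (!ALLOWED_TOP_LEVEL.has(k)) throw new Error(`unexpected key: ${k}`);
  if (doc.format !== RESTORE_FORMAT) throw new Error(`unsupported format: ${doc.format}`);
  if (!Array.isArray(doc.answers)) throw new Error('answers must be an array');
  return doc.answers.map((a, i) => {
    if (!a || typeof a.questionId !== 'string' || a.questionId.length > 200) throw new Error(`bad questionId at ${i}`);
    if (typeof a.value !== 'string' && typeof a.value !== 'boolean') throw new Error(`bad value at ${i}`);
    return { questionId: a.questionId, value: a.value, updatedAt: Number(a.updatedAt) || 0 };
  });
}

// Offer the restore file as a download built from a Blob in the browser (no upload involved).
function downloadRestoreFile(text, filename = 'hipaapath-restore.json') {
  const url = URL.createObjectURL(new Blob([text], { type: 'application/json' }));
  const a = Object.assign(document.createElement('a'), { href: url, download: filename });
  a.click();
  URL.revokeObjectURL(url);
}

// Constructed sample answers (no real practice data) to exercise export and import.
const SAMPLE_ANSWERS = [
  { questionId: 'ch1-q1', value: 'yes', updatedAt: 1700000000000 },
  { questionId: 'ch2-q3', value: false, updatedAt: 1700000001000 },
];
const exported = buildRestoreFile(SAMPLE_ANSWERS, '2024-01-01T00:00:00.000Z');
const roundTrip = parseRestoreFile(exported);
console.log(roundTrip.length, 'answers survive export/import');

if (typeof indexedDB !== 'undefined') {
  // Browser only: persist the sample answers locally, then read them back.
  openAnswerStore()
    .then(async (db) => {
      for (const a of SAMPLE_ANSWERS) await saveAnswer(db, a.questionId, a.value);
      return loadAnswers(db);
    })
    .then((rows) => console.log('stored locally:', rows.length));
}
```

The import validation is the part worth copying: a restore file is untrusted input the user picked from disk, so it is size-limited, must carry a known format tag, may contain only expected top-level keys, and each record is rebuilt from checked fields rather than written into the store as-is.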
No PHI on our servers
HIPAAPath is not a covered entity or business associate under HIPAA. The application is designed so that no Protected Health Information (PHI) or patient Personally Identifiable Information (PII) is ever entered into or transmitted through our platform — and you should never enter patient names, dates of birth, or other PHI into any field in this tool. This mirrors our Privacy Policy, which is the authoritative statement of how we handle data.
What we do store on our servers
To be straight with you: running an account and a paid product means a small amount of data does live on our servers. We keep that list short and free of anything clinical. When you sign in or subscribe, we store:
- Account information — your name and email address from your chosen sign-in provider (email link, Google, or Microsoft), and the link to that provider.
- Terms acceptance — a record that you accepted the Terms of Service (when, and which version).
- Email preferences — whether you opted in to quarterly compliance updates.
- Subscription status — your Stripe customer link and whether your Carrier Summary purchase or Founding Member subscription is active.
That is the whole list. Your chapter answers, your risk findings, and anything that could identify a patient are not in it — they stay in your browser.
Encryption & data residency
All traffic between your browser and HIPAAPath is encrypted in transit over HTTPS (TLS). The limited account data described above is held in a managed United States database and is encrypted at rest by that provider. Because your audit answers and any PHI never leave your browser, they are never stored in — or transmitted to — any of our systems in the first place.
The services we rely on
We use a small set of established providers to run HIPAAPath. None of them receive your audit answers or patient data. Here is each one and what it can — and cannot — see:
Vercel
Hosts and serves the website and application.
Sees: Standard web-request data (your IP address, browser type, the pages you load).
Never sees: Your audit answers or any patient data — those stay in your browser.
Neon
Managed Postgres database that stores your account.
Sees: Your account record: name, email, identity-provider link, Terms acceptance, email-preference flags, and subscription status.
Never sees: Your chapter answers, risk findings, or any PHI — none of it is written to the database.
Resend
Sends transactional and compliance-update email.
Sees: Your email address and the content of the emails we send you (sign-in links, compliance updates).
Never sees: Your audit answers or patient data — we never email them, because we never have them.
Stripe
Processes payments for the Carrier Summary and Founding Member subscription.
Sees: Your payment details and customer/subscription metadata, handled entirely on Stripe’s systems.
Never sees: Your full card number (we never receive it) or your audit answers.
Learn more
For the full, authoritative detail on what we collect, how long we keep it, and how to delete your account, see our Privacy Policy and Terms of Service. For official HIPAA source material and security frameworks, see our Resources page.