HIPAA

JamEMR is designed to support customers' HIPAA compliance obligations, with safeguards mapped to the Security Rule and BAAs executed before any PHI is handled. No vendor is "HIPAA certified" — we say so plainly.

Our position, stated plainly

JamEMR is designed to support our customers’ HIPAA compliance obligations. When JamEMR handles protected health information on behalf of a covered entity, we act as a business associate and execute a Business Associate Agreement before any PHI is handled.

One thing we will never say: “HIPAA certified.” No such certification exists — no government body certifies HIPAA compliance, and any vendor claiming a HIPAA certification is describing something that does not exist. What responsible vendors can do is implement the required safeguards, document them, and stand behind them contractually. That is our approach.

What is in place today

Mapped loosely to the HIPAA Security Rule’s safeguard categories:

Administrative safeguards

  • Designated Privacy Officer and Security Officer roles are assigned and active.
  • Privileged operational changes are approval-gated: they require explicit human sign-off.
  • Pilot deployments use synthetic (non-real-patient) data until a practice’s compliance prerequisites — including a signed BAA — are complete.

Physical safeguards

  • Clinical AI inference runs on dedicated local hardware inside the deployment environment. PHI is not sent to third-party consumer AI clouds for clinical AI processing, which keeps the physical footprint of PHI small and knowable.

Technical safeguards

  • Role-based access control with least-privilege roles; front-desk staff cannot access clinical AI functions.
  • Application-level audit logging of chart access and changes, including ambient-note drafts, edits, and signatures.
  • Registered, revocable API tokens for service-to-service calls.
  • TLS encryption in transit on exposed interfaces; disk-level encryption at rest, configured per deployment.

On our roadmap

  • A formal HIPAA risk analysis refresh and a documented policy pack are in progress. We treat the risk analysis as a living obligation, not a one-time artifact.
  • Third-party penetration testing is planned before general availability.
  • A SOC 2 Type II examination is planned but has not started. SOC 2 is not a HIPAA requirement, but its evidence discipline complements HIPAA obligations, and we do not claim it until it is complete.

Shared responsibility

HIPAA compliance is shared: JamEMR provides safeguards and contractual commitments; covered entities remain responsible for their own policies, workforce training, and appropriate use of the system. We are glad to walk your compliance team through the details — contact [email protected].
