Our approach
JamEMR is an AI-native EMR built by a physician-led team, currently in pilot. That stage shapes how we talk about security: we tell you exactly what is in place today, and exactly what is still on the roadmap. We never blur the two.
The foundation of our security model is architectural: clinical AI inference runs on dedicated GPU hardware inside the deployment environment. Protected health information is not sent to third-party consumer AI clouds for clinical AI processing. Most AI security questions — “who else sees the data?”, “where do prompts go?” — are answered by keeping the data where it already is.
What is in place today
- Local clinical AI processing. Ambient documentation and other clinical AI functions run on dedicated local hardware inside the deployment environment, not on consumer AI clouds.
- Role-based access control. Least-privilege roles are enforced at the application level. Front-desk staff, for example, cannot invoke clinical AI functions.
- Audit logging. Chart access and changes are logged at the application level, including every ambient-note draft, edit, and signature.
- Registered API tokens. Service-to-service calls require registered, revocable tokens. Unregistered callers are rejected.
- Encryption. TLS protects data in transit on exposed interfaces; data at rest is protected with disk-level encryption, configured per deployment.
- Approval-gated administrative changes. Privileged operational changes require explicit human approval before they take effect.
- Schema-migration discipline. Database changes ship as versioned, reviewed migrations — no ad-hoc schema edits.
- Named accountability. Designated Privacy Officer and Security Officer roles are assigned and active.
- Synthetic data in pilots. Pilot deployments run on synthetic (non-real-patient) data until a practice’s compliance prerequisites are complete.
On our roadmap
- Third-party penetration testing, planned before general availability.
- SOC 2 Type II examination, planned. It has not started, and JamEMR does not claim SOC 2 compliance today.
- Formal HIPAA risk analysis refresh and documented policy pack, in progress.
- Formal, SLA-backed disaster-recovery commitments. Today we run scheduled backups and are formalizing restore procedures.
Learn more
Each area above has its own page in this Trust Center — see Encryption, Access Controls, Audit Logging, and the Compliance Roadmap. Security questions or reports: [email protected].