Security & HIPAA

Built around PHI from day one.

Polaris is HIPAA-aligned. Every workflow assumes the data is protected health information and is treated accordingly — at rest, in transit, in the audit log, and in our incident response.

Controls in place

The whole stack, treated as PHI.

Signed BAA

We sign a Business Associate Agreement with every practice before any PHI touches the platform.

Encryption

TLS 1.2+ in transit. AES-256 at rest for the database, file storage, and backups.

Role-based access

Granular roles — admin, provider, tech, billing, viewer — enforced server-side via row-level policies.

Audit logging

Tamper-evident, append-only log of who viewed or changed each chart, with IP and user-agent.

Backups

Point-in-time recovery for the last 7 days, with encrypted off-site daily snapshots.

Network isolation

Database and file storage are not directly reachable from the public internet.

Note locking & cosign

Signed session notes are locked. Amendments are versioned. Tech notes require provider cosign.

Incident response

A documented response plan with breach-notification SLAs aligned with HIPAA §164.410.

What you can verify yourself.

  • "Who viewed this chart" viewevery PHI read and write is timestamped and attributed to a named user.
  • Session timeoutidle sessions are revoked; refresh tokens rotate on use.
  • Granular rolesfront desk, MA/RN, provider, biller, and supervisor scopes.
  • Self-serve data exportadmins can export their full practice dataset on demand.

Report a vulnerability

If you believe you have found a security issue, please email security@polaristms.app. We respond within one business day.