Built around PHI from day one.
Polaris is HIPAA-aligned. Every workflow assumes the data is protected health information and is treated accordingly — at rest, in transit, in the audit log, and in our incident response.
The whole stack, treated as PHI.
Signed BAA
We sign a Business Associate Agreement with every practice before any PHI touches the platform.
Encryption
TLS 1.2+ in transit. AES-256 at rest for the database, file storage, and backups.
Role-based access
Granular roles — admin, provider, tech, billing, viewer — enforced server-side via row-level policies.
Audit logging
Tamper-evident, append-only log of who viewed or changed each chart, with IP and user-agent.
Backups
Point-in-time recovery for the last 7 days, with encrypted off-site daily snapshots.
Network isolation
Database and file storage are not directly reachable from the public internet.
Note locking & cosign
Signed session notes are locked. Amendments are versioned. Tech notes require provider cosign.
Incident response
A documented response plan with breach-notification SLAs aligned with HIPAA §164.410.
What you can verify yourself.
- "Who viewed this chart" view — every PHI read and write is timestamped and attributed to a named user.
- Session timeout — idle sessions are revoked; refresh tokens rotate on use.
- Granular roles — front desk, MA/RN, provider, biller, and supervisor scopes.
- Self-serve data export — admins can export their full practice dataset on demand.
Report a vulnerability
If you believe you have found a security issue, please email security@polaristms.app. We respond within one business day.