PracticeHub
Security & compliance

Built like every mistake could leak PHI

That's the engineering assumption behind PracticeHub. Healthcare operations software earns trust through architecture, not marketing claims — here's ours.

Tenant isolation, enforced in the database

Every tenant-owned record carries an organization ID, and PostgreSQL row-level security policies — not application code — decide what any session can read or write. Cross-tenant access is structurally impossible through the API surface, and we test isolation with adversarial fixtures.

HIPAA-ready posture with BAAs across the stack

PracticeHub operates as a business associate to the practices it serves. Business associate agreements are in place with our infrastructure vendors — including our database/auth provider, hosting, telephony, and voice AI vendors — before any PHI-bearing workload is enabled for a practice.

Append-only audit trail

Schedule changes, ticket actions, communications, configuration changes, and every AI tool call write immutable audit events with actor, action, and time. Audit rows cannot be edited or deleted through the application.

Human-in-the-loop AI governance

AI agents act only through narrow, individually-permissioned server-side tools — never raw database access. High-risk actions (clinical decisions, refill approvals, claim submission) always require human review. When an agent is unsure, it escalates to a human queue instead of improvising.

Least-privilege keys and PHI-safe logging

Service credentials never ship to browsers. Public clients use publishable keys constrained by row-level security. Application logs are designed to exclude message bodies, patient identifiers, tokens, and credentials.

Deterministic where it matters

Scheduling, permissions, task routing, and messaging compliance (STOP/START/HELP) are deterministic systems with tests — AI can explain and assist, but it cannot silently override the rules.

Questions or security reports

We welcome security questions during evaluation and responsible disclosure of vulnerabilities. Reach the team at security@practicehub.dev. For details on how we handle personal information, see our Privacy Policy.