HIPAA Compliant · BAA Available

HIPAA compliance, engineered in — not bolted on.

Arc Care is built end-to-end to meet HIPAA's Privacy, Security, and Breach Notification Rules. Every byte of PHI is encrypted, every access is logged, and every customer gets a signed Business Associate Agreement.

Our HIPAA Commitment

Arc Care operates as a HIPAA Business Associate.

We sign a Business Associate Agreement (BAA) with every covered entity and downstream business associate before any PHI is exchanged. PHI is encrypted at rest and in transit, segregated by tenant, and access is restricted by role.

PHI is never used to train external or third-party AI models. Period.

HIPAA Safeguards

Mapped to the HIPAA Security Rule.

Administrative Safeguards

  • Designated security and privacy officers
  • Workforce training on PHI handling
  • Documented incident response and breach notification
  • Business Associate Agreements (BAAs) with every customer

Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Role-based access control (RBAC) with least-privilege defaults
  • Multi-factor authentication for all privileged access
  • Immutable, timestamped audit logs of every access and decision

Physical Safeguards

  • Hosted in HIPAA-eligible, SOC 2-audited cloud infrastructure
  • Geographic data isolation and disaster recovery
  • No PHI stored on local or developer machines

At a glance

  • HIPAA: Compliant by design
  • BAA: Signed with every customer
  • AES-256: Encryption at rest
  • TLS 1.2+: Encryption in transit

Clinical Governance

No decision goes out without nurse or MD oversight.

Arc Care is an AI engine — never an autonomous decision-maker. Every recommendation is surfaced to a credentialed reviewer, with structured override, rationale, and citation tracking baked into the workflow and the audit log.

FAQ

HIPAA, in plain language.

Will Arc Care sign a BAA?

Yes. A signed Business Associate Agreement is a standard part of every customer engagement, executed before any PHI is shared.

Where is PHI stored?

PHI is stored in HIPAA-eligible, SOC 2-audited cloud infrastructure within the United States. Tenants are logically segregated.

Is PHI used to train AI models?

No. PHI is never used to train external or third-party AI models, and is never shared outside your tenant boundary.

Who can access PHI?

Only authorized personnel with a documented need-to-know. Access is enforced through role-based access control, MFA, and immutable audit logs.

What happens in a security incident?

Arc Care follows a documented incident response plan with breach notification timelines aligned to HIPAA and applicable state laws.

Need our security documentation?

Request our security overview, BAA template, and compliance documentation as part of your evaluation.