
Security & Compliance

Built with clinical-grade security from day one.

HIPAA compliance isn't a checkbox we added later. It's baked into every layer of the platform, from database encryption to access control to audit logging.

๐Ÿ›ก๏ธ HIPAA Compliant
๐Ÿ”’ AES-256 Encryption
๐Ÿ” TLS 1.3 in Transit
๐Ÿ“‹ BAA Available

How we protect your data

Security at every layer

๐Ÿฅ

HIPAA Compliance

  • Comprehensive HIPAA compliance program maintained across all systems
  • Business Associate Agreements (BAAs) available on Practice plans, included on Clinic plans
  • Regular security risk assessments and internal audits
  • PHI access audit trail: every access to patient data is logged with user, timestamp, and action
  • Staff training on HIPAA policies and secure data handling

🔒 Encryption

  • All PHI encrypted at rest using AES-256, the gold standard for healthcare data
  • All data in transit protected with TLS 1.3
  • Sensitive patient fields (diagnoses, clinical notes, biometrics) use column-level encryption
  • Encryption keys managed via Google Cloud KMS with automatic rotation
  • Encrypted backups stored separately from production systems

🔑 Authentication & Access Control

  • Secure login via Firebase Authentication; no passwords are stored in our database
  • Role-based access control (RBAC): Admin, Practitioner, and Support Staff roles
  • Practitioners only see their own patients; no cross-practitioner data leakage
  • Clinic admins can review all access logs and active sessions
  • Automatic session timeouts and forced re-authentication for sensitive actions
โ˜๏ธ

Infrastructure

  • Hosted on Google Cloud Platform (GCP): healthcare-grade infrastructure
  • Isolated PostgreSQL database instances; your data is never co-mingled with other customers' data
  • Automated daily backups with 30-day point-in-time recovery
  • 99.9% uptime SLA on all paid plans with status page at status.mealcircle.co
  • Load balancing and auto-scaling prevent service degradation under load

🚨 Incident Response

  • Dedicated security monitoring with automated anomaly detection
  • 72-hour breach notification policy per HIPAA requirements
  • Documented incident response runbook reviewed quarterly
  • Annual third-party penetration testing
  • Vulnerability disclosure program: report issues to security@mealcircle.co

⚖️ Patient Data Rights

  • Patients can request a full export of their data at any time
  • Data deletion completed within 30 days of account closure
  • Clear data retention policies documented in our Privacy Policy
  • No PHI is ever sold, rented, or shared with third parties for marketing
  • De-identified aggregate analytics may be used to improve the platform

What this means for your practice

You don't need to become a HIPAA compliance expert. MealCircle is built so that using it correctly means being compliant. Your patient communication happens inside the platform. PHI stays encrypted. Every access is logged. Your BAA is signed on day one.

Do I need to sign a BAA?

Yes, and we make it easy. Practice and Clinic plan customers get a BAA that covers MealCircle's role as your Business Associate. Available in your account settings.

Is WhatsApp messaging compliant?

No. Consumer messaging apps aren't HIPAA compliant. MealCircle's in-app messaging is encrypted end-to-end and covered by your BAA.

What about my patients' privacy?

Patients control their own data. They can request exports or deletion at any time. Only you and your practice can access their PHI.

Security questions?

Our security team is available for questions about compliance, BAAs, penetration test results, or anything else your IT or legal team needs.

Email security@mealcircle.co