Clinical-grade security, from day one.
HIPAA compliance isn't a checkbox we added later. It's baked into every layer — from database encryption to access control to audit logging.
Security at every layer.
HIPAA compliance
- Comprehensive HIPAA compliance program maintained across all systems
- Business Associate Agreements (BAAs) available on Practice plans, included on Clinic plans
- Regular security risk assessments and internal audits
- PHI access audit trail — every access to patient data is logged with user, timestamp, and action
- Staff training on HIPAA policies and secure data handling
Encryption
- All PHI encrypted at rest using AES-256 — the gold standard for healthcare data
- All data in transit protected with TLS 1.3
- Sensitive patient fields (diagnoses, clinical notes, biometrics) use column-level encryption
- Encryption keys managed via Google Cloud KMS with automatic rotation
- Encrypted backups stored separately from production systems
Authentication & access control
- Secure login via Firebase Authentication — no passwords stored in our database
- Role-based access control (RBAC) across provider, admin and support roles
- Providers only see their assigned patients — no cross-provider data leakage
- Clinic admins can review access logs and active sessions
- Automatic session timeouts and re-authentication for sensitive actions
Infrastructure
- Hosted on Google Cloud Platform (GCP) — healthcare-grade infrastructure
- Isolated PostgreSQL database instances — your data never co-mingles
- Automated daily backups with 30-day point-in-time recovery
- 99.9% uptime SLA on all paid plans
- Load balancing and auto-scaling prevent service degradation under load
Incident response
- Dedicated security monitoring with automated anomaly detection
- 72-hour breach notification policy per HIPAA requirements
- Documented incident response runbook reviewed quarterly
- Annual third-party penetration testing
- Vulnerability disclosure program — report issues to security@mealcircle.co
Patient data rights
- Patients can request a full export of their data at any time
- Data deletion completed within 30 days of account closure
- Clear data retention policies documented in our Privacy Policy
- No PHI is ever sold, rented, or shared with third parties for marketing
- De-identified aggregate analytics may be used to improve the platform
Using it correctly means being compliant.
You don't need to become a HIPAA expert. Patient communication happens inside the platform, PHI stays encrypted, every access is logged, and your BAA is signed on day one.
Do I need to sign a BAA?
Yes — and we make it easy. Practice and Clinic plan customers get a BAA that covers MealCircle’s role as your Business Associate, available in your account settings.
Is consumer messaging compliant?
No — consumer messaging apps aren’t HIPAA compliant. MealCircle’s in-app messaging is encrypted and covered by your BAA.
What about my patients’ privacy?
Patients control their own data. They can request exports or deletion at any time. Only you and your practice can access their PHI.
Security questions?
Our team can help with compliance, BAAs, penetration-test results, or anything your IT or legal team needs.