Security & Compliance

HIPAA-compliant data protection and healthcare interoperability

---

HIPAA Compliance

Turtle RCM is designed from the ground up to meet HIPAA (Health Insurance Portability and Accountability Act) requirements for protecting patient health information.

Core Security Principles

🔒 One Database Per Clinic

Complete data isolation is achieved through separate databases:

• Each clinic has its own dedicated database instance
• No shared data between clinics
• Impossible for API spoofing to access another clinic's data
• Database-level security (not just application-level)

Technical Implementation:

• User authentication maps to correct clinic database
• Frontend never knows or controls which database to access
• Backend automatically routes based on JWT token claims
• Each database can be backed up/restored independently

HIPAA Security Rule Compliance

Administrative Safeguards:

• ✅ Role-based access control (RBAC)
• ✅ Unique user identification (username + password)
• ✅ Automatic log-off after inactivity
• ✅ Emergency access procedures (admin override)
• ✅ Audit controls and monitoring

Physical Safeguards:

• ✅ Encrypted data at rest
• ✅ Encrypted data in transit
• ✅ Secure data center facilities
• ✅ Workstation security guidelines
• ✅ Device and media controls

Technical Safeguards:

• ✅ Access control (authentication & authorization)
• ✅ Audit logs (all data access recorded)
• ✅ Integrity controls (validation and verification)
• ✅ Transmission security (HTTPS)
• ✅ Strong encryption mechanisms

---

Authentication & Access Control

Secure Authentication

Turtle RCM uses industry-standard authentication with secure tokens:

How It Works:

1. User logs in with username/password
2. Password verified using industry-standard secure hashing
3. Server generates secure authentication token
4. Frontend stores token securely
5. All API requests include token for verification

Security Features:

• Short-lived tokens: Access tokens expire after 1 hour
• Refresh tokens: Automatic renewal without re-login (7 days)
• Tamper-proof: Cryptographically signed to prevent modification
• Clinic isolation: System automatically routes to correct clinic database

Account Protection

Failed Login Protection:

• 5 failed attempts → 15-minute account lockout
• Automatic lockout reset on successful login
• Failed attempts tracked in central registry
• Admin notification on repeated lockouts

Password Requirements:

• Minimum 8 characters
• Industry-standard secure hashing with automatic salts
• Never stored or transmitted in plain text
• Password change requires old password verification

Role-Based Access Control (RBAC)

Three user roles with different permissions:

Role	Permissions
Admin	Full access: user management, system config, all clinical/billing features
Doctor	Clinical access: patients, sessions, documentation, coding (read-only)
Biller	Billing access: claims, coding, reports, limited patient info

Access Enforcement:

• Checked at API level (not just UI)
• JWT token contains user role
• Unauthorized requests return 403 Forbidden
• Audit log records access denials

---

Data Protection

Encryption

Data at Rest:

• Database: Industry-standard encryption
• File storage: Encrypted
• Backup archives: Encrypted before storage
• Key management: Secure key management system

Data in Transit:

• HTTPS only with modern encryption protocols
• Certificate from trusted certificate authority
• Perfect forward secrecy enabled
• Strict transport security enforced

Data Backup & Recovery

Backup Strategy:

• Frequency: Daily incremental, weekly full
• Retention: 30 days rolling, 1 year annual
• Location: Off-site in separate GCP region
• Encryption: All backups encrypted at rest
• Testing: Monthly restore validation

Disaster Recovery:

• RTO (Recovery Time Objective): < 4 hours
• RPO (Recovery Point Objective): < 24 hours
• Failover: Automatic to backup region
• Data integrity: Checksums verified on restore

---

Data Safe Harbor

🛡️ HIPAA Safe Harbor De-Identification

Our Data Safe Harbor module ensures AI training data is properly de-identified according to HIPAA Safe Harbor method (§164.514(b)(2)).

Removes all 18 HIPAA Identifiers:

1. Names (patient, relatives, employers)
2. Geographic subdivisions smaller than state
3. All elements of dates (except year) related to an individual
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers (fingerprints, voiceprints)
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code

De-Identification Process

Step 1: Data Extraction

• Raw clinical data collected from production database
• Only necessary fields extracted
• Extraction logged and monitored

Step 2: Identifier Removal

• Automated scrubbing of all 18 HIPAA identifiers
• Name Entity Recognition (NER) for free-text fields
• Date shifting (preserving intervals, removing absolutes)
• Geographic truncation (state-level only)

Step 3: Tokenization

• Names replaced with random tokens (e.g., "Patient_A7F3")
• Locations replaced with random state codes
• Tokens are one-way (cannot reverse to original)
• No key exists to re-identify data

Step 4: Aggregation

• Data combined across multiple clinics (minimum 5)
• Small cell sizes suppressed (< 10 patients)
• Statistical disclosure control applied

Step 5: Isolation

• De-identified data stored in separate database
• No network connection to production databases
• Access restricted to ML training processes only
• All access logged to GCP audit trail

Safe Harbor Guarantees

• ✅ Cannot re-identify: No keys or mappings exist
• ✅ Isolated storage: Separate from production data
• ✅ Audit trail: All access logged
• ✅ No 3rd party access: De-identification happens in-house
• ✅ Compliant: Meets HIPAA Safe Harbor requirements

---

42 CFR Part 2 Compliance

For substance use disorder (SUD) treatment records, Turtle RCM implements stricter protections required by 42 CFR Part 2:

Enhanced Protections

Consent Management:

• SUD records flagged automatically
• Explicit consent required for disclosure
• Consent forms tracked and stored
• Consent can be revoked at any time

Access Controls:

• SUD flag limits data visibility
• Requires specific permission to view
• Cannot be included in general releases
• Separate audit log for SUD access

Disclosure Rules:

• Patient consent required for each disclosure
• Cannot be disclosed pursuant to court order (except specific circumstances)
• No general consent for "treatment, payment, operations"
• Requires specific written consent

Implementation

When a patient record is marked as SUD treatment:

1. System automatically applies 42 CFR Part 2 flag
2. Additional consent forms presented
3. Access restricted even within clinic
4. Separate audit trail maintained
5. Automatic expiration of consent (per patient specification)

⚠️ Important: 42 CFR Part 2

If your clinic treats substance use disorders, ensure all staff are trained on 42 CFR Part 2 requirements. These protections are stricter than HIPAA and violations carry federal criminal penalties.

Consult with legal counsel for compliance guidance.

---

FHIR & Healthcare Interoperability

🏥 HL7 FHIR R4 Compliance

Turtle RCM implements the HL7 FHIR R4 (Fast Healthcare Interoperability Resources) standard for exchanging healthcare data electronically.

Supported FHIR Resources:

• Patient - Demographics and identifiers
• Practitioner - Provider information
• Organization - Clinic and payer details
• Coverage - Insurance information
• ServiceRequest - Planned/requested services
• Condition - Diagnoses (ICD-10)
• Claim - Insurance claims (CMS-1500)
• ClaimResponse - Prior authorization results
• DocumentReference - Clinical notes and assessments

Da Vinci Implementation Guides

Turtle RCM follows the Da Vinci Project implementation guides for burden reduction:

1. Coverage Requirements Discovery (CRD)

• Purpose: Automatically determine if prior authorization is needed
• How: Queries payer systems when appointment is scheduled
• Benefit: Prevents claim denials for missing auth

2. Documentation Templates & Rules (DTR)

• Purpose: Pre-fills prior auth forms with clinical data
• How: Maps patient/session data to payer questionnaires
• Benefit: Reduces manual data entry, fewer errors

3. Prior Authorization Support (PAS)

• Purpose: Submits prior auth requests electronically
• How: Creates FHIR Claim resource and sends to payer API
• Benefit: Faster processing, real-time status updates

FHIR Security

Authentication:

• Industry-standard secure authentication
• Secure token exchange with payer systems
• Scoped access based on need-to-know

Authorization:

• Access controls limit data sharing
• Payer-specific permissions enforced
• Audit logging of all FHIR transactions

Data Exchange:

• Encrypted transmission
• Data integrity verification
• Validation against FHIR standards
• Error handling and logging

---

Audit Logging

📋 Comprehensive Audit Trail

All user actions involving patient data are logged for HIPAA compliance and security monitoring.

Logged Actions:

• User authentication (login, logout, failed attempts)
• Patient data access (view, create, edit, delete)
• Clinical documentation access
• Claim submission and modification
• Safe Harbor data access (AI training)
• User management actions (by admins)
• System configuration changes

Audit Log Contents

Each log entry contains:

• Timestamp: Exact date/time of action
• User: Who performed the action
• Clinic: Which clinic database (for multi-clinic support)
• Action: What was done (view, edit, delete, etc.)
• Resource: What data was accessed (patient ID, claim ID, etc.)
• IP Address: Source of the request
• Result: Success or failure
• Details: Additional context (e.g., error messages)

Log Retention

• Duration: 6 years (HIPAA requirement)
• Storage: Secure cloud logging system
• Access: Admin-only, read-only
• Export: CSV/JSON format available
• Integrity: Tamper-proof with cryptographic verification

Phase 2: Advanced Analytics

Future capabilities:

• Anomaly detection: Unusual access patterns
• Compliance reports: Who accessed what, when
• Performance metrics: System usage statistics
• Alerting: Automated notifications for security events

---

Incident Response

Security Incident Procedures

If a security incident is suspected:

1. Immediate Actions:

• Report to clinic administrator immediately
• Do not attempt to investigate yourself
• Preserve evidence (don't delete logs, emails, etc.)
• Document what you observed

2. Administrator Actions:

• Contact Turtle RCM support immediately
• Change affected user passwords
• Review audit logs for unauthorized access
• Notify affected patients if required (HIPAA Breach Notification)

3. Required Notifications:

• < 500 patients affected: Notify within 60 days
• ≥ 500 patients affected: Notify HHS and media within 60 days
• Ongoing incidents: Notify as soon as incident is discovered

Breach Notification

HIPAA requires notification if:

• Unauthorized access to PHI
• PHI disclosed without authorization
• PHI lost or stolen
• PHI improperly disposed

Exceptions (no notification required):

• Unintentional access by workforce member
• Inadvertent disclosure within organization
• Good faith belief that unauthorized person could not have retained the information

---

Security Best Practices for Users

Protect Your Account

• ✅ Use a strong, unique password
• ✅ Never share your password
• ✅ Log out when leaving workstation
• ✅ Enable automatic screen lock
• ✅ Report suspicious activity immediately

Protect Patient Data

• ✅ Only access data you need for your job
• ✅ Don't discuss patients in public areas
• ✅ Don't email PHI without encryption
• ✅ Verify patient identity before disclosing information
• ✅ Shred printed records when no longer needed

Workstation Security

• ✅ Keep software updated
• ✅ Use antivirus software
• ✅ Don't install unauthorized software
• ✅ Don't use personal devices for patient data
• ✅ Report lost/stolen devices immediately

---

Compliance Certifications & Audits

Current Status

Phase 1 (Current):

• ✅ HIPAA Security Rule implementation
• ✅ HIPAA Privacy Rule implementation
• ✅ FHIR R4 conformance
• ✅ Da Vinci IG compliance

Phase 2 (Planned):

• 🔜 Third-party security audit
• 🔜 HITRUST CSF certification
• 🔜 SOC 2 Type II audit
• 🔜 Penetration testing

External Security Audit

Before full production release, Turtle RCM will undergo:

• Independent security assessment by healthcare security expert
• Penetration testing by certified ethical hackers
• HIPAA compliance review by privacy attorney
• Remediation of any findings

---

Questions & Support

Common Security Questions

Q: How is my password stored?
A: Passwords are securely hashed using industry-standard cryptographic methods with automatic salts. We cannot see your password.

Q: Can Turtle RCM staff access my clinic's data?
A: No. Each clinic's database is isolated and requires separate authentication. Turtle RCM support cannot access production data without explicit authorization and audit trail.

Q: What happens if I forget my password?
A: Contact your clinic administrator to reset it. (Phase 2 will add self-service password reset via email.)

Q: How do I report a security concern?
A: Contact your clinic administrator immediately, or email security@turtlercm.com (monitored 24/7).

Q: Is Turtle RCM HIPAA certified?
A: There is no official "HIPAA certification." Turtle RCM implements HIPAA Security and Privacy Rules as required by law.

---

💡 Need Help?

For questions, support, or feedback:
💬 Join our Discord community (primary forum): discord.gg/SwE7zq8fbF
🐙 GitHub: @ab1nash
💡 Submit feedback through the platform's feedback button

---

⚠️ Security is Everyone's Responsibility

HIPAA compliance requires participation from all users. Follow security best practices, report concerns promptly, and protect patient privacy in everything you do.

When in doubt, ask! Contact your administrator with any security questions.

---

Last updated: November 2025 | Security Policy Version 1.0