Compliance.
IntakeBella is built for healthcare. Every layer of the platform — from infrastructure to AI processing — is designed to protect patient data and satisfy compliance requirements.
HIPAA Compliant
IntakeBella is fully compliant with the Health Insurance Portability and Accountability Act. All protected health information (PHI) is handled in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
SOC 2 Type II
Our infrastructure and operations meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy as defined by the AICPA.
AES-256 Encryption at Rest
All stored documents, extracted text, structured data, and patient information are encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.
TLS 1.3 Encryption in Transit
Every connection to IntakeBella — API calls, dashboard sessions, webhook deliveries, and data transmissions — is secured with TLS 1.3. No data travels unencrypted.
Role-Based Access Control (RBAC)
Access to patient data and system functions is controlled through role-based permissions: Owner, Admin, Member, and Viewer. Each role has clearly defined capabilities, and access can be revoked instantly.
HIPAA Audit Logging
Every action in IntakeBella is logged: views, downloads, routing decisions, setting changes, login events, and API calls. Audit logs are immutable, timestamped, and retained for the full data retention period.
10-Year Data Retention
Documents are retained for 10 years after the last customer activity, meeting or exceeding HIPAA retention requirements. Data is only purged 10 years after explicit deletion or account inactivity.
99.9% Uptime SLA
Enterprise customers receive a 99.9% uptime service level agreement. Our infrastructure runs on redundant, geographically distributed systems with automatic failover.
24/7 Incident Response
Our incident response team monitors system health continuously. In the event of a security incident, our breach notification process activates immediately per HIPAA requirements.
PHI Auto-Detection
Every incoming intake is automatically scanned for protected health information. PHI is tagged, classified by HIPAA category (clinical, billing, administrative), and restricted by access level before any human views it.
Isolated Data Architecture
Each customer's data is logically isolated. No cross-tenant data access is possible. API keys, session tokens, and webhook secrets are unique per organization.
Business Associate Agreement
IntakeBella provides a signed BAA to every customer. Our BAA covers all data processing, storage, and transmission activities performed by the platform.
Ready to sign your BAA?
Every IntakeBella customer receives a Business Associate Agreement. Review and sign electronically.
Questions about our compliance program? Contact us at support@intakebella.com