Compliance, in the open.
Healthcare technology requires real compliance investment. We document our program publicly so reviewers, partners, and customers can verify it without filing a ticket.
Vendor trust portal
Security questionnaires, policies, and compliance documentation for reviewers, partners, and customers.
HIPAA program
Hybrid Covered Entity / Business Associate. Documented policies, training, audit procedures, and breach response.
View HIPAA program →
Security program
Encryption, identity, access controls, monitoring, incident response. Detailed program documentation.
View security program →
Notice of Privacy Practices
HIPAA-required patient-facing notice published for Payor Systems, the family's Covered Entity function.
View notice →
Where the program stands today.
A high-level look at the foundation. The dedicated topic pages go deeper on each.
HIPAA structure
Payor Systems is a Covered Entity. AmbiScript, SmartyRx, and Noventa operate as Business Associates.
BAA
Business Associate Agreements available for partners and customers handling PHI.
Cloud
Single tenant. US regions only. 100% Microsoft stack across the family of companies.
Identity
MFA enforced. Role-based access control. No shared accounts. SSO across all systems.
Encryption
AES-256-GCM at rest, TLS 1.2+ in transit. Key management via Azure Key Vault.
Breach response
BA breach notification to Covered Entity within 60 days per HIPAA requirements.