Health-Grade Security You Can Trust

HITRUST, SOC 2, ISO 27001, plus HIPAA-aligned safeguards to protect PHI across real operational workflows. 

OVERVIEW

Security built for healthcare workflows, not just checklists

Providers adopt platforms, automation, AI, and outsourced services to increase throughput. Security only works when it is designed for how PHI actually moves across integrations, queues, portals, documents, and teams.

Unlike point solutions or outsourced delivery models that leave customers stitching together controls, Infinx provides a unified security posture across platform, integrations, and services, backed by audits and continuous security operations.

THE RISK

Why security gets missed when adopting new technology or outsourcing

New technology and outsourced execution can create hidden risk when controls are not verified and tied to the actual operating model.

Common failure points include:

  • Unclear data residency and cross-border handling, which slows procurement and can block deployment
  • Over-permissioned access for vendor teams or contractors
  • Portal credentials and attachments handled outside governed systems
  • Missing audit trails for who accessed PHI and what actions were taken
  • Vulnerabilities that persist because patching and monitoring are not operationalized
  • AI uncertainty, especially around training data, retention, and processing location

Infinx is designed to reduce these risks with validated controls, clear scoping, and continuous security operations aligned to your deployment model.

COMPLIANCE AND ASSURANCE

Independent validation for healthcare environments

Security reviews move faster when your team can anchor on recognized frameworks. Infinx maintains independent audits, certifications, and assessments that validate how security controls are designed and operated.

Recognized validations include:

  • HITRUST certification, aligned to the HITRUST CSF framework
  • SOC 2 report covering the Security Trust Services Category
  • ISO/IEC 27001 certification for our information security management system (ISMS)
  • HIPAA control design and implementation assessment performed by a third-party auditor

Security documentation is shared during the sales process as part of a qualified evaluation.

MANAGED SECURITY

Controls that stay current over time

Security posture is not static. Cloud providers change, new vulnerabilities emerge, and workflows evolve as you add locations, specialties, and automation.

Infinx supports ongoing security operations as part of Healthcare Revenue Cloud, including continuous monitoring, vulnerability management, and control upkeep that helps maintain audit readiness as your use of the platform expands.

What ongoing security operations include:

  • Continuous monitoring of the platform and its supporting infrastructure
  • Vulnerability management, so that newly disclosed issues are identified and patched
  • Control upkeep that helps maintain audit readiness as your use of the platform expands

HIPAA ALIGNMENT

Built to protect PHI in regulated workflows

Infinx operates as a Business Associate and is expected to comply with applicable HIPAA requirements related to the Security Rule, Breach Notification Rule, and Privacy Rule to protect PHI and ePHI.

HIPAA expectations we align to:

  • An independent auditor verified and tested the HIPAA controls designed and implemented at Infinx for the defined audit period
  • Results include applicable controls across Security, Breach, and Privacy domains

We tailor the discussion to your scope, including integrations, workflows, and data flows.

DATA RESIDENCY

Where PHI is stored and processed

Healthcare organizations need clarity on residency and cross-border handling. For scoped services, Infinx supports U.S.-based hosting for application environments, and we align access to what is minimally necessary to deliver the service. “Scoped” refers to the specific products, integrations, and operating model (platform-only vs platform + services) included in your engagement.

Residency and handling principles:

  • Data is processed and stored within the application environment hosted in the United States for the scoped service
  • Infinx will not store customer data outside of the US
  • Offshore Infinx staff may access data for permitted work, but do not store it outside of the US
  • AI processing is performed on U.S.-based servers

Your Infinx team will walk through the hosting model and data flow that applies to your specific solution scope.

ACCESS CONTROL

Strong authentication and least-privilege access

Access is one of the most common paths to risk. Infinx uses layered identity controls to reduce the likelihood of unauthorized access to systems and customer data.

Access protections:

  • Multi-factor authentication (MFA) across systems
  • MFA is supported and can be enforced; privileged/admin access requires MFA
  • Role-based access controls (RBAC), enforced with MFA and least-privilege principles

We align access controls to roles, responsibilities, and workflow needs, then audit access through logging and monitoring.

ENCRYPTION AND DATA PROTECTION

Protecting data in transit and at rest

Infinx applies encryption and operational controls to help protect confidentiality and reduce exposure across common threat paths.

Data safeguards:

  • TLS 1.2 and above over HTTPS for data in transit
  • AES-256 encryption for data at rest within product infrastructure
  • Policies and controls that prohibit local storage on laptops, thumb drives, or other portable media
  • Regular backups as part of comprehensive data protection

These safeguards help protect PHI while keeping operational throughput and day-to-day usability intact.

ONGOING SECURITY OPERATIONS

Monitoring, testing, and continuous upkeep

Security is ongoing. Infinx continuously reviews risk signals, tests controls, and addresses vulnerabilities to reduce the chance that issues persist undetected.

How we manage ongoing risk:

  • Proactive review of updates from external providers and risk assessors to identify and patch vulnerabilities
  • Periodic network and infrastructure testing to identify and resolve critical vulnerabilities
  • Regular application vulnerability scans using industry-standard tools and methodologies (requirements reflected in customer security terms)

This operational discipline helps shorten detection time and supports consistent remediation and audit readiness.

INCIDENT RESPONSE

Prepared to respond, resolve, and recover

Even with strong controls, risk can never be zero. Infinx maintains an incident management process designed to support rapid response and continuous posture review.

Response readiness includes:

  • A documented incident management process for response, resolution, and recovery
  • Continuous monitoring and periodic reviews of security posture
  • HIPAA breach notification expectations included in the HIPAA assessment context

We align incident communication and notification expectations to your vendor risk process and contract terms.

AI AND DATA USE

Customer PHI is not used for AI model training

When AI is involved, buyers want a direct answer on training data. For relevant solutions, Infinx does not use customer-provided PHI for model training, and relies on synthetic and sample documents for testing and prompt tuning.

AI data boundaries:

  • Customer PHI is not used for AI model training
  • Testing uses synthetic and sample documents, not customer faxes
  • Retention is tied to operational needs and contractual scope
  • AI processing location is confirmed during solution scoping

For your implementation, we clarify what AI features are in scope, where processing occurs, and what is retained operationally.

RELIABILITY AND CONTINUITY

Designed to keep workflows running

Healthcare operations need predictable service and a plan for downtime. Infinx supports defined uptime expectations and operational continuity processes for covered services.

Continuity measures:

  • 99% uptime SLA for the platform in scope
  • During downtime, data is securely queued until service resumes, helping prevent data loss
  • Post-incident RCA reporting with corrective actions

We review continuity requirements during scoping, based on workflow criticality and your internal SLAs.

INFRASTRUCTURE AND SUBSERVICE PROVIDERS

Cloud infrastructure with monitored subservice controls

Infinx leverages major cloud platforms and monitors relevant subservice assurance as part of the broader control environment.

Infrastructure assurances:

  • AWS is used for hosting product infrastructure
  • Microsoft Azure is used for hosting IT infrastructure
  • Subservice compliance is monitored through annual SOC assessment reports or ISO 27001 certifications for AWS and Azure

This helps maintain alignment between Infinx controls and the controls operated by critical infrastructure providers.

GLOBAL DELIVERY MODEL

Onshore and offshore operations, governed by controls

Infinx operates globally, and security governance is applied across locations and functions included in assurance scope. The HIPAA assessment scope includes locations in the US, India, and the Philippines.

How delivery is governed:

  • HIPAA assessment scope includes locations across India, plus Houston and California in the US, and Manila in the Philippines
  • For scoped services, offshore staff may access data for permitted work, but do not store it outside of the US
  • Access is restricted to authorized personnel and controlled through RBAC, MFA, and activity monitoring
  • Onshore-only delivery can be scoped for select workflows, based on your policy requirements and the services in scope

We work with your team to align delivery model requirements to policy, workflow, and contractual constraints, and to confirm whether onshore-only staffing is needed for your evaluation.

HOW SECURITY REVIEW WORKS

Built for procurement and vendor risk teams

Security reviews are most productive when scoped to your deployment, integrations, and operating model. We support structured security questionnaires and walk through controls that apply to your use case.

How we keep reviews efficient:

  • We align on scope early: platform-only vs platform plus services
  • We map residency, encryption, access controls, and monitoring to your workflow
  • We review the relevant assurance artifacts with your team during the sales process
  • We confirm customer responsibilities and complementary controls as part of implementation planning

This approach keeps reviews efficient and ensures the answers match what is actually in scope for your evaluation.

FAQ

Quick answers for common security questions

Below are high-level answers. For a full review, schedule a security conversation.

Yes. Infinx maintains independent assurance, including HITRUST certification, SOC 2 Type II reporting, and ISO 27001 certification. We also complete HIPAA-aligned assessments.

Infinx operates as a Business Associate for covered workflows and supports a Business Associate Agreement as part of contracting.

For scoped services, PHI is processed and stored in the United States within the application environment, and is not stored outside the US.

Yes, Infinx operates with teams onshore and offshore, governed by security controls. Onshore-only delivery can be scoped for select workflows based on your policy requirements and services in scope.

Yes. Infinx uses TLS (HTTPS) for data in transit and AES-256 encryption for data at rest for scoped services.

Access is restricted to authorized personnel and controlled through role-based access, multi-factor authentication, and activity monitoring.

Infinx uses monitoring and security operations practices including vulnerability scanning, third-party testing, and patching processes to identify and remediate issues.

Yes. Third-party vulnerability assessments and penetration testing are performed, and remediation is tracked to closure.

Infinx maintains a documented incident management process for response, resolution, and recovery. Notification and communication follow contractual obligations, including BAA terms when applicable.

No. For AI-enabled workflows, customer PHI is not used for AI model training. Data retention is contract-based and aligned to the operational workflow.

Talk through your security requirements

If you are evaluating Infinx, we can walk through the controls that apply to your scope, confirm residency and access requirements, and align on the documentation your team needs during procurement. If you are already working with an Infinx representative, reach out to them directly to coordinate the review.