Security & Regulatory Compliance
This page provides an overview of our commitment to industry-leading security practices and our adherence to key regulatory frameworks.
1. Compliance Frameworks
1.1 Health Insurance Portability and Accountability Act (HIPAA)
- Scope: Protection of Protected Health Information (PHI)
- Key Requirements:
  - Privacy Rule: Controls over use and disclosure of PHI
  - Security Rule: Administrative, physical, and technical safeguards
  - Breach Notification Rule: Timely notification in the event of a PHI breach
- Our Practices:
  - Risk assessments & remediation plans
  - Encryption of PHI at rest (AES-256) and in transit (TLS 1.2+)
  - Role-based access controls (RBAC) & least-privilege
  - Regular security awareness training for all personnel
1.2 21 CFR Part 11 (Electronic Records & Signatures)
- Scope: U.S. FDA regulations governing electronic records and signatures for clinical trials and medical devices
- Key Requirements:
  - System Validation: Ensure accuracy, reliability, and consistent performance
  - Audit Trails: Secure, computer-generated, time-stamped logs
  - Electronic Signatures: Unique user IDs, signature manifestations, and controls to prevent repudiation
- Our Practices:
  - Fully versioned audit logs with immutable timestamps
  - Formal software validation lifecycle
  - Multi-factor authentication (MFA) for accessing infrastructure and controls
  - Documented change control and release management
2. Summary of Controls & Certifications
| Regulation / Standard | Certification / Status | Audit Frequency | Key Controls |
|---|---|---|---|
| HIPAA | Internal compliance program | Annual risk review | Encryption, RBAC, logging, training |
| 21 CFR Part 11 | Validated software processes | Annual re-validation | Audit trails, electronic signatures, system validation |
3. Continuous Improvement
- Regular Audits & Assessments: We engage third-party auditors and conduct internal reviews to validate our control environment.
- Security Roadmap: Ongoing enhancements to encryption standards, identity management, and threat detection.
- Training & Awareness: Quarterly security and compliance training for all employees.
4. Contact & Documentation
- Request Full Reports:
  - HIPAA Security Risk Assessment summary
  - 21 CFR Part 11 Risk Assessment summary
For any questions or requests for additional documentation, please reach out to Kerrick Cavanaugh (kerrick@neuropacs.com).
Last updated: June 23, 2025