Security is infrastructure, not a checkbox.
Business-associate obligations and safeguards are table stakes. We only claim certifications we actually hold. This page describes how the system handles PHI, who can access what, and how the discipline is enforced in practice — not in a slide deck.
Business-associate agreements on file with covered entities.
Bitewing operates under BAAs with the dental service organizations (DSOs) we serve. Our obligations under HIPAA / HITECH are explicit and enforceable — not implied, not hand-wavy. BAAs are signed before any ingestion begins.
- →Written BAAs with covered entities before any PHI touches our systems.
- →Scoped to the minimum data required for variance detection, consistent with the HIPAA minimum-necessary standard.
- →Breach-notification obligations spelled out in contract.
Least-privilege. Read-only by default.
We start read-only on EOBs, remits, and fee schedules. Engineers do not browse customer data on a whim. Access is scoped, logged, and reviewed — the audit trail is part of the product.
- →Role-based access controls; engineering access is break-glass only, and every break-glass use is logged and reviewed.
- →Per-customer data segregation; no co-mingling between tenants.
- →Every access event logged, timestamped, and attributable to a human.
PHI stays inside its tenant.
Protected health information does not leave the customer tenant except as needed for Bitewing to perform the contracted service. No cross-customer model training on PHI. No pooled datasets with third parties.
- →Per-tenant storage; isolated encryption keys where the platform supports it.
- →De-identification applied before any cross-customer pattern learning.
- →Subprocessor list available on request.
Encrypted at rest and in transit.
Standard controls, actually enforced: AES-256 at rest, TLS in transit, key rotation, principle of least privilege, MFA on all administrative surfaces.
- →AES-256 at rest. TLS 1.2+ in transit. Key rotation per policy.
- →Administrative surfaces behind SSO with MFA required.
- →Backups encrypted; retention aligned to BAA.
"We're HIPAA compliant, trust us" is not an answer.
HIPAA is a baseline, and there is no official HIPAA certification to earn; compliance is continuous, not a badge you flash on a slide. We describe the specific controls we operate, we give you the BAA, and we answer security questionnaires honestly — including where we are early and where we are still building. That is the only posture a buyer should accept.
Where PHI lives, what we read, what we never take.
PHI stays inside your tenant boundary. Bitewing performs variance detection against read-only copies of the EOBs, remits, and fee schedules required to do the contracted work — nothing broader. Nothing is pooled or trained across customers or shared with third parties.
- →EOBs, remits, fee schedules
- →Patient, provider, date-of-service
- →Encrypted at rest · per-tenant keys where the platform supports it
out of Bitewing
- →Per-tenant segregation · no co-mingling
- →De-identified before any cross-customer learning
- →Every access event logged and attributable to a human
Two ways to get the security package.
Our security posture, controls, subprocessor list, and incident-response plan are available under NDA. Request the questionnaire directly, or book a walkthrough and we'll send it before the call.