How Rooted Health encrypts PHI in transit, at rest, on endpoints, and in messaging — and the cryptographic standards we require of vendors.
Currently in effect: v3.0
Effective 2026-05-13 — Added explicit TLS 1.2 minimum and HSTS preload requirement.
Current policy (v3.0)
All connections to the patient portal, intake, telehealth, and internal admin tools must use TLS 1.2 or higher. HSTS is enforced on rootedhealthmember.com with a 12-month max-age and preload.
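The two requirements above (TLS 1.2 minimum, HSTS with a 12-month max-age and preload) are checkable against what a server actually sends. The following is an added example, not Rooted Health's own tooling: it parses a Strict-Transport-Security header value per RFC 6797 and reports each way it falls short of the policy, and builds a client TLS context that refuses anything below TLS 1.2. One caveat worth knowing when reading the policy: the HSTS preload list's submission rules also require the includeSubDomains directive, which the policy text does not mention, so the check treats it as required. The sample headers in the block are constructed for illustration.

```python
"""Check HSTS headers and a client TLS floor against the stated policy.

Added example, not the operator's own code. Policy values (TLS 1.2 floor,
12-month HSTS max-age, preload) are taken from the policy text; the
includeSubDomains requirement comes from the HSTS preload list rules.
"""
import ssl
from typing import Dict, List, Optional

# 12 months in seconds; this is also the preload list's minimum max-age.
POLICY_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into {directive-name: value-or-None}.

    Per RFC 6797, directive names are case-insensitive and a directive
    may appear at most once; values may be quoted strings.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header: Optional[str]) -> List[str]:
    """Return policy violations for a header value; [] means compliant."""
    if not header:
        return ["Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]

    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < POLICY_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below 12 months ({POLICY_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def policy_client_context() -> ssl.SSLContext:
    """Client context that refuses any protocol version below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample header values, one per case a reviewer would hit.
SAMPLE_HEADERS = {
    "compliant": "max-age=31536000; includeSubDomains; preload",
    "too-short": "max-age=86400; includeSubDomains; preload",
    "no-preload": "max-age=31536000",
    "missing": None,
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples."""
    return {name: check_hsts(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print("client TLS floor:", policy_client_context().minimum_version.name)
```

To run this against a live host, send an HTTPS request with a client built from `policy_client_context()` and pass the response's Strict-Transport-Security value to `check_hsts`; a handshake failure against the context means the server still offers nothing at or above TLS 1.2, which is a separate finding from a weak header.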
Databases, file storage, and backups containing PHI are encrypted at rest using AES-256. Encryption keys are managed by our HIPAA-eligible cloud provider and rotated on a documented schedule.
Workforce devices used to access PHI require full-disk encryption, automatic screen lock, and remote-wipe capability. Email containing PHI is sent through a HIPAA-eligible encrypted channel under a Business Associate Agreement.
Change history
Each revision is preserved for transparency. Older versions describe the practices in place at the time they were effective.
- v3.0 (current)
Added explicit TLS 1.2 minimum and HSTS preload requirement.
- Set TLS 1.2 as the minimum for all public endpoints (was 'modern TLS').
- Required HSTS with preload for rootedhealthmember.com.
- Documented AES-256 at rest for backups in addition to primary databases.
- v2.0
Required full-disk encryption on all clinician laptops and phones.
- Mandated FileVault / BitLocker on all clinician devices.
- Required mobile device management (MDM) enrollment for any device touching PHI.
- v1.0
Initial published policy.
Questions about this policy? Contact privacy@rootedhealthmember.com or use our security contact page.