Security & Patient Data Protection

Last updated: May 13, 2026

Protecting your health information is foundational to the care we provide. This page summarizes the administrative, technical, and physical safeguards Rooted Health uses to keep your protected health information (PHI) confidential, and explains how you can exercise your rights to access or amend your record.

Encryption

Versioned policy: Encryption Standards (v3.0, with change history)

  • In transit. All connections to our patient portal, intake forms, telehealth visits, and internal systems use TLS 1.2 or higher. Public traffic is served over HTTPS with HSTS enforced.
  • At rest. Databases, file storage, and backups containing PHI are encrypted at rest using AES-256. Encryption keys are managed by our cloud provider and rotated on a documented schedule.
  • Endpoints. Clinician laptops and mobile devices used to access PHI require full-disk encryption, automatic screen lock, and remote-wipe capability.
  • Email & messaging. Patient messaging occurs inside the secure portal. When email is used for PHI, it is sent through a HIPAA-eligible, encrypted channel under a Business Associate Agreement (BAA).

Access controls

Versioned policy: Access Controls & Authentication (v2.1, with change history)

  • Least privilege. Workforce members are granted the minimum access required for their role. Access is reviewed at onboarding, role change, and at least annually.
  • Authentication. All staff accounts require strong passwords and multi-factor authentication (MFA). Patient accounts support strong passwords, optional MFA, and session timeouts.
  • Role-based permissions. Clinical, billing, and administrative functions are separated. Vendors with PHI access operate under a signed BAA.
  • Termination. Access is revoked the same business day a workforce member departs or changes roles.
  • Network & device hygiene. Production systems sit behind firewalls with restricted inbound access. Anti-malware, automatic patching, and centralized logging are enforced on managed devices.

Audit logs & monitoring

Versioned policy: Audit Logging & Monitoring (v1.2, with change history)

  • Access auditing. Our electronic health record and portal log every view, create, update, export, and login event tied to a user identity and timestamp.
  • Retention. Audit logs are retained for at least six (6) years consistent with HIPAA §164.316(b)(2) and reviewed routinely for anomalous activity.
  • Incident response. Suspicious access triggers investigation by our Privacy & Security Officer. Confirmed breaches of unsecured PHI are reported to affected individuals, HHS Office for Civil Rights, and (where required) the media within the timeframes required by the HIPAA Breach Notification Rule.
  • Vulnerability management. We perform regular vulnerability scanning, dependency monitoring, and periodic risk analyses under HIPAA §164.308(a)(1)(ii)(A).

Workforce training & vendor oversight

Versioned policy: Vendor Oversight & BAAs (v2.0, with change history)

  • All workforce members complete HIPAA privacy and security training at hire and annually thereafter.
  • Subprocessors that touch PHI (EHR, hosting, payments, telehealth, e-prescribing, lab interfaces) sign a Business Associate Agreement before any data is shared.
  • We maintain written policies for sanctions, contingency planning, data backup, and disaster recovery.

Requesting access to your PHI

Under HIPAA §164.524 you have the right to inspect and obtain a copy of your designated record set, including most clinical, billing, and lab records we maintain.

  • How to request. Send a written request to privacy@rootedhealthmember.com or through the secure message function in your patient portal. Include your full name, date of birth, the records you want, the format you prefer (electronic or paper), and the delivery method (portal download, encrypted email, or mail).
  • Timing. We will act on your request within 30 calendar days. If we need more time, we will notify you in writing and complete the request within an additional 30 days.
  • Format. Records are provided in your requested electronic format when readily producible; otherwise in a mutually agreed format.
  • Fees. We may charge a reasonable, cost-based fee for copies, postage, and any requested summary, consistent with HIPAA and Arkansas law. Electronic copies delivered through the portal are typically provided at no charge.
  • Identity verification. We will verify your identity (and, for personal representatives, legal authority) before releasing records.

Requesting an amendment to your PHI

Under HIPAA §164.526 you may request that we amend information in your record that you believe is inaccurate or incomplete.

  • How to request. Submit a written amendment request to privacy@rootedhealthmember.com identifying the specific information you believe is incorrect and the reason supporting the change.
  • Response. We will respond within 60 days. If we need more time, we may extend once by 30 days with written notice.
  • If approved. We will amend the record, notify you, and make reasonable efforts to inform others you identify who need the corrected information.
  • If denied. We will provide a written denial explaining the reason, your right to submit a written statement of disagreement, and your right to file a complaint. Your statement of disagreement (and any rebuttal) becomes part of your record.

Other rights

You may also request restrictions on certain uses or disclosures, confidential communications, an accounting of disclosures, and breach notifications. See our HIPAA Notice of Privacy Practices for the full description of your rights.

Security FAQ

Is my health information encrypted?

Yes. All traffic between your browser and our portal uses TLS 1.2 or higher with HSTS enforced, and every database, file, and backup containing PHI is encrypted at rest with AES-256. Encryption keys are managed by our HIPAA-eligible cloud provider and rotated on a documented schedule.

Where is my data stored, and does it ever leave the United States?

Patient data and backups are stored in U.S.-region data centers operated by HIPAA-eligible cloud infrastructure providers under a signed Business Associate Agreement (BAA). We do not route PHI through non-U.S. regions for routine processing.

Who at Rooted Health can see my chart?

Only workforce members with a clinical, billing, or administrative reason to access your record can do so, on a least-privilege basis. Roles for clinical, billing, and administrative access are separated, reviewed at onboarding, role change, and at least annually, and revoked the same business day someone leaves or changes roles.

How do you log and review who accessed my record?

Every view, create, update, export, and login event in our EHR and patient portal is tied to a specific user identity and timestamp. Logs are retained for at least six (6) years per HIPAA §164.316(b)(2) and are reviewed routinely for anomalous activity. You can request an accounting of disclosures at any time.

Do staff and patient accounts require multi-factor authentication (MFA)?

All staff accounts require MFA. Patient accounts support MFA — we strongly recommend turning it on from the Privacy & security section of your portal. All accounts use strong password requirements and automatic session timeouts.

What happens if a staff laptop or phone is lost or stolen?

Devices used to access PHI must run full-disk encryption, automatic screen lock, and remote-wipe tooling. Workforce members are required to report lost or stolen devices immediately, and our Privacy & Security Officer initiates remote wipe and access revocation as part of incident response.

Which vendors have access to my data, and do they sign BAAs?

Any subprocessor that touches PHI — our EHR, hosting and database provider, payment processor, telehealth platform, e-prescribing, lab interfaces, and secure messaging — signs a Business Associate Agreement before any data is shared. Marketing and analytics tools that could touch PHI are either configured to exclude PHI or are not used. A current list of categories of business associates is available on request to privacy@rootedhealthmember.com.

How is payment information handled?

Card data is collected and stored by our PCI-DSS-compliant payment processor (Stripe) — Rooted Health servers never see or store full card numbers. The processor operates under a BAA and uses tokenization so we can charge your saved payment method without handling the underlying card details.

Do you sell my data or use it to train AI models?

No. We do not sell PHI, and we do not allow vendors to use PHI to train general-purpose AI models. Where AI features are used internally (for example, document summarization or coding assistance), they run through HIPAA-eligible providers under a BAA, with prompts and outputs subject to the same access controls and audit logging as the rest of your record.

How do you test for vulnerabilities?

We run regular vulnerability scanning, automated dependency monitoring, and periodic risk analyses under HIPAA §164.308(a)(1)(ii)(A). Independent researchers are welcome to submit findings — see our security contact page for responsible-disclosure guidelines and response-time SLAs.

What if you experience a data breach?

Confirmed breaches of unsecured PHI are investigated by our Privacy & Security Officer and reported to affected individuals, HHS Office for Civil Rights, and (where required) the media within the timeframes required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

How do I report a concern or suspected vulnerability?

Email security@rootedhealthmember.com or use the security contact page, which lists every channel, what to include, and the exact response-time targets you can expect from us.

Filing a complaint

If you believe your privacy or security rights have been violated, contact our Privacy & Security Officer at privacy@rootedhealthmember.com or use our dedicated security contact page for vulnerability reports and response-time SLAs. You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights, 200 Independence Ave SW, Washington, DC 20201, 1-877-696-6775, hhs.gov/ocr. We will not retaliate against you for filing a complaint.

Questions? Contact our Privacy Officer at privacy@rootedhealthmember.com · Rooted Health Hormones & MedSpa, LLC · Conway, Arkansas