Security and compliance
Nexession handles protected health information, so safety and evidence come first. The controls on this page are built into the design and exercised by the test suite. Where a control is planned rather than complete, we say so.
The fixed rules
These hold regardless of what any recognition method returns. They are enforced in the software, not left to configuration.
An order cannot be submitted until validation passes and a person confirms patient identity and every machine-read order detail. The check runs on the server and in the database, so it holds even if the application is bypassed.
Diagnosis, test, and provider codes are never inferred or converted into a billable code. An unclear mark is flagged for review rather than guessed, which protects the lab from submitting an order it did not intend.
A checkbox decision is tied to a region of the page and the exact measurement behind it, so a reviewer or auditor can reproduce the result by hand.
Each access to protected health information and each field edit is written with the person, the time, and the before and after value. The audit log is append only and cannot be edited or deleted by the application.
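An added illustration of the first and last fixed rules, using a constructed SQLite schema rather than Nexession's own code: the triggers make the database itself refuse a submission that has not been validated and confirmed, and refuse any rewrite or deletion of the audit log, so the rules hold even when the application is bypassed. Table and column names are assumptions.

```python
import sqlite3

# Constructed schema: orders, an append-only audit table, and the enforcing triggers.
SCHEMA = """
CREATE TABLE orders (
    id INTEGER PRIMARY KEY, patient_name TEXT, test_code TEXT,
    validation_passed INTEGER NOT NULL DEFAULT 0, identity_confirmed_by TEXT,
    fields_confirmed INTEGER NOT NULL DEFAULT 0, status TEXT NOT NULL DEFAULT 'draft');
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, actor TEXT NOT NULL,
    at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    order_id INTEGER NOT NULL, field TEXT NOT NULL, old_value, new_value);
-- No submission until validation passed and a person confirmed identity and fields.
CREATE TRIGGER submit_gate BEFORE UPDATE OF status ON orders
WHEN NEW.status = 'submitted' AND NOT (NEW.validation_passed = 1
     AND NEW.identity_confirmed_by IS NOT NULL AND NEW.fields_confirmed = 1)
BEGIN SELECT RAISE(ABORT, 'order not validated and confirmed'); END;
-- The audit log is append only, even for the application's own connection.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit log is append only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit log is append only'); END;
"""
EDITABLE = {"patient_name", "test_code", "validation_passed",
            "identity_confirmed_by", "fields_confirmed", "status"}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO orders (patient_name, test_code) VALUES (?, ?)",
                 ("J. DOE (machine read)", "CBC"))  # constructed sample order
    conn.commit()
    return conn

def edit_field(conn, actor, order_id, field, new_value):
    """Apply one field edit and record actor, time, before and after value with it."""
    if field not in EDITABLE:  # column names cannot be bound as parameters, so allow-list them
        raise ValueError(field)
    with conn:  # one transaction: the edit and its audit row commit or fail together
        old = conn.execute(f"SELECT {field} FROM orders WHERE id = ?", (order_id,)).fetchone()[0]
        conn.execute(f"UPDATE orders SET {field} = ? WHERE id = ?", (new_value, order_id))
        conn.execute("INSERT INTO audit_log (actor, order_id, field, old_value, new_value)"
                     " VALUES (?, ?, ?, ?, ?)", (actor, order_id, field, old, new_value))

def try_submit(conn, actor, order_id):
    """True if the database accepted the submission, False if the trigger refused it."""
    try:
        edit_field(conn, actor, order_id, "status", "submitted")
        return True
    except sqlite3.DatabaseError:
        return False
```

A refused submission is rolled back whole, so neither the status change nor a stray audit row survives it.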
Controls
The first line of each item is in the design now. The second line is the path we follow as deployments scale and as customers require it.
Protected health information is encrypted in transit with TLS 1.2 or higher and at rest with AES-256 using customer managed keys.
Stronger option: column level encryption on the most sensitive fields with scheduled key rotation.
Least privilege roles with multi-factor sign in. Reviewers, lead reviewers, administrators, and read only auditors each see only what their job requires.
Stronger option: single sign on with your identity provider and automated user provisioning.
An append only audit log records every access and edit. System logs carry identifiers only and never field values.
Stronger option: forward audit events to your monitoring system for alerting on unusual activity.
Dependencies and secrets are scanned in the build, and the document intake is screened for malicious content before any reading happens.
Stronger option: an independent penetration test and continuous vulnerability scanning on a fixed schedule.
A Business Associate Agreement is signed before protected health information flows, and every subcontractor that could touch it is covered by its own agreement.
Stronger option: a documented vendor review and a published list of subprocessors.
Each record is kept for the longest period required by CLIA, HIPAA, and state law. Deletion is never automatic, and each deletion is itself a recorded event.
Stronger option: a per customer retention schedule agreed in writing during setup.
Standards
We describe our standing accurately. HIPAA has no certificate to display, so we map our controls to the rule. SOC 2 is an independent audit we are working toward rather than one we claim today.
The 2025 HIPAA Security Rule update was proposed in January 2025 and has not been finalized. Nexession already aligns with its main proposals, including required encryption, multi-factor sign in, and a yearly compliance review.
CLIA quality evidence
Entering a requisition into the LIS is regulated transcription. Because Nexession performs that step, it produces the accuracy evidence a surveyor expects, instead of leaving the lab to assemble it later.
Every delivered message is linked to the source image, and every field records its source. The result is a clear path from the order in the LIS back to the exact part of the scanned form it came from.
The agreement path
Work begins on synthetic and de-identified material. No protected health information is needed to start.
The agreement is signed during setup, on your paper or ours, before any real data is processed.
The cloud provider, the fax vendor, and any recognition service are each covered by their own agreement before data reaches them.
The agreement includes breach notification with state additions, no use of protected health information to train shared models, and audit rights for the lab.
We would rather answer hard questions early. Start with a non-disclosure agreement and synthetic data, with no protected health information required.
Healthcare regulatory counsel signs off before any deployment processes real orders. Accuracy figures referenced across this site come from a synthetic test set and are not pilot or production results.