Security and compliance

Security is the product, not a feature of it.

Nexession handles protected health information, so safety and evidence come first. The controls on this page are built into the design and exercised by the test suite. Where a control is planned rather than complete, we say so.

Image: a controlled clinical laboratory environment. PHI handled with care, from the first byte.

The fixed rules

Four guarantees that do not depend on a model.

These hold regardless of what any recognition method returns. They are enforced in the software, not left to configuration.

01

Nothing submits on its own.

An order cannot be submitted until validation passes and a person confirms patient identity and every machine-read order detail. The check runs on the server and in the database, so it holds even if the application is bypassed.

02

Order content is transcribed only.

Diagnosis, test, and provider codes are never inferred or converted into a billable code. An unclear mark is flagged for review rather than guessed, which protects the lab from submitting an order it did not intend.

03

Checkboxes are read without AI.

A checkbox decision is tied to a region of the page and the exact measurement behind it, so a reviewer or auditor can reproduce the result by hand.
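How a deterministic, reproducible checkbox read can look, as an added illustration that is not Nexession's code: the decision is derived from a fixed page region and a dark-pixel count, and everything an auditor needs to recount by hand (region, counts, ratio, the two cut-offs) is returned with it. The page bitmap, region, ink threshold and the "empty / review / checked" cut-offs are all assumed values constructed for the example.

```python
# Constructed example (not Nexession's code): read a checkbox from a fixed region of a
# page bitmap by measuring how much of the region is ink, and keep the measurement as
# evidence. No model is involved; the same bitmap and region always give the same answer.

INK = 128  # assumed grey level; a pixel darker than this counts as ink


def blank_page(height, width):
    """A constructed page: rows of 0-255 grey values, all white."""
    return [[255] * width for _ in range(height)]


def ink_pixels(page, pixels):
    """Draw constructed marks (list of (y, x)) onto the page in black."""
    for y, x in pixels:
        page[y][x] = 0
    return page


def read_checkbox(page, region, low=0.10, high=0.20):
    """region is (top, left, height, width) on the page.

    Returns the decision together with the exact measurement behind it.
    A fill ratio between the two assumed cut-offs is an unclear mark and
    is sent to review rather than guessed.
    """
    top, left, height, width = region
    dark = sum(
        1
        for y in range(top, top + height)
        for x in range(left, left + width)
        if page[y][x] < INK
    )
    total = height * width
    ratio = dark / total
    if ratio >= high:
        decision = "checked"
    elif ratio <= low:
        decision = "empty"
    else:
        decision = "review"
    return {"region": region, "dark_pixels": dark, "total_pixels": total,
            "fill_ratio": round(ratio, 3), "low": low, "high": high,
            "decision": decision}


# Constructed sample marks inside an 8x8 box at (2, 2) on a 12x12 page.
BOX = (2, 2, 8, 8)
X_MARK = [(2 + i, 2 + i) for i in range(8)] + [(2 + i, 9 - i) for i in range(8)]  # 16 px
SMUDGE = [(5, 2 + i) for i in range(8)] + [(6, 2), (6, 3)]                       # 10 px
```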

04

Every change is recorded.

Each access to protected health information and each field edit is written with the person, the time, and the before and after value. The audit log is append only and cannot be edited or deleted by the application.
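Rules 01 and 04 as database-enforced constraints, shown in an added example that is not Nexession's schema: an order row cannot take the status "submitted" unless validation has passed and a named person has confirmed identity and details, and the audit table aborts any update or delete from inside the database. The schema, column names and the use of SQLite are assumptions made for the example.

```python
import sqlite3

# Constructed schema (not Nexession's own) showing two rules that hold even if the
# application is bypassed: submission is gated by a CHECK constraint, and the audit
# log is made append-only by triggers that abort every UPDATE and DELETE.
SCHEMA = """
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    status TEXT NOT NULL DEFAULT 'draft'
        CHECK (status IN ('draft', 'validated', 'submitted')),
    validation_passed INTEGER NOT NULL DEFAULT 0,
    identity_confirmed_by TEXT,
    details_confirmed_by TEXT,
    -- Rule 01: nothing submits without validation and a person's confirmation.
    CHECK (status <> 'submitted'
           OR (validation_passed = 1
               AND identity_confirmed_by IS NOT NULL
               AND details_confirmed_by IS NOT NULL))
);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    actor TEXT NOT NULL,
    at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    order_id INTEGER NOT NULL,
    field TEXT NOT NULL,
    old_value TEXT,
    new_value TEXT
);
-- Rule 04: the log accepts inserts only; edits and deletions abort in the database.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append only'); END;
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def confirm(db, order_id, reviewer):
    """A person records that validation passed and that they confirmed the order."""
    db.execute("UPDATE orders SET validation_passed=1, identity_confirmed_by=?, "
               "details_confirmed_by=? WHERE id=?", (reviewer, reviewer, order_id))


def try_submit(db, order_id):
    """True only if the database accepted the transition to 'submitted'."""
    try:
        db.execute("UPDATE orders SET status='submitted' WHERE id=?", (order_id,))
        return True
    except sqlite3.DatabaseError:  # CHECK constraint rejected the row
        return False


def record_edit(db, actor, order_id, field, old, new):
    """Append one audit row (who, when, before, after); returns rows logged for the order."""
    db.execute("INSERT INTO audit_log (actor, order_id, field, old_value, new_value) "
               "VALUES (?, ?, ?, ?, ?)", (actor, order_id, field, old, new))
    return db.execute("SELECT count(*) FROM audit_log WHERE order_id=?",
                      (order_id,)).fetchone()[0]


def tamper_audit(db):
    """Try to rewrite, then delete, the log; True only if the database allowed either."""
    for stmt in ("UPDATE audit_log SET new_value='x'", "DELETE FROM audit_log"):
        try:
            db.execute(stmt)
            return True
        except sqlite3.DatabaseError:  # trigger raised ABORT
            pass
    return False
```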

Controls

Each control today, and the stronger option as we grow.

The first line of each item is in the design now. The second line is the path we follow as deployments scale and as customers require it.

Encryption

Protected health information is encrypted in transit with TLS 1.2 or higher and at rest with AES-256 using customer managed keys.

Stronger option: column level encryption on the most sensitive fields with scheduled key rotation.

Access control

Least privilege roles with multi-factor sign in. Reviewers, lead reviewers, administrators, and read only auditors each see only what their job requires.

Stronger option: single sign on with your identity provider and automated user provisioning.

Audit and logging

An append-only audit log records every access and edit. System logs carry identifiers only and never field values.

Stronger option: forward audit events to your monitoring system for alerting on unusual activity.

Testing and vulnerabilities

Dependencies and secrets are scanned in the build, and the document intake is screened for malicious content before any reading happens.

Stronger option: an independent penetration test and continuous vulnerability scanning on a fixed schedule.

Vendors and subcontractors

A Business Associate Agreement is signed before protected health information flows, and every subcontractor that could touch it is covered by its own agreement.

Stronger option: a documented vendor review and a published list of subprocessors.

Retention and deletion

Each record is kept for the longest period required by CLIA, HIPAA, and state law. Deletion is never automatic, and each deletion is itself a recorded event.

Stronger option: a per customer retention schedule agreed in writing during setup.

Standards

Where we stand on compliance.

We describe our standing accurately. HIPAA has no certificate to display, so we map our controls to the rule. SOC 2 is an independent audit we are working toward rather than one we claim today.

In place now

  • HIPAA Security Rule. Mapped to the technical safeguards in 45 CFR 164.312.
  • CLIA quality evidence. Requisition elements mapped to 42 CFR 493.1241.
  • Encryption. AES-256 at rest and TLS 1.2 or higher in transit.
  • Append-only audit. Every access and edit is recorded.

On the roadmap

  • SOC 2 Type II. Planned alongside the first production deployment.
  • HITRUST mapping. Available for customers who require it.
  • Single sign on. Integration with your identity provider.

The 2025 HIPAA Security Rule update was proposed in January 2025 and has not been finalized. Nexession already aligns with its main proposals, including required encryption, multi-factor sign in, and a yearly compliance review.

CLIA quality evidence

Your transcription evidence is produced as you work.

Entering a requisition into the LIS is regulated transcription. Because Nexession performs that step, it produces the accuracy evidence a surveyor expects, instead of leaving the lab to assemble it later.

  • Required elements are mapped to 42 CFR 493.1241 by citation, including the conditional Pap elements
  • A sampling job compares completed orders against the source image, and includes every field corrected in review
  • A report of sample size, agreement rates, and outcomes can be exported for review

Order to image link

Every delivered message is linked to the source image, and every field records its source. The result is a clear path from the order in the LIS back to the exact part of the scanned form it came from.

The agreement path

No protected health information moves until the paperwork is in place.

1. Non disclosure agreement first

Work begins on synthetic and de-identified material. No protected health information is needed to start.

2. Business Associate Agreement before any data

The agreement is signed during setup, on your paper or ours, before any real data is processed.

3. Full subcontractor chain

The cloud provider, the fax vendor, and any recognition service are each covered by their own agreement before data reaches them.

4. Terms we bring

Breach notification with state additions, no use of protected health information to train shared models, and audit rights for the lab.

Bring your security review.

We would rather answer hard questions early. Start with a non disclosure agreement and synthetic data, with no protected health information required.

Healthcare regulatory counsel signs off before any deployment processes real orders. Accuracy figures referenced across this site come from a synthetic test set and are not pilot or production results.