Security

Health Gorilla maintains a comprehensive security and compliance program to safeguard patient data, meet regulatory obligations, and preserve trust in nationwide interoperability. The program encompasses technical controls, organizational practices, and third-party certifications that verify compliance with federal and industry standards.

Core Security Practices

Health Gorilla applies strict safeguards to protect all clinical data managed on its platform, including:

  • Encryption in transit and at rest: All traffic is secured using TLS 1.2 or later, and all data is encrypted at rest using AES-256 or stronger.
  • Tenant isolation: Each organization operates within a dedicated tenant boundary. Data is logically separated and cannot be accessed by other clients.
  • Role-based access control: Access follows least-privilege principles. Permissions are defined by role, enforced by OAuth scopes, and regularly audited.
  • Audit logging: Every API call and system event is logged with unique request identifiers, timestamps, and user context to support traceability, compliance reviews, and incident investigations.
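The three access-side controls above (tenant isolation, scope-based least privilege, and per-request audit logging) fit together in one request path. The following Python sketch is an added illustration and is not Health Gorilla's code; the token claims, tenant labels, record store, and the `patient/*.read` scope string are constructed assumptions. It shows a resource server that checks the scope before the tenant, returns an identical "not found" result for cross-tenant and missing records so that one tenant cannot probe another's identifiers, and writes an audit entry carrying a unique request ID, UTC timestamp, actor, tenant, and outcome on every branch, including denials.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: claims a resource server would hold after an OAuth access
# token has already been verified (signature, expiry). Hypothetical values.
SAMPLE_TOKENS = {
    "tok-clinician":    {"sub": "user-17", "tenant": "clinic-a", "scope": "patient/*.read"},
    "tok-billing":      {"sub": "user-42", "tenant": "clinic-a", "scope": "billing.read"},
    "tok-other-tenant": {"sub": "user-99", "tenant": "clinic-b", "scope": "patient/*.read"},
}

# Constructed sample records, partitioned by the tenant that owns them.
RECORDS = {
    "clinic-a": {"pat-1": {"name": "A. Example", "mrn": "0001"}},
    "clinic-b": {"pat-7": {"name": "B. Example", "mrn": "0007"}},
}

AUDIT_LOG = []  # one structured entry per request, written on every outcome


def audit(request_id, claims, action, outcome, detail=""):
    """Append a structured audit entry and return it."""
    entry = {
        "request_id": request_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": claims["sub"] if claims else "anonymous",
        "tenant": claims["tenant"] if claims else None,
        "action": action,
        "outcome": outcome,
        "detail": detail,
    }
    AUDIT_LOG.append(entry)
    print(json.dumps(entry))  # in production this goes to an append-only sink
    return entry


def has_scope(claims, required):
    """Exact match against the space-separated scope list in the token.
    Real SMART-on-FHIR scope matching has wildcard rules; exact match is
    enough to show the least-privilege check."""
    return required in claims.get("scope", "").split()


def read_patient(token, tenant, patient_id, required_scope="patient/*.read"):
    """Serve one read request, enforcing scope then tenant boundary.
    Returns a dict with an HTTP-style status and the request_id so the
    caller can correlate its response with the audit trail."""
    request_id = str(uuid.uuid4())  # unique per request, never reused
    claims = SAMPLE_TOKENS.get(token)

    if claims is None:
        audit(request_id, None, "read_patient", "denied", "invalid token")
        return {"status": 401, "request_id": request_id}

    if not has_scope(claims, required_scope):
        audit(request_id, claims, "read_patient", "denied",
              f"missing scope {required_scope}")
        return {"status": 403, "request_id": request_id}

    # Tenant isolation: a valid, correctly scoped token from another tenant
    # gets the same answer as a missing record, so existence is not disclosed.
    if claims["tenant"] != tenant:
        audit(request_id, claims, "read_patient", "denied",
              f"tenant mismatch: token tenant {claims['tenant']}, requested {tenant}")
        return {"status": 404, "request_id": request_id}

    record = RECORDS.get(tenant, {}).get(patient_id)
    if record is None:
        audit(request_id, claims, "read_patient", "not_found", patient_id)
        return {"status": 404, "request_id": request_id}

    audit(request_id, claims, "read_patient", "allowed", patient_id)
    return {"status": 200, "request_id": request_id, "record": record}


if __name__ == "__main__":
    for tok in ("tok-clinician", "tok-billing", "tok-other-tenant", "bogus"):
        print(tok, "->", read_patient(tok, "clinic-a", "pat-1")["status"])
```

The ordering matters for what the audit trail can answer later: because the scope check precedes the tenant check, a log reviewer can tell "wrong role" denials from "wrong tenant" denials without the response to the client revealing either, and because every branch logs under the same `request_id`, an incident investigation can join the client-visible response to the server-side decision.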

Certifications and Frameworks

Health Gorilla holds multiple certifications and independent audit reports that validate its security posture and compliance with federal and industry standards. The program is reviewed regularly by third-party assessors to ensure controls remain effective and current.

  • HIPAA: All systems and processes comply with the Health Insurance Portability and Accountability Act.
  • TEFCA (QHIN): Health Gorilla is designated as a Qualified Health Information Network under the Trusted Exchange Framework and Common Agreement.
  • HITRUST: Active HITRUST CSF certification demonstrates enterprise-level security and risk management.
  • SOC 2 Type 2: Independent audits validate the security, availability, and confidentiality of Health Gorilla services.
  • NIST Cybersecurity Framework (CSF): Security controls are mapped and aligned with NIST CSF functions to enhance resilience and risk management.

Program Oversight

Security is continuously monitored and enforced across people, processes, and technology. Independent third-party audits are conducted annually to verify compliance. Controls are updated to align with evolving regulations and best practices. Incident response and business continuity plans are maintained and tested regularly. Policies apply uniformly across all products and services, ensuring consistent protection regardless of integration method.