Security and Deployment

Health Gorilla enforces strict security and deployment practices to protect patient data, maintain regulatory compliance, and isolate access by organization. Your organization is responsible for configuring environment settings, access controls, and credentials to meet internal security requirements.

OAuth 2.0 and Scopes

All API requests require OAuth 2.0 authentication using a bearer token. You must use the correct scope for each resource or operation. Scopes determine which actions your application is authorized to perform.

  • Use *.read scopes to retrieve data
  • Use *.write scopes to create, update, or delete records

Tokens expire after a limited time and must be refreshed using your client credentials. Credentials and scopes are configured per tenant. Your organization cannot access resources from other tenants unless multi-tenant access has been explicitly enabled.

Tenants

Each organization is assigned to a unique tenant. Your tenant defines which users, locations, and patient data are accessible. If your organization supports multiple facilities, configure location-level attributes such as the National Provider Identifier (NPI) and facility ID under a shared parent tenant.

  • Patient data is not shared across tenants unless specifically enabled through patient sharing, multi-tenant queries, or delegated access
  • Access controls are enforced at both the tenant and OAuth scope level
  • Your environment can support test and production tenants under separate credentials and base URLs

API Traffic and Monitor Activity

All data is encrypted in transit using HTTPS and at rest using industry-standard encryption methods. You must access the APIs over a secure connection. All incoming and outgoing traffic is logged, and every API call includes a unique request ID that you can use for tracing and support.

  • Restrict access by IP address
  • Configure audit reporting for access reviews and incident tracking
  • Review request logs and error events for debugging and compliance

Cloud-Based, Redundant Environment

Health Gorilla’s APIs are hosted in secure, cloud-based environments with geographic redundancy and high availability. Your organization does not need to install or maintain any on-premises software. The platform is designed to support large volumes of concurrent requests, with separate environments for development and production traffic.

  • API endpoints are region-neutral and load balanced
  • Deployments are continuously monitored for uptime and response time
  • Maintenance windows are scheduled and published in advance

You are responsible for configuring your application to handle timeouts, retries, and rate limits appropriately.
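The token handling, scope convention and retry behaviour described above, as an added Python example (not Health Gorilla's SDK or code): it caches a client-credentials token until shortly before expiry, refuses a call whose scope the token does not cover, and retries timeouts, 429 and 5xx responses with backoff while recording the request ID for support. `fetch_token`, `send`, the `X-Request-Id` header name and the resource names are assumptions for illustration; the real transport is whatever HTTPS client you use.

```python
import time

RETRYABLE = {429, 500, 502, 503, 504}  # rate limit and transient server errors
REQUEST_ID_HEADER = "X-Request-Id"     # assumed header name; the page does not give it

class TokenCache:
    """Caches a client-credentials token and refreshes it shortly before expiry."""
    def __init__(self, fetch_token, skew=30):
        # fetch_token() is an assumed callable returning (token, expires_in_seconds, scopes)
        self._fetch, self._skew = fetch_token, skew
        self._token, self._expires_at, self.scopes = None, 0.0, frozenset()

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, ttl, scopes = self._fetch()
            self._expires_at, self.scopes = now + ttl, frozenset(scopes)
        return self._token

def scope_for(resource, method):
    # Page convention: *.read scopes retrieve data, *.write scopes create/update/delete
    return f"{resource}.read" if method == "GET" else f"{resource}.write"

def check_scope(granted, resource, method):
    needed = scope_for(resource, method)
    if needed not in granted:
        raise PermissionError(f"token lacks {needed}; granted={sorted(granted)}")
    return needed

def build_request(cache, method, resource, path):
    """Attach a fresh bearer token only after confirming the scope covers the call."""
    token = cache.get()
    check_scope(cache.scopes, resource, method)
    return {"method": method, "path": path, "headers": {"Authorization": f"Bearer {token}"}}

def send_with_retries(send, request, max_attempts=4, base_delay=0.5, sleep=time.sleep):
    """send(request) -> (status, headers, body), or raises TimeoutError.
    Retries timeouts, 429 and 5xx with exponential backoff, honouring Retry-After."""
    for attempt in range(1, max_attempts + 1):
        try:
            status, headers, body = send(request)
        except TimeoutError:
            status, headers, body = None, {}, None
        if status is not None and status not in RETRYABLE:
            return status, headers, body
        if attempt == max_attempts:
            raise RuntimeError(f"giving up after {attempt} attempts; last status={status} "
                               f"request id={headers.get(REQUEST_ID_HEADER)}")
        delay = float(headers.get("Retry-After", base_delay * 2 ** (attempt - 1)))
        sleep(delay)
```

Keep the skew larger than your slowest round trip so a token never expires mid-request, and log the request ID from every non-2xx response before retrying.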