Security & Compliance

PHI handled with the rigor your patients and practice deserve.

Ivera processes Protected Health Information on behalf of Texas medical practices as a HIPAA Business Associate. We sign a BAA before any PHI is onboarded, run exclusively on AWS HIPAA-eligible infrastructure, and apply defense-in-depth controls at every layer of the stack.

How we protect your data

Six layers of protection, built in from day one.

Encryption in transit and at rest

All data moves over TLS. PHI at rest is encrypted using FIPS-validated modules with keys managed by AWS KMS. No plaintext PHI ever touches disk.

Role-based access control

Every user session is scoped to a single practice. Practice data is isolated at the database layer by practice_id on every query. Staff never see another tenant's records.

Regular audits and penetration testing

We schedule independent third-party security reviews before each production milestone. Findings are tracked to closure before new PHI is onboarded.

AWS infrastructure with signed BAA

Ivera runs entirely on AWS HIPAA-eligible services (Aurora Postgres, S3, KMS, Fargate, SES, CloudWatch). We execute a signed AWS Business Associate Agreement covering every service that touches PHI.

PHI access logging

Every read and write of protected health information is written to an immutable audit log. Logs are retained for seven years in accordance with HIPAA and Texas Health and Safety Code Chapter 181.

Least-privilege principle

Internal systems and personnel are granted only the minimum permissions required to perform their function. Service accounts carry no more than the scopes their role demands.

Regulatory compliance

HIPAA and Texas HB 300, both.

Federal HIPAA sets the baseline. Texas House Bill 300 goes further: it applies HIPAA-equivalent obligations to any entity that receives PHI from a covered entity, extends training requirements to all personnel who handle PHI, and authorizes state-level enforcement independent of federal action. Ivera complies with both.

We execute a Business Associate Agreement before any PHI is processed, commit to a 72-hour breach-notification window (stricter than the federal 60-day cap), and log every PHI access for the full seven-year retention period required by Texas law.

Compliance status: Active
HIPAA Business Associate Agreement: Signed with every customer
Texas HB 300 compliance: Personnel trained
AWS HIPAA BAA: Executed
PHI audit log retention: 7 years
Breach notification window: 72 hours
HIPAA Compliant

Get started

Ready to recover denied revenue on a HIPAA-compliant platform?

We sign a BAA before we touch a single claim. Every Texas practice gets the same infrastructure-grade security from day one.
