Behavioral health data is the most sensitive category in healthcare. Navix is engineered for HIPAA, 42 CFR Part 2, SOC 2, ONC Health IT (Drummond), and TCPA from the foundation up — not retrofitted.
HIPAA: Full HIPAA Privacy Rule and Security Rule compliance. BAA included with every paid plan.
SOC 2: Type II audited, covering the security, availability, confidentiality, and processing integrity controls.
ONC Health IT: Certified through Drummond Group, an ONC-Authorized Certification Body (ONC-ACB). Validates interoperability, security, and clinical-functionality standards.
42 CFR Part 2: Substance use disorder records protected with the heightened consent and re-disclosure controls Part 2 requires.
TCPA: Full opt-in flow with mobile verification. STOP/HELP keyword support. No PHI over SMS.
Security controls
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Keys managed via AWS KMS with regular rotation.
Role-based access controls. SSO via SAML 2.0 / OIDC for enterprise. Mandatory two-factor authentication. Session timeouts and IP allowlisting available.
Append-only logs of every PHI access — who viewed which record, when, from what IP, and what actions they took. Retained per HIPAA Security Rule requirements.
Hosted on AWS in HIPAA-eligible regions. VPC isolation, private subnets, security groups, and least-privilege IAM. Continuous vulnerability scanning.
Documented incident response plan. 24/7 monitoring with PagerDuty escalation. Breach notification procedures align with HIPAA's 60-day rule.
Daily encrypted backups with point-in-time recovery. Multi-AZ failover. Tested disaster recovery plan with documented RPO/RTO.
Mandatory HIPAA and security training for all employees. Background checks. Confidentiality agreements. Least-privilege access for engineering.
Subcontractor BAAs in place with all PHI-handling third parties. Annual vendor reviews. Vendor risk register maintained.
AI/ML safeguards
AI in healthcare requires a higher bar than AI in consumer software. Here's how Navix handles training data, customer isolation, and model governance.
42 CFR Part 2
42 CFR Part 2 places stricter controls than HIPAA on disclosure of substance use disorder records. Written patient consent is generally required for any disclosure; recipients are prohibited from re-disclosure. The penalties for violation are severe.
Navix is engineered around these requirements. Part 2 records carry an enhanced consent flag throughout the system. Every disclosure is logged. Re-disclosure warnings are surfaced where they matter. Our de-identification methods meet the Part 2 standard.
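The following is an added illustration of the two controls described above (the Part 2 consent flag with re-disclosure notice, and the append-only log of every PHI access listed under Security controls); it is example code written for this page, not Navix's own implementation, and the record, patient, user and IP values it uses are constructed samples.

```python
"""Consent-gated disclosure of Part 2 records with an append-only audit trail.

Added example, not Navix code. A record flagged as Part 2 can only be
disclosed to a recipient named in an active written consent; every
disclosure attempt (allowed or denied) is appended to an audit log with
actor, record, recipient, source IP, action and outcome; an allowed Part 2
disclosure carries the re-disclosure notice with it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Wording is illustrative; the actual notice text is dictated by the regulation.
REDISCLOSURE_NOTICE = (
    "This record is protected by 42 CFR Part 2. Further disclosure without "
    "the patient's written consent is prohibited."
)


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    part2: bool          # the enhanced-consent flag that travels with the record
    body: str


@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipient: str       # who the patient authorised to receive the record
    expires: datetime


class AuditLog:
    """Append-only: entries can be added and read, never edited or removed."""

    def __init__(self):
        self._entries = []

    def append(self, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        self._entries.append(entry)
        return entry

    def entries(self):
        # Read-only view; the list itself is never handed out.
        return tuple(self._entries)


def disclose(record, recipient, actor, ip, consents, log, now=None):
    """Return the disclosable payload, or raise PermissionError.

    Both outcomes are logged, so a denied attempt is as visible as a success.
    """
    now = now or datetime.now(timezone.utc)
    common = dict(actor=actor, ip=ip, record_id=record.record_id,
                  recipient=recipient, action="disclose")
    if record.part2:
        consented = any(
            c.patient_id == record.patient_id
            and c.recipient == recipient
            and c.expires > now
            for c in consents
        )
        if not consented:
            log.append(**common, outcome="denied",
                       reason="no active Part 2 consent")
            raise PermissionError(
                f"{record.record_id}: no active Part 2 consent for {recipient}")
    log.append(**common, outcome="allowed")
    payload = {"record_id": record.record_id, "body": record.body}
    if record.part2:
        payload["notice"] = REDISCLOSURE_NOTICE  # travels with every Part 2 disclosure
    return payload


def sample_data():
    """Constructed sample data (hypothetical patient, clinician, and consent)."""
    records = {
        "rec-100": Record("rec-100", "pt-1", part2=True,
                          body="SUD treatment note (constructed)"),
        "rec-200": Record("rec-200", "pt-1", part2=False,
                          body="General visit note (constructed)"),
    }
    consents = [Consent("pt-1", "dr.smith@example.org",
                        datetime(2030, 1, 1, tzinfo=timezone.utc))]
    return records, consents


if __name__ == "__main__":
    records, consents = sample_data()
    log = AuditLog()
    print(disclose(records["rec-100"], "dr.smith@example.org",
                   "nurse.jones", "10.0.0.5", consents, log))
    try:
        disclose(records["rec-100"], "other@example.org",
                 "nurse.jones", "10.0.0.5", consents, log)
    except PermissionError as e:
        print("denied:", e)
    for entry in log.entries():
        print(entry)
```

The point of logging the denied path as well as the allowed one is that a consent failure is itself a security-relevant event: a reviewer reading the audit trail should see who tried to reach a Part 2 record, for which recipient, and why it was refused.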
We provide our SOC 2 Type II report, BAA, security questionnaire responses, and penetration test summaries to qualified prospects under NDA.