How Patient Data is Protected
Every step of the clinical documentation process is designed to minimize PHI exposure and maximize security.
Clinician Records Encounter
Audio is captured on the clinician's device and encrypted in transit with TLS 1.3 from the moment it leaves the device; it is never sent in the clear.
Audio Transcribed
The audio is sent to OpenAI (under a BAA) for transcription. It is processed in real time and immediately discarded; no recordings are ever stored.
Data Encrypted at Rest
The transcript is encrypted with AWS KMS envelope encryption using AES-256-GCM. Each record receives its own data key, so a compromised data key exposes only that one record. All patient information is protected at rest and in transit.
Clinical Note Generated
The transcript is decrypted on the server and sent over TLS to OpenAI, which generates a structured clinical note formatted for the clinician's specialty and role. OpenAI operates under a signed BAA and does not retain the data. The note is encrypted before storage.
Clinician Reviews and Exports
The clinician reviews the generated note, makes any edits, and copies it to their EHR. Every access and export action is recorded in the tamper-evident audit log.
Enterprise-Grade Security
Shepard implements the full spectrum of HIPAA technical safeguards to protect electronic Protected Health Information (ePHI).
AWS KMS Envelope Encryption
All ePHI is protected using AWS KMS envelope encryption with AES-256-GCM. For each record, AWS Key Management Service generates a unique data key; the record is encrypted with that key on Shepard's own servers, and only the data key itself is wrapped and unwrapped by KMS. Plaintext PHI is never sent to KMS, and the master key never leaves AWS's FIPS 140-2 validated hardware security modules.
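The envelope-encryption flow described here and in the "Data Encrypted at Rest" step above, written out as an added example in Go. This is not Shepard's code: the 32-byte masterKey is a constructed stand-in for the KMS customer master key (with real KMS the server would call GenerateDataKey and Decrypt instead of wrapping locally), and the record IDs and PHI strings are made up. It shows the two things the prose relies on: a fresh AES-256-GCM data key per record, and the record ID bound into the GCM tag so a ciphertext cannot be moved to another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// masterKey is a constructed stand-in for the KMS customer master key. With
// real KMS this key never leaves the HSM; the server only sees data keys.
var masterKey = []byte("example-master-key-32-bytes-long")

// EncryptedRecord is what lands in the database: no plaintext, no plaintext key.
type EncryptedRecord struct {
	ID         string
	WrappedKey []byte // per-record data key, encrypted under the master key
	Ciphertext []byte // 12-byte nonce || AES-256-GCM ciphertext+tag of the PHI
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under a fresh random nonce and binds aad (the record ID)
// into the authentication tag. A per-record key keeps nonce reuse impossible
// across records and bounds what one leaked data key can expose.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptRecord generates a unique 256-bit data key for this record, encrypts
// the PHI with it, wraps the data key under the master key (what KMS would do
// for us) and wipes the plaintext key before returning.
func EncryptRecord(id string, phi []byte) (*EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	defer wipe(dataKey)
	ct, err := sealGCM(dataKey, phi, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(masterKey, dataKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key (the KMS Decrypt call) and opens the PHI.
// Both steps are bound to rec.ID, so a blob copied to another record fails.
func DecryptRecord(rec *EncryptedRecord) ([]byte, error) {
	dataKey, err := openGCM(masterKey, rec.WrappedKey, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", rec.ID, err)
	}
	defer wipe(dataKey)
	return openGCM(dataKey, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	// Constructed sample PHI; not real patient data.
	rec, err := EncryptRecord("transcript-001", []byte("Patient reports chest pain since Tuesday."))
	if err != nil {
		panic(err)
	}
	phi, err := DecryptRecord(rec)
	fmt.Printf("round trip: %q (err=%v)\n", phi, err)
}
```

The important property to check in a real deployment is that the plaintext data key exists only in memory for the duration of one encrypt or decrypt call, and that the wrapped key stored beside the ciphertext is useless without a KMS Decrypt permission, which is what makes per-record key isolation meaningful.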
TLS 1.3 Transport Security
All data in transit is encrypted using TLS 1.2 or higher, with TLS 1.3 used for audio transmission. No data leaves the device unencrypted.
Role-Based Access Control
Granular role hierarchy from patient to superadmin, enforcing the HIPAA minimum necessary standard: each role sees only the data its function requires.
Tamper-Evident Audit Logs
Every PHI access event is recorded in a SHA-256 hash-chained audit log. Each entry's hash covers the previous entry's hash, so modifying, reordering, or deleting an entry breaks every link after it and is detected on verification.
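A minimal hash-chained audit log with a verifier, as an added example in Go; it is not Shepard's implementation, and the entry fields, actor names and resource paths are constructed. It also shows the one failure a bare chain does not catch: cutting entries off the tail leaves a perfectly valid shorter chain, so the latest hash has to be anchored somewhere the log writer cannot reach (signed, written to WORM storage, or published) and compared on verification.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AuditEntry is one PHI access event. Hash covers every field plus PrevHash,
// which is what links the entry to its predecessor.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	Resource string
	PrevHash string
	Hash     string
}

// genesis is the PrevHash of the first entry.
var genesis = strings.Repeat("0", 64)

// entryHash uses NUL separators and the sequence number so that field values
// cannot be shifted between positions and still produce the same digest.
func entryHash(e AuditEntry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\x00%s\x00%s\x00%s\x00%s", e.Seq, e.Actor, e.Action, e.Resource, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

type AuditLog struct {
	Entries []AuditEntry
}

// Head is the hash of the latest entry (genesis for an empty log). This is the
// value to anchor outside the log so the tail cannot be silently removed.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Append records an event, chaining it to the current head.
func (l *AuditLog) Append(actor, action, resource string) AuditEntry {
	e := AuditEntry{Seq: len(l.Entries), Actor: actor, Action: action, Resource: resource, PrevHash: l.Head()}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and checks every link. It catches modified,
// reordered, inserted and deleted interior entries, but not removal of the tail.
func (l *AuditLog) Verify() error {
	prev := genesis
	for i, e := range l.Entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence number %d (gap or reorder)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: does not link to previous entry", i)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: stored hash does not match contents", i)
		}
		prev = e.Hash
	}
	return nil
}

// VerifyAnchored additionally compares the head against an externally held
// anchor, which is what makes truncation detectable.
func (l *AuditLog) VerifyAnchored(anchor string) error {
	if err := l.Verify(); err != nil {
		return err
	}
	if l.Head() != anchor {
		return errors.New("head does not match anchor: entries appended or truncated")
	}
	return nil
}

func main() {
	al := &AuditLog{} // constructed sample events
	al.Append("dr-smith", "VIEW", "patient/123")
	al.Append("dr-smith", "EXPORT", "note/456")
	al.Append("admin", "VIEW", "patient/123")
	anchor := al.Head()
	fmt.Println("intact:", al.VerifyAnchored(anchor))

	al.Entries[1].Resource = "note/999" // retroactive edit
	fmt.Println("edited:", al.Verify())

	al.Entries = al.Entries[:1] // cut the tail; the chain alone still verifies
	fmt.Println("truncated, chain only:", al.Verify(), "| with anchor:", al.VerifyAnchored(anchor))
}
```

Verification should run from a separate process or account than the one that writes the log; a writer that can rewrite entries can also recompute every subsequent hash, which is exactly why the anchor must be held elsewhere.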
Automatic Session Management
Access tokens expire after 15 minutes. Refresh tokens are single-use and rotate on every refresh; if a refresh token that has already been spent is presented again, the entire token family is revoked and the user must re-authenticate, which limits what an attacker can do with a stolen refresh token.
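The rotation and family-based reuse detection described above, as an added example in Go. This is not Shepard's code: the in-memory TokenStore, the opaque hex tokens and the 30-day refresh lifetime are assumptions (the page only states the 15-minute access lifetime), and a real store would keep a hash of each token rather than the token itself. The clock is injectable so expiry can be tested without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const (
	accessTTL  = 15 * time.Minute
	refreshTTL = 30 * 24 * time.Hour // assumed; the page does not state this value
)

var (
	ErrInvalidToken  = errors.New("invalid, expired or revoked token")
	ErrReuseDetected = errors.New("refresh token reuse detected; token family revoked")
)

type refreshRecord struct {
	User    string
	Family  string // shared by every refresh token descended from one login
	Used    bool   // set once the token has been exchanged
	Expires time.Time
}

type accessRecord struct {
	User    string
	Expires time.Time
}

// TokenStore is an in-memory stand-in for the server-side session store.
type TokenStore struct {
	now             func() time.Time
	access          map[string]accessRecord
	refresh         map[string]*refreshRecord
	revokedFamilies map[string]bool
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{
		now:             now,
		access:          map[string]accessRecord{},
		refresh:         map[string]*refreshRecord{},
		revokedFamilies: map[string]bool{},
	}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *TokenStore) issue(user, family string) (access, refresh string) {
	access, refresh = randomToken(), randomToken()
	s.access[access] = accessRecord{User: user, Expires: s.now().Add(accessTTL)}
	s.refresh[refresh] = &refreshRecord{User: user, Family: family, Expires: s.now().Add(refreshTTL)}
	return access, refresh
}

// Login starts a new token family for a fresh authentication.
func (s *TokenStore) Login(user string) (access, refresh string) {
	return s.issue(user, randomToken())
}

// ValidateAccess returns the user behind a live access token.
func (s *TokenStore) ValidateAccess(token string) (string, error) {
	rec, ok := s.access[token]
	if !ok || s.now().After(rec.Expires) {
		return "", ErrInvalidToken
	}
	return rec.User, nil
}

// Rotate exchanges a refresh token for a new pair. Each refresh token is
// single-use: seeing one a second time means two parties hold a copy (the
// client and whoever stole it), so the whole family is revoked and both must
// re-authenticate. Short-lived access tokens bound the remaining window.
func (s *TokenStore) Rotate(token string) (access, refresh string, err error) {
	rec, ok := s.refresh[token]
	if !ok || s.revokedFamilies[rec.Family] || s.now().After(rec.Expires) {
		return "", "", ErrInvalidToken
	}
	if rec.Used {
		s.revokedFamilies[rec.Family] = true
		return "", "", ErrReuseDetected
	}
	rec.Used = true
	access, refresh = s.issue(rec.User, rec.Family)
	return access, refresh, nil
}

func main() {
	s := NewTokenStore(time.Now)
	_, r1 := s.Login("dr-smith") // constructed user
	_, r2, err := s.Rotate(r1)
	fmt.Println("rotate r1 ok:", err == nil)
	_, _, err = s.Rotate(r1) // replay of the spent token
	fmt.Println("replay r1:", err)
	_, _, err = s.Rotate(r2) // legitimate token, but its family is now revoked
	fmt.Println("rotate r2:", err)
}
```

The design choice worth noting is that reuse detection punishes the legitimate client too: a flaky network that retries a refresh can trigger it, so the client must persist the new token before discarding the old one, and the server should log the event so the forced re-login can be investigated.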
PHI Protection & Access Control
Role-based access controls and audit logging ensure only authorized users access patient data. All data is encrypted at rest using AWS KMS envelope encryption with per-record key isolation.
SOC 2 Type II Infrastructure
Shepard is hosted on SOC 2 Type II certified infrastructure, independently audited for security, availability, and confidentiality controls. Database storage and application hosting meet enterprise compliance standards.
Policies and Procedures
Comprehensive written policies govern how ePHI is handled, who can access it, and what happens when something goes wrong.
- Security Management Policy: Comprehensive security framework with a designated Security Officer, annual risk assessments, and documented safeguards across technical, administrative, and physical domains.
- Risk Assessment: Formal risk assessment identifying threats, vulnerabilities, likelihood, impact, existing safeguards, and residual risk for all systems handling ePHI. Conducted annually and after significant changes.
- Incident Response Plan: Documented 5-phase response procedure covering detection, containment, eradication, recovery, and post-incident review. Severity classification system with defined response times.
- Breach Notification Procedure: Complete breach notification workflow compliant with the HIPAA Breach Notification Rule. Includes individual notification, HHS reporting, media notification thresholds, and breach log maintenance.
- Workforce Training Program: HIPAA training required upon hire and annually for all workforce members. Role-specific modules cover encryption standards, audit procedures, and breach response for technical staff.
- Disaster Recovery Plan: Contingency plan with a 4-hour Recovery Time Objective (RTO) and a 24-hour Recovery Point Objective (RPO). Covers application failures, database recovery, security breaches, and third-party outages.
- Sanctions Policy: Documented sanctions for HIPAA policy violations with four severity levels, investigation procedures, an appeal process, and non-retaliation protections.
Business Associate Agreements
All third-party services that handle ePHI are covered by Business Associate Agreements and undergo regular security review.
OpenAI - AI Processing Partner
Shepard maintains a signed Business Associate Agreement (BAA) with OpenAI. Under this agreement:
- Audio is processed ephemerally and never stored by OpenAI
- Your data is never used for model training
- OpenAI maintains SOC 2 Type II certification
- All data is encrypted with TLS 1.3 during transmission
Business Associate Management
Shepard maintains a formal Business Associate Management Policy that governs:
- Due diligence before engaging any new service provider
- BAA execution before any PHI is shared
- Annual review of all Business Associate relationships
- Subcontractor compliance requirements
- Documented return or destruction of PHI at termination
Mobile Application Security
The Shepard mobile app includes built-in security measures that protect clinical data on the device.
Jailbreak Detection
Clinical features are restricted on compromised devices to prevent data extraction.
Screenshot Protection
Clinical content is automatically hidden when the app is backgrounded to prevent screen capture of PHI.
Biometric Authentication
Face ID, Touch ID, and fingerprint authentication provide an additional layer of access control.
Secure Credential Storage
Authentication tokens are stored in the iOS Keychain and Android Keystore, which protect them with hardware-backed encryption where the device supports it.
HIPAA Compliance Summary
| HIPAA Requirement | Regulation | Status |
|---|---|---|
| Encryption at Rest | §164.312(a)(2)(iv) | Implemented |
| Encryption in Transit | §164.312(e)(2)(ii) | Implemented |
| Access Controls | §164.312(a)(1) | Implemented |
| Audit Controls | §164.312(b) | Implemented |
| Authentication | §164.312(d) | Implemented |
| Integrity Controls | §164.312(c)(1) | Implemented |
| Risk Assessment | §164.308(a)(1)(ii)(A) | Documented |
| Security Management | §164.308(a)(1) | Documented |
| Workforce Training | §164.308(a)(5) | Documented |
| Incident Response | §164.308(a)(6) | Documented |
| Contingency Plan | §164.308(a)(7) | Documented |
| Business Associate Agreements | §164.308(b) | Signed |
| Breach Notification | §164.400-414 | Documented |
| Workstation Security | §164.310(c) | Documented |
| Sanctions Policy | §164.308(a)(1)(ii)(C) | Documented |