Resources

Security and compliance

Approva is built to handle protected health information on behalf of ambulatory surgery centers as a business associate. Before any customer engagement, Approva signs a BAA and applies the controls described below to how PHI is accessed, stored, and transmitted.

HIPAA

Approva operates as a business associate under HIPAA. We handle PHI in accordance with the HIPAA Privacy Rule and Security Rule — covering administrative, physical, and technical safeguards. All staff with PHI access complete HIPAA training at onboarding and on an annual cadence.

Business Associate Agreement

We sign a BAA before handling any PHI. Our standard agreement covers Approva's obligations as a business associate and outlines breach notification procedures. Review BAA terms →

SOC 2

Approva is working toward a SOC 2 Type I report, with Type II to follow once controls have an operating history. Our controls cover the Security Trust Services Criterion, along with availability, confidentiality, and processing integrity. SOC 2 status →

Data security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to PHI is role-based and requires multi-factor authentication. Every access event is audit-logged and retained for a minimum of six years per HIPAA requirements.

Risk analysis

Approva conducts a HIPAA Security Rule risk analysis under 45 CFR 164.308(a)(1), covering administrative, physical, and technical safeguards across every system that creates, receives, maintains, or transmits PHI. The analysis is reviewed on a defined cadence — at minimum annually and on material change.

Minimum necessary

Access to PHI is limited to the minimum necessary for each role's function. Reviewers see only the case content they're assigned, and engineers do not access PHI in production except under audited, time-bounded break-glass procedures.

Breach notification

Approva notifies the covered entity of a discovered breach without unreasonable delay, and in no case later than the timeline specified in the BAA. The regulatory ceiling under HITECH is 60 days from discovery; the specific contractual window is set in each BAA.

Subcontractor BAA flow-down

Any subcontractor that creates, receives, maintains, or transmits PHI on Approva's behalf signs a BAA with terms no less stringent than the upstream BAA, as required under the 2013 HIPAA Omnibus Rule.

Penetration testing and vulnerability management

Approva is built to run annual third-party penetration testing alongside continuous vulnerability scanning, with remediation SLAs by severity. The cadence is forward-looking until the first test is complete.

Incident response

Approva maintains an incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is tested on a defined cadence.