In Re. · Compliance with the HIPAA Rules
Statement of HIPAA Compliance
Ultradoc Technologies LLC ("Ultradoc," "we," "us," or "our") attests that its clinical workflow platform is designed, operated, and maintained in compliance with the applicable provisions of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and the implementing regulations at 45 CFR Parts 160, 162, and 164 (collectively, the "HIPAA Rules").
Ultradoc acts as a Business Associate (as defined at 45 CFR § 160.103) to its covered-entity customers. Ultradoc enters into a written Business Associate Agreement with every covered entity whose use of the platform requires one, and with every subcontractor that creates, receives, maintains, or transmits PHI on Ultradoc's behalf.
This instrument describes the administrative, physical, and technical safeguards implemented by Ultradoc to protect the confidentiality, integrity, and availability of Protected Health Information.
Article I
Scope
This attestation applies to the Ultradoc platform, including all web, mobile, and API interfaces operated under the ultradoc.net domain, together with the underlying services, databases, and supporting infrastructure that store or process Protected Health Information on behalf of Ultradoc's customers.
The controls described herein apply to all workforce members of Ultradoc and to all subcontractors engaged by Ultradoc that create, receive, maintain, or transmit PHI on Ultradoc's behalf.
Article II
Definitions
45 CFR § 160.103 · § 164.304
All defined terms used in this instrument have the meanings ascribed to them in the HIPAA Rules. Selected terms are summarized below for the convenience of the reader.
a. Covered Entity.
A health plan, health care clearinghouse, or health care provider who transmits health information in electronic form in connection with a covered transaction, as defined at 45 CFR § 160.103.
b. Business Associate.
A person or entity that performs functions or activities involving the use or disclosure of Protected Health Information on behalf of, or provides services to, a Covered Entity. Ultradoc is a Business Associate to its customers.
c. Protected Health Information (PHI).
Individually identifiable health information transmitted or maintained in any form or medium, as defined at 45 CFR § 160.103. References herein to PHI include electronic PHI (ePHI).
d. Subcontractor / Subprocessor.
A person or entity to whom a Business Associate delegates a function, activity, or service, and who creates, receives, maintains, or transmits PHI on behalf of the Business Associate.
e. Workforce.
Employees, contractors, and other persons whose conduct, in the performance of work for Ultradoc, is under the direct control of Ultradoc, whether or not they are paid by Ultradoc.
f. Security Incident.
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system, as defined at 45 CFR § 164.304.
Article III
Administrative Safeguards
45 CFR § 164.308
§ 3.01 Designated Security & Privacy Officer.
Ultradoc designates a named Security Officer and Privacy Officer responsible for the development, implementation, and ongoing maintenance of policies and procedures required by the HIPAA Security and Privacy Rules.
§ 3.02 Workforce training & awareness.
All workforce members with access to PHI complete HIPAA training at onboarding and on a recurring annual basis. Training covers the Security Rule, the Privacy Rule, breach notification, sanctions, password management, and incident reporting. Training records are retained for a minimum of six (6) years.
§ 3.03 Workforce clearance & termination.
Access to systems containing PHI is provisioned only after a documented clearance procedure. Upon separation, role change, or loss of authorization, all access is revoked without delay in accordance with a documented termination procedure.
§ 3.04 Risk analysis & risk management.
Ultradoc conducts formal, documented risk analyses of the confidentiality, integrity, and availability of ePHI in accordance with 45 CFR § 164.308(a)(1)(ii)(A). Identified risks are tracked in a risk register and remediated pursuant to a documented risk-management program under § 164.308(a)(1)(ii)(B).
§ 3.05 Information system activity review.
Ultradoc implements procedures to regularly review records of information system activity, including audit logs, access reports, and security-incident tracking reports, as required by 45 CFR § 164.308(a)(1)(ii)(D).
§ 3.06 Sanction policy.
Ultradoc maintains and enforces a formal sanction policy against workforce members who fail to comply with its security policies and procedures, pursuant to 45 CFR § 164.308(a)(1)(ii)(C).
§ 3.07 Contingency planning.
Data backup, disaster recovery, and emergency-mode operation plans are documented, maintained, and tested periodically to ensure continued availability of PHI during adverse events, in accordance with 45 CFR § 164.308(a)(7).
§ 3.08 Evaluation.
Ultradoc performs periodic technical and nontechnical evaluations of its security controls, in response to environmental or operational changes affecting the security of ePHI, as required by 45 CFR § 164.308(a)(8).
Article IV
Physical Safeguards
45 CFR § 164.310
§ 4.01 Cloud-hosted infrastructure.
Ultradoc operates no on-premise data centers. All production systems run on SOC 2 Type II audited cloud infrastructure operated by HIPAA-eligible providers, governed by executed Business Associate Agreements.
§ 4.02 Facility access controls.
Physical access to the facilities housing production infrastructure is controlled, monitored, and logged by the underlying cloud providers in accordance with their published compliance programs (SOC 2 Type II, ISO 27001, FedRAMP).
§ 4.03 Workstation security.
Workforce devices authorized to access PHI are subject to full-disk encryption and automatic screen-lock. A managed device baseline (centralized patch management, endpoint detection and response, and mobile device management with remote-wipe capability) activates upon workforce expansion.
§ 4.04 Device & media controls.
Removable media are prohibited for storage of PHI. All media potentially containing ePHI are sanitized or destroyed in accordance with NIST SP 800-88 Rev. 1 guidelines prior to reuse or disposal.
Article V
Technical Safeguards
45 CFR § 164.312
§ 5.01 Unique user identification.
Every workforce member and end user is assigned a unique account. Shared or group credentials are prohibited for access to PHI.
§ 5.02 Person & entity authentication.
Authentication is enforced at every entry point to systems containing PHI. Multi-factor authentication is available to end users and may be required by tenant administrators as part of their organization's access-control policy.
§ 5.03 Automatic logoff.
Idle sessions are terminated after a defined period of inactivity. Re-authentication is required to resume access.
§ 5.04 Integrity controls.
Mechanisms are in place to ensure PHI is not improperly altered or destroyed. Integrity is validated through cryptographic checksums, versioning, and referential database constraints.
§ 5.05 Transmission security.
All network traffic carrying PHI is protected in transit as described in Article VI (Encryption). Mutual authentication is enforced for inter-service communication within the Ultradoc platform.
§ 5.06 Malicious software protection.
Workstations run host-based protection appropriate to current workforce size. Centralized endpoint protection with managed reporting activates upon workforce expansion.
Article VI
Encryption
45 CFR § 164.312(a)(2)(iv) · § 164.312(e)(2)(ii) · HHS Guidance specifying encryption technologies, referenced at § 164.402
Article VII
Business Associate Agreements
45 CFR § 164.308(b) · § 164.314(a) · § 164.504(e)
Ultradoc executes a Business Associate Agreement with every covered entity that uses the platform to create, receive, maintain, or transmit Protected Health Information. Ultradoc's standard BAA obligates Ultradoc to use and disclose PHI only as permitted by the Agreement and the HIPAA Rules, to implement the safeguards required by the Security Rule, and to report impermissible uses, disclosures, and security incidents promptly.
Ultradoc further maintains a Business Associate Agreement with every subcontractor that creates, receives, maintains, or transmits PHI on Ultradoc's behalf. No subcontractor is granted access to PHI without a fully executed BAA on file. Each subcontractor BAA flows down the material obligations of the HIPAA Rules, including encryption, access-control, audit, breach-notification, and return-or-destruction obligations.
A current list of Ultradoc subprocessors that process Protected Health Information is available to covered-entity customers upon request, subject to a mutual confidentiality agreement. Requests may be directed to compliance@ultradoc.net.
Article VIII
Access Control & Role-Based Access
45 CFR § 164.308(a)(4)(ii)(B) · § 164.308(a)(4) · § 164.312(a) · § 164.502(b)
Access to Protected Health Information is governed by a formal role-based access control (RBAC) model. Authorization is evaluated at the application layer on every request, and no user or service is granted access to PHI outside the bounds of an assigned role.
§ 8.01 Role-based authorization.
Every workforce member and end user is assigned one or more roles that define the scope of data they may access and the actions they may perform. Authorization decisions are enforced at the application layer on every request.
§ 8.02 Least-privilege principle.
The Ultradoc platform supports enforcement of the least-privilege principle by permitting tenant administrators to scope role assignments to the minimum access necessary to perform assigned job functions, consistent with the Minimum Necessary Standard at 45 CFR § 164.502(b).
§ 8.03 Separation of duties.
Administrative and production-data access are held by distinct roles. No single role combines authority to modify access-control configuration and authority to access PHI at scale.
§ 8.04 Periodic access review.
Role assignments and privileged-access grants are reviewed on a recurring basis. Stale, unused, or inappropriate access is revoked as part of each review cycle.
§ 8.05 Privileged access management.
Administrative access to production systems requires multi-factor authentication, is time-scoped where feasible, and is subject to enhanced audit logging and monitoring.
Article IX
Audit Controls & Monitoring
45 CFR § 164.308(a)(1)(ii)(D) · § 164.312(b) · § 164.316(b)
Ultradoc records and retains a tamper-resistant, append-only audit trail of activity on systems that contain Protected Health Information. Audit records are designed to support incident investigation, regulatory inquiry, and ongoing security operations.
- (a) Every create, read, update, and delete operation involving PHI is recorded to a tamper-resistant, append-only audit log.
- (b) Every authentication event, session-start, session-termination, and access-control change is recorded.
- (c) Audit records include the actor, the action, the affected resource, the timestamp, and the source context.
- (d) Audit logs are retained for a minimum of six (6) years in accordance with 45 CFR § 164.316(b).
- (e) No workforce-facing interface to modify or delete audit log entries is exposed. Repeated identical events within a short window are coalesced to mitigate log-flooding.
- (f) Logs are reviewed on a recurring basis by the Security Officer or designee.
Audit records pertaining to a covered entity's use of the Ultradoc platform are preserved for the full six (6) year retention period, including following the termination of the business relationship between Ultradoc and the covered entity. Former customers may, at any time during the retention period, contact compliance@ultradoc.net to request audit information or supporting documentation relating to their prior use of the platform.
Article X
Break-Glass & Emergency Access
45 CFR § 164.312(a)(2)(ii)
Ultradoc maintains documented emergency-access procedures for the continuity of clinical operations during periods in which the Ultradoc platform is unavailable or emergency conditions require immediate access to Protected Health Information. Because Ultradoc operates as a workflow overlay on the covered entity's EHR, the covered entity's EHR remains the operative channel for emergency clinical access.
§ 10.01 Primacy of the EHR of record.
Ultradoc operates as a workflow overlay on the covered entity's EHR. The EHR of record remains the authoritative source for Protected Health Information and governs emergency access to patient data under its own emergency-access procedures.
§ 10.02 Fallback in the event of unavailability.
In the event the Ultradoc platform is unavailable, clinical workforce members are directed to continue operations through the covered entity's EHR pursuant to the covered entity's own emergency-access policies. No PHI is required to be retrieved from Ultradoc in order to deliver care.
§ 10.03 Post-event review by Ultradoc.
If unavailability of the Ultradoc platform materially contributes to an emergency condition affecting a covered entity, Ultradoc conducts an internal root-cause review and reports findings to the affected covered entity.
Article XI
Security Incident Response
45 CFR § 164.308(a)(6)
Ultradoc maintains a documented Security Incident Response program that defines responsibilities, escalation paths, and the steps by which suspected and confirmed security incidents are addressed. The program is aligned with the phases outlined in NIST SP 800-61 Rev. 2 and the incident-response requirements of 45 CFR § 164.308(a)(6).
01. Detection.
Continuous monitoring and workforce reporting channels are used to identify potential security incidents.
02. Triage.
The Security Officer or designee classifies each reported event by severity and scope, and determines whether it constitutes a Security Incident or a potential Breach of Unsecured PHI.
03. Containment.
Immediate steps are taken to isolate affected systems, revoke compromised credentials, and prevent further unauthorized access.
04. Eradication.
The root cause is identified and remediated; affected systems are restored from a known-good state.
05. Recovery.
Normal operations are resumed under heightened monitoring until stability is confirmed.
06. Post-incident review.
A documented after-action review captures findings, identifies systemic improvements, and updates policies, controls, or training as warranted.
Article XII
Breach Notification
45 CFR §§ 164.400–414
In the event Ultradoc discovers a breach of unsecured Protected Health Information, Ultradoc will notify the affected covered entity without unreasonable delay and in no case later than sixty (60) calendar days following discovery, in accordance with 45 CFR § 164.410.
The notification will include, to the extent known at the time of notification and supplemented thereafter as additional information becomes available: the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; a description of the nature of the breach; the types of PHI involved; and the steps Ultradoc has taken and is taking to mitigate, investigate, and prevent recurrence.
Workforce members are trained to recognize suspected breaches and to report them immediately to the Security Officer. The Security Officer is responsible for coordinating Ultradoc's response, including forensic investigation, risk assessment under § 164.402, and any required notifications.
Article XIII
Individual Rights
45 CFR §§ 164.520–528 · § 164.530(g)
As a Business Associate, Ultradoc supports its covered-entity customers in honoring the rights granted to individuals under the Privacy Rule. Upon a covered entity's request, Ultradoc will provide, amend, restrict, or account for an individual's PHI as necessary to permit the covered entity to fulfill its obligations, including:
- (i) Right of access to and a copy of PHI maintained in a designated record set. § 164.524
- (ii) Right to request amendment of inaccurate or incomplete PHI. § 164.526
- (iii) Right to an accounting of disclosures of PHI. § 164.528
- (iv) Right to request restrictions on certain uses and disclosures. § 164.522
- (v) Right to request confidential communications by alternative means or at alternative locations. § 164.522
- (vi) Right to receive notice of a breach of unsecured PHI. § 164.404
- (vii) Right to file a complaint without retaliation. § 164.530(g)
Article XIV
Data Retention & Destruction
45 CFR § 164.316(b) · § 164.504(e)(2)(ii)(J)
§ 14.01 Retention of PHI.
PHI is retained by Ultradoc only for so long as required to deliver the service, to comply with the governing Business Associate Agreement, or as otherwise required by applicable law.
§ 14.02 Return or destruction upon termination.
Upon termination of a Business Associate Agreement, Ultradoc will, as directed by the Covered Entity, return or destroy all PHI received from, or created or received on behalf of, the Covered Entity, in accordance with 45 CFR § 164.504(e)(2)(ii)(J).
§ 14.03 Retention of compliance documentation.
Policies, procedures, audit logs, training records, risk analyses, and other HIPAA-related documentation are retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, pursuant to 45 CFR § 164.316(b)(2)(i).
§ 14.04 Secure destruction.
Destruction of PHI, whether in electronic or physical form, is performed in accordance with NIST SP 800-88 Rev. 1 such that the information is rendered unreadable, indecipherable, and otherwise cannot be reconstructed.
Article XV
Ongoing Compliance
Ultradoc treats HIPAA compliance as a continuous program rather than a one-time exercise. Policies and procedures are reviewed at minimum annually, and whenever a material change in operations, technology, or applicable law warrants an earlier review.
Ultradoc's security program is designed to align with recognized industry frameworks, including NIST SP 800-66 Rev. 2 (HIPAA Security Rule Implementation Guide), NIST SP 800-53 Rev. 5, the HHS Office for Civil Rights guidance on HIPAA Security, and applicable provisions of SOC 2. Internal reviews and, where appropriate, independent external assessments of the control environment are conducted on a periodic basis.
Article XVI
Notices & Contact
Questions, complaints, or requests related to this attestation, Ultradoc's privacy practices, or the handling of Protected Health Information may be directed to the addresses of record set forth below.
Individuals retain the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, if they believe their rights under the HIPAA Privacy Rule have been violated. Filing instructions are available at hhs.gov/ocr/complaints.
Article XVII
Vulnerability Disclosure Policy
Ultradoc welcomes reports of security vulnerabilities from researchers, customers, and members of the public. If you believe you have discovered a vulnerability affecting the Ultradoc platform, please report it to the Office of Security and Ultradoc will engage with you in good faith toward resolution.
Ultradoc asks that reporters allow a reasonable period to investigate and remediate before any public disclosure, and that reporters make every reasonable effort to avoid privacy violations, service degradation, and any interaction with Protected Health Information.
Researchers shall:
- (i) Provide a clear description of the vulnerability, including steps to reproduce.
- (ii) Allow a reasonable period for investigation and remediation before any public disclosure.
- (iii) Test only against accounts you own or have explicit written authorization to test against.
- (iv) Refrain from denial-of-service testing, brute-force attacks, and automated scanning of production infrastructure.
- (v) Not access, modify, or exfiltrate Protected Health Information or data belonging to any other customer.
Ultradoc shall:
- (i) Acknowledge receipt of your report within one (1) business day.
- (ii) Keep you informed of our investigation and remediation progress.
- (iii) Not pursue legal action against researchers acting in good faith within the bounds of this policy.
- (iv) Credit you in our acknowledgments upon your request.
- (v) Coordinate with you on responsible public disclosure once a fix has been deployed.
Researchers who comply with this policy will not be subject to civil or criminal action by Ultradoc for their research activities. This policy does not authorize action that is inconsistent with applicable law, and nothing in this policy should be read to authorize any violation of the Computer Fraud and Abuse Act, state computer-crime statutes, or any law of a foreign jurisdiction.
Signed, attested, and entered into the records of
Ultradoc Technologies LLC
— End of Document · UD-COMPL-01 —
This instrument is provided for informational purposes and does not itself constitute a Business Associate Agreement, the provision of legal advice, or a legal representation. A signed Business Associate Agreement governs the actual contractual relationship between Ultradoc and each covered entity.