Compliance, modeled in the schema.
Most EHRs treat compliance as a wrapper bolted onto a generic application. Cadence Health treats it as a data-model decision. Audit logs, 42 CFR Part 2 consents, soft-delete on PHI, hierarchical role-based access — all first-class from migration #1, not retrofitted.
What we do
HIPAA-eligible hosting + signed BAA
All PHI-touching infrastructure runs on hosting providers with which we have a signed Business Associate Agreement. We maintain a vendor BAA registry of every third party that processes PHI, and PHI never goes into a service that is not on that registry.
Encryption at rest + in transit
AES-256 at rest on managed Postgres. TLS 1.2+ everywhere, including service-to-service. No PHI in URLs (paths and query strings are logged by every proxy on the path), none in error-tracker breadcrumbs, none in payment-processor metadata.
Unique user IDs + MFA
No shared logins. TOTP MFA enforced for clinical and admin roles. Automatic session timeout. Workstation requirements for the people with PHI access.
Audit log on every PHI access
Every read and write of PHI gets a row: who, when, action, resource, IP, user agent. The log is append-only (nothing in the application can update or delete a row) and retained per policy. Practice owners get direct access to it, not just our support team.
42 CFR Part 2 native (not bolted on)
SUD records require per-recipient, per-purpose consent before redisclosure, a much stricter bar than HIPAA's treatment, payment and operations allowances. Our Consent model has PART2_REDISCLOSURE as a first-class type with recipient, purpose, scope and expiration. Every disclosure check is evaluated against those stored consent rows, not a per-patient flag.
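The check described above, as an added example that is not Cadence Health's code: a disclosure decision evaluated against stored consent rows. The type and field names (`Consent`, `checkDisclosure`, `recordClass`, the `HIPAA_TPO` type) and the sample consents are assumptions for illustration, and the non-Part 2 branch is simplified to a single TPO consent row. It deliberately requires an exact recipient and purpose match for Part 2 records, so a general TPO consent never unlocks an SUD note.

```typescript
// Added example, not Cadence Health's code: a Part 2 redisclosure check evaluated
// against stored consent records. Type, field and function names are assumptions.

type ConsentType = 'HIPAA_TPO' | 'PART2_REDISCLOSURE';

interface Consent {
  id: string;
  patientId: string;
  type: ConsentType;
  recipient?: string;        // Part 2: the named recipient, required
  purpose?: string;          // Part 2: the stated purpose, required
  scope?: string[];          // record classes covered, e.g. ['sud_treatment_note']
  expiresAt?: string;        // ISO-8601; absent means no expiry
  revokedAt?: string | null; // set when the patient revokes
}

interface DisclosureRequest {
  patientId: string;
  recipient: string;
  purpose: string;
  recordClass: string;
  isPart2Record: boolean;    // true for SUD records held under 42 CFR Part 2
  now: Date;
}

interface Decision {
  allowed: boolean;
  reason: string;
  consentId?: string;
  // Part 2 disclosures must carry the prohibition-on-redisclosure notice (42 CFR 2.32)
  attachRedisclosureNotice: boolean;
}

function isActive(c: Consent, now: Date): boolean {
  if (c.revokedAt) return false;
  if (c.expiresAt !== undefined && new Date(c.expiresAt).getTime() <= now.getTime()) return false;
  return true;
}

function checkDisclosure(consents: Consent[], req: DisclosureRequest): Decision {
  const active = consents.filter(c => c.patientId === req.patientId && isActive(c, req.now));

  if (!req.isPart2Record) {
    // Ordinary PHI: a general treatment/payment/operations consent is enough here
    // (simplified; real HIPAA TPO logic is broader than one consent row).
    const tpo = active.find(c => c.type === 'HIPAA_TPO');
    return tpo
      ? { allowed: true, reason: 'hipaa_tpo', consentId: tpo.id, attachRedisclosureNotice: false }
      : { allowed: false, reason: 'no_tpo_consent', attachRedisclosureNotice: false };
  }

  // Part 2 record: TPO consent does not count. Require a PART2_REDISCLOSURE consent
  // that names this recipient, this purpose, and a scope covering this record class.
  const match = active.find(c =>
    c.type === 'PART2_REDISCLOSURE' &&
    c.recipient === req.recipient &&
    c.purpose === req.purpose &&
    (c.scope ?? []).includes(req.recordClass));

  return match
    ? { allowed: true, reason: 'part2_consent', consentId: match.id, attachRedisclosureNotice: true }
    : { allowed: false, reason: 'no_matching_part2_consent', attachRedisclosureNotice: false };
}

// Constructed sample consents for one patient (not real data).
const sampleConsents: Consent[] = [
  { id: 'c1', patientId: 'p1', type: 'HIPAA_TPO' },
  {
    id: 'c2', patientId: 'p1', type: 'PART2_REDISCLOSURE',
    recipient: 'Dr. Lee (PCP)', purpose: 'care_coordination',
    scope: ['sud_treatment_note'], expiresAt: '2026-01-01T00:00:00Z', revokedAt: null,
  },
];

// Constructed request: the PCP asking for an SUD note for care coordination.
const baseRequest: DisclosureRequest = {
  patientId: 'p1', recipient: 'Dr. Lee (PCP)', purpose: 'care_coordination',
  recordClass: 'sud_treatment_note', isPart2Record: true, now: new Date('2025-06-01T00:00:00Z'),
};
```

The decision object carries the reason and the matched consent id so the audit row can record which consent authorized the disclosure, and the `attachRedisclosureNotice` flag so the caller cannot send a Part 2 record without the required notice.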
Role-based access enforced in middleware
Two hierarchies: tenancy (Org → Clinic) and role (region → clinic admin → supervisor → clinician → biller → front desk). RBAC isn't a UI gate; it's enforced in middleware at the data-access layer, so a bug in a request handler still can't return PHI from another clinic.
Soft-delete on PHI
No hard deletes of patient data. Deletion is a state on the row, not a row removal, and a deleted chart can be restored during the retention window. That matches HIPAA's retention requirements and means the chart is still there when it's needed years later.
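The three mechanisms above (the audit row on every PHI access, clinic-scoped RBAC at the data-access layer, and soft-delete with a restore window) fit together in one data-access module, shown here as an added example that is not Cadence Health's code. The role names follow the page; the rank ordering, field names, the 30-day restore window, the in-memory store standing in for Postgres, and the sample actors are all assumptions. Note that a cross-clinic lookup and a nonexistent patient both return `null`, so the response cannot be used to probe whether an ID exists in another clinic.

```typescript
// Added example, not Cadence Health's code: a data-access layer in which every query
// is scoped to the caller's clinics, roles are checked by rank, deletion is a state on
// the row, and every read or write (allowed or denied) appends an audit row.
// Role names follow the page; ranks, field names and the in-memory store are assumptions.

type Role = 'front_desk' | 'biller' | 'clinician' | 'supervisor' | 'clinic_admin' | 'region';

// Higher rank inherits everything below it (assumed ordering).
const ROLE_RANK: Record<Role, number> = {
  front_desk: 0, biller: 1, clinician: 2, supervisor: 3, clinic_admin: 4, region: 5,
};

interface Actor {
  userId: string; orgId: string; clinicIds: string[]; role: Role;
  ip: string; userAgent: string;
}

interface PatientRow {
  id: string; orgId: string; clinicId: string; name: string;
  deletedAt: string | null;   // deletion is a state, never a DELETE statement
}

interface AuditRow {
  at: string; userId: string; action: string; resource: string;
  outcome: 'ok' | 'denied'; ip: string; userAgent: string;
}

const RETENTION_WINDOW_DAYS = 30; // assumed window in which a soft-deleted chart can be restored

// Constructed in-memory "tables" standing in for Postgres (not real data).
const patients: PatientRow[] = [
  { id: 'pt-1', orgId: 'org-1', clinicId: 'clinic-A', name: 'Patient One', deletedAt: null },
  { id: 'pt-2', orgId: 'org-1', clinicId: 'clinic-B', name: 'Patient Two', deletedAt: null },
];
const auditLog: AuditRow[] = []; // append-only: nothing in this module removes an entry

function audit(actor: Actor, action: string, resource: string, outcome: 'ok' | 'denied', now: Date): void {
  auditLog.push({ at: now.toISOString(), userId: actor.userId, action, resource, outcome,
                  ip: actor.ip, userAgent: actor.userAgent });
}

function hasRank(actor: Actor, min: Role): boolean {
  return ROLE_RANK[actor.role] >= ROLE_RANK[min];
}

// Every lookup goes through here, so a handler bug cannot reach another clinic's rows.
function scopedLookup(actor: Actor, patientId: string): PatientRow | undefined {
  return patients.find(p =>
    p.id === patientId && p.orgId === actor.orgId && actor.clinicIds.includes(p.clinicId));
}

// Returns null both for "does not exist" and "not in your clinic"; soft-deleted rows are
// hidden unless a clinic admin (or higher) explicitly asks for them.
function readPatient(actor: Actor, patientId: string, now: Date, includeDeleted = false): PatientRow | null {
  const row = scopedLookup(actor, patientId);
  if (!row) { audit(actor, 'READ', `patient:${patientId}`, 'denied', now); return null; }
  if (row.deletedAt && !(includeDeleted && hasRank(actor, 'clinic_admin'))) {
    audit(actor, 'READ', `patient:${patientId}`, 'denied', now); return null;
  }
  audit(actor, 'READ', `patient:${patientId}`, 'ok', now);
  return row;
}

function softDeletePatient(actor: Actor, patientId: string, now: Date): boolean {
  const row = scopedLookup(actor, patientId);
  if (!row || !hasRank(actor, 'clinic_admin')) {
    audit(actor, 'DELETE', `patient:${patientId}`, 'denied', now); return false;
  }
  row.deletedAt = now.toISOString();   // state change, the row stays
  audit(actor, 'DELETE', `patient:${patientId}`, 'ok', now);
  return true;
}

function restorePatient(actor: Actor, patientId: string, now: Date): boolean {
  const row = scopedLookup(actor, patientId);
  const ageMs = row && row.deletedAt ? now.getTime() - new Date(row.deletedAt).getTime() : Infinity;
  if (!row || !hasRank(actor, 'clinic_admin') || ageMs > RETENTION_WINDOW_DAYS * 86_400_000) {
    audit(actor, 'RESTORE', `patient:${patientId}`, 'denied', now); return false;
  }
  row.deletedAt = null;
  audit(actor, 'RESTORE', `patient:${patientId}`, 'ok', now);
  return true;
}

// Constructed sample actors: a clinician and an admin, both scoped to clinic-A only.
const clinicianA: Actor = {
  userId: 'u-clin', orgId: 'org-1', clinicIds: ['clinic-A'], role: 'clinician',
  ip: '10.0.0.5', userAgent: 'ehr-web/1.0',
};
const adminA: Actor = { ...clinicianA, userId: 'u-admin', role: 'clinic_admin' };
```

Denied attempts are audited as well as successful ones; a cross-clinic read that quietly returns nothing is exactly the event an investigation later wants to find.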
Built-in disaster recovery
Encrypted automated backups, tested restoration. Point-in-time recovery on the database. Documented incident response plan with clear ownership.
What we won't do
- ✗ QuickBooks direct sync. QuickBooks Online is not HIPAA-compliant, and reputable EHRs don't sync PHI into it. Use BAA-covered middleware or a journal-entry export (totals and dates, no patient identifiers) instead.
- ✗ PHI in payment-processor metadata. Stripe and similar processors do not sign BAAs. We never put patient names, diagnoses or session details into payment-provider fields.
- ✗ PHI in error-tracker breadcrumbs. Events are scrubbed before they leave our process: Sentry, PostHog and Vercel Analytics are all PHI-blind by default in our wrapper layer.
- ✗ Generic auth providers without an enterprise BAA tier. Identity is the most tightly coupled layer. We use providers that sign a BAA at the tier we actually run on.
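What the scrubbing in the wrapper layer looks like, as an added example that is not Cadence Health's code: a beforeSend-style hook that removes PHI from an error event before it is shipped to an error tracker, covering both the breadcrumb rule above and the no-PHI-in-URLs rule from the encryption section. The event shape (`TrackerEvent`) is a minimal stand-in for Sentry's, and the key list, regex patterns and sample event are assumptions that a real deployment would tune against its own schema.

```typescript
// Added example, not Cadence Health's wrapper: a beforeSend-style hook that strips PHI
// from an error event before it leaves the process. The event shape is a minimal
// stand-in for Sentry's; the key list and patterns are assumptions and need tuning.

interface Breadcrumb { category?: string; message?: string; data?: Record<string, unknown> }

interface TrackerEvent {
  message?: string;
  request?: { url?: string; headers?: Record<string, string> };
  user?: { id?: string; email?: string; username?: string };
  breadcrumbs?: Breadcrumb[];
  extra?: Record<string, unknown>;
}

// Keys whose values are always dropped, whatever they contain (assumed list).
const PHI_KEY = /^(patient|first_?name|last_?name|full_?name|name|dob|date_?of_?birth|ssn|mrn|dx|diagnosis|icd|note|chart|email|phone|address)/i;

// Free-text patterns redacted inside any remaining string (assumed list).
const PHI_PATTERNS: Array<[RegExp, string]> = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[ssn]'],
  [/[\w.+-]+@[\w-]+(\.[\w-]+)+/g, '[email]'],
  [/\b\d{1,2}\/\d{1,2}\/\d{4}\b/g, '[date]'],
];

// Headers that carry credentials or session identifiers.
const SECRET_HEADER = /^(authorization|cookie|set-cookie|x-api-key)$/i;

function scrubString(s: string): string {
  return PHI_PATTERNS.reduce((acc, [re, tag]) => acc.replace(re, tag), s);
}

// Proxies log full URLs, so everything after ? or # is treated as PHI and dropped.
function scrubUrl(url: string): string {
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut) + '?[redacted]';
}

// Walk nested breadcrumb/extra data: drop PHI-named keys, pattern-scrub the rest.
function scrubValue(v: unknown, depth = 0): unknown {
  if (depth > 8) return '[truncated]';
  if (typeof v === 'string') return scrubString(v);
  if (Array.isArray(v)) return v.map(x => scrubValue(x, depth + 1));
  if (v !== null && typeof v === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, val] of Object.entries(v as Record<string, unknown>)) {
      out[k] = PHI_KEY.test(k) ? '[redacted]' : scrubValue(val, depth + 1);
    }
    return out;
  }
  return v;
}

function scrubEvent(event: TrackerEvent): TrackerEvent {
  const out: TrackerEvent = {};
  if (event.message !== undefined) out.message = scrubString(event.message);
  if (event.request) {
    const headers: Record<string, string> = {};
    for (const [k, v] of Object.entries(event.request.headers ?? {})) {
      headers[k] = SECRET_HEADER.test(k) ? '[redacted]' : scrubString(v);
    }
    out.request = {
      url: event.request.url === undefined ? undefined : scrubUrl(event.request.url),
      headers,
    };
  }
  // Keep only an opaque user id; never email or username.
  if (event.user && event.user.id !== undefined) out.user = { id: event.user.id };
  if (event.breadcrumbs) {
    out.breadcrumbs = event.breadcrumbs.map(b => ({
      category: b.category,
      message: b.message === undefined ? undefined : scrubString(b.message),
      data: b.data === undefined ? undefined : (scrubValue(b.data) as Record<string, unknown>),
    }));
  }
  if (event.extra) out.extra = scrubValue(event.extra) as Record<string, unknown>;
  return out;
}

// Constructed sample event (not a real capture): PHI in the message, URL, cookie,
// user object, breadcrumb data and extra context.
const sampleEvent: TrackerEvent = {
  message: 'Chart load failed for jane.doe@example.com (SSN 123-45-6789)',
  request: {
    url: 'https://ehr.example/patients?name=Jane+Doe&dob=01/02/1980',
    headers: { cookie: 'session=abc123', 'content-type': 'application/json' },
  },
  user: { id: 'u-42', email: 'clinician@example.com' },
  breadcrumbs: [
    { category: 'ui.click', message: 'Opened chart', data: { patient_name: 'Jane Doe', mrn: 'MRN-0001', clinicId: 'clinic-A' } },
  ],
  extra: { diagnosis: 'F10.20', attempt: 2 },
};
```

The hook builds a fresh event rather than mutating the incoming one, so any field the allow-list does not copy is dropped by construction; a denylist that only deletes known keys would silently pass a new PHI field the moment someone adds one.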
Roadmap
- SOC 2 Type II in progress.
- Self-serve BAA at signup, no sales gate.
- Published vendor BAA registry, updated quarterly.
- Annual third-party penetration test, summary public.