Security & Data Handling

HCC Buddy does not store, transmit, or log any Protected Health Information (PHI). Zero patient data enters our systems.

Architecture Overview

HCC Buddy uses a three-tier architecture designed to keep sensitive data out of our systems entirely:

  • Layer 1: Chrome Extension / Website (your browser)
  • Layer 2: API Server (Fly.io, US East)
  • Layer 3: Database (Supabase PostgreSQL)

Your browser sends only ICD-10 codes and search terms to our API — never patient names, member IDs, or clinical notes.

What We Protect

No PHI Storage

No patient names, member IDs, dates of birth, Social Security Numbers, or Medicare Beneficiary Identifiers are ever stored in our database, logs, or backups.

PHI Upload Scanning

A built-in scanner automatically rejects any uploaded PDF containing SSNs, MBIs, patient names, or dates of birth.
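To make the upload check concrete, here is an added sketch of the pattern-matching step such a scanner could use; it is not HCC Buddy's code. It assumes text has already been extracted from the PDF, uses hypothetical names (`scan_text`, `accept_upload`), anchors date-of-birth detection to a label, and leaves out patient-name detection, which regular expressions cannot do reliably.

```python
import re

# Added illustration, not HCC Buddy's implementation. Assumption: the text was
# already extracted from the uploaded PDF by a separate library.

# SSN: 3-2-4 digits with optional '-' or space separators. Excludes area
# numbers 000, 666 and 9xx, group 00 and serial 0000. Bare 9-digit runs also
# match, so the check errs toward rejecting.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# MBI (CMS format): 11 characters laid out C A AN N A AN N A A N N, where
# letters never include S, L, O, I, B or Z. Dashes are display-only.
_A = "[AC-HJKMNP-RT-Y]"
_AN = "[0-9AC-HJKMNP-RT-Y]"
MBI_RE = re.compile(rf"\b[1-9]{_A}{_AN}\d-?{_A}{_AN}\d-?{_A}{_A}\d\d\b")

# Date of birth: only label-anchored dates (assumption), because bare dates
# appear in almost every document and would reject everything.
DOB_RE = re.compile(
    r"\b(?:DOB|D\.O\.B\.?|date of birth)\s*[:\-]?\s*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}",
    re.IGNORECASE,
)

DETECTORS = {"ssn": SSN_RE, "mbi": MBI_RE, "dob": DOB_RE}


def scan_text(text):
    """Return the sorted PHI categories found. Matched values are never
    returned, so the scanner cannot leak PHI into logs or error reports."""
    return sorted(name for name, rx in DETECTORS.items() if rx.search(text))


def accept_upload(text):
    """Fail closed: accept the upload only if no detector fires."""
    return not scan_text(text)


# Constructed sample inputs (not real patient data).
SAMPLE_CLEAN = "ICD-10 E11.9 Type 2 diabetes mellitus without complications"
SAMPLE_PHI = "Member MBI 1EG4-TE5-MK73, SSN 123-45-6789, DOB: 04/12/1950"

if __name__ == "__main__":
    print(accept_upload(SAMPLE_CLEAN), scan_text(SAMPLE_PHI))
```

Pattern matching of this kind misses free-text names and unlabeled dates, which is why the page also places responsibility on users not to submit PHI.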

Encryption in Transit

All data is transmitted over HTTPS/TLS. Our API enforces HSTS (HTTP Strict Transport Security).

Encryption at Rest

Sensitive fields (MFA secrets) are encrypted with AES-128-CBC + HMAC-SHA256 (Fernet). Passwords are hashed with bcrypt.

Session Security

15-minute access tokens, single-session enforcement, and automatic account lockout after 5 failed login attempts.

Audit Logging

All sensitive actions are logged to a HIPAA-conscious audit trail with 6-year retention.

HIPAA Disclaimer

HCC Buddy is not a HIPAA covered entity as defined under the Health Insurance Portability and Accountability Act (HIPAA).

  • No Business Associate Agreement (BAA) is required or offered.
  • “HIPAA-conscious” design means our architecture actively prevents Protected Health Information from entering our systems — not that we are a HIPAA covered entity.
  • Built-in PHI scanning rejects uploads containing patient names, Social Security Numbers, Medicare Beneficiary Identifiers, or dates of birth.
  • Users are solely responsible for ensuring they do not submit PHI through any feature of the Service.

Third-Party Security

  • Anthropic (Claude API): Chat text only — no personally identifiable information or PHI
  • Stripe: Payment information only — we never see or store full card numbers
  • Sentry: Error logs and stack traces — no user content or personal data
  • Fly.io: Application hosting — US East region infrastructure
  • Vercel: Website hosting — frontend static assets and server rendering
  • Supabase: Database hosting — PostgreSQL infrastructure with encryption at rest

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly. We welcome and appreciate responsible disclosure.

Email: privacy@hccbuddy.com