Our position, stated plainly
JamEMR is designed to support our customers’ HIPAA compliance obligations. When JamEMR handles protected health information on behalf of a covered entity, we act as a business associate and execute a Business Associate Agreement before any PHI is handled.
One thing we will never say: “HIPAA certified.” No such certification exists — no government body certifies HIPAA compliance, and any vendor claiming a HIPAA certification is describing something that does not exist. Private organizations sell “HIPAA compliant” seals and attestations, but none of them is recognized by the HHS Office for Civil Rights, which enforces the rule and endorses no certification program. What responsible vendors can do is implement the required safeguards, document them, and stand behind them contractually. That is our approach.
What is in place today
Mapped loosely to the HIPAA Security Rule’s three safeguard categories (administrative, physical and technical; 45 CFR 164.308, 164.310 and 164.312):
Administrative safeguards
- Designated Privacy Officer and Security Officer roles are assigned and active.
- Privileged operational changes are approval-gated: they require explicit human sign-off.
- Pilot deployments use synthetic (non-real-patient) data until a practice’s compliance prerequisites — including a signed BAA — are complete.
Physical safeguards
- Clinical AI inference runs on dedicated local hardware inside the deployment environment. PHI is not sent to third-party consumer AI clouds for clinical AI processing, which keeps the physical footprint of PHI small and knowable. Because that hardware sits inside the practice’s own environment, the facility access, workstation and device/media controls that protect it are part of the practice’s physical safeguards (see Shared responsibility below).
Technical safeguards
- Role-based access control with least-privilege roles; front-desk staff cannot access clinical AI functions.
- Application-level audit logging of chart access and changes, including ambient-note drafts, edits, and signatures.
- Registered, revocable API tokens for service-to-service calls.
- TLS encryption in transit on exposed interfaces; disk-level encryption at rest, configured per deployment. Disk-level encryption protects media that is lost, stolen or decommissioned; it does not protect data on a running host that has already been compromised, which is why it is paired with the access controls and audit logging above. Because it is configured per deployment rather than enforced by the product, your compliance team should confirm it is enabled on each deployed host.
On our roadmap
- A formal HIPAA risk analysis refresh and a documented policy pack are in progress. We treat the risk analysis as a living obligation, not a one-time artifact.
- Third-party penetration testing is planned before general availability.
- A SOC 2 Type II examination is planned but has not started. SOC 2 is not a HIPAA requirement, but its evidence discipline complements HIPAA obligations, and we do not claim it until it is complete.
Shared responsibility
HIPAA compliance is shared: JamEMR provides safeguards and contractual commitments; covered entities remain responsible for their own policies, workforce training, and appropriate use of the system. We are glad to walk your compliance team through the details — contact privacy@jamemr.com.