Security Overview | Nurse Triage AI

Security & Compliance Overview

A summary of the technical and organizational safeguards Triage Central employs to protect sensitive patient and institutional data processed by Nurse Sam.

Last Updated: October 2025

1. HIPAA Compliance & Data Segregation

Nurse Sam is designed to operate as a technology service for Covered Entities and Business Associates. Triage Central offers a **Business Associate Agreement (BAA)** for all enterprise deployments, defining our commitment to safeguarding Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

  • Limited Data Sets: Sam’s core AI models are trained on general, anonymized medical knowledge. Patient-specific data (PHI) collected during triage calls is segregated and is only processed to provide real-time service and generate the call summary for the clinician.
  • No Diagnosis: Nurse Sam acts as a clinical decision-support tool, not a diagnosing provider. All clinical decisions remain under the authority of the client's medical staff.

2. Technical Safeguards (Infrastructure & Encryption)

Our infrastructure is built on cloud platforms that adhere to industry-leading security standards.

Data Encryption

  • Encryption in Transit: All data exchanged between the patient’s phone, Nurse Sam's servers, and the client's reporting interface is secured using TLS 1.2+ protocols with strong ciphers.
  • Encryption at Rest: All recorded audio, transcripts, and generated summaries are stored in encrypted databases using AES-256 or better encryption standards.

Access Control

Access to the environment containing PHI is strictly managed on a need-to-know basis and requires multi-factor authentication (MFA). Client user access is managed through secure APIs and granular role-based access controls (RBAC).

3. Organizational Policies & Audit

Audit Trails and Logging

Every interaction (call initiation, data collection, escalation trigger, and final summary) generates a comprehensive, immutable audit log. These logs are stored securely and are accessible to client administrators for review and quality assurance (QA).

Vendor Management

Triage Central performs due diligence on all third-party sub-processors to ensure they meet the security and compliance requirements necessary for handling PHI. Any sub-processor handling PHI is covered under an appropriate BAA.

4. Patient Data Handling (CCPA/CPRA Alignment)

While our primary focus is HIPAA for PHI, we recognize modern privacy laws. Patients interacting with Nurse Sam are protected by the client's HIPAA-mandated privacy practices. For general consumer data (e.g., website visitors on our landing page), Triage Central adheres to data minimization principles and respects privacy rights under laws like the CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of the sale of personal information.