We handle some of the most sensitive medical information in existence. Our security infrastructure reflects that responsibility — from upload to analysis to delivery.
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the most current transport security protocol. This includes medical record uploads, form submissions, and report delivery.
Medical records, clinical analysis, and WhiteGlove Insights™ Reports are encrypted at rest using AES-256, the standard used by the U.S. government for classified information. Encryption keys are managed through a dedicated key management service.
Role-based access controls ensure that only authorized physicians and clinical staff involved in your specific case can access your records. Administrative staff have limited access on a need-to-know basis.
Every access to patient records is logged with timestamps, user identity, and action taken. Audit logs are immutable and retained for a minimum of 6 years per HIPAA requirements.
Our infrastructure is hosted on HIPAA-eligible cloud services with SOC 2 Type II certification. We undergo regular security assessments and vulnerability testing.
Payment processing is handled by Stripe, a PCI-DSS Level 1 certified processor. WhiteGloveMD never stores, processes, or transmits credit card numbers on its own servers.
Business Associate Agreements (BAAs) are in place with all subprocessors that handle protected health information, including cloud infrastructure providers, communication platforms, and analytics tools.
All employees and contracted physicians complete HIPAA privacy and security training upon onboarding and annually thereafter. Training covers PHI handling, breach identification, and incident response.
We collect and access only the minimum amount of PHI necessary to perform the clinical review. Records not relevant to the cardiac case are not reviewed or retained.
In the unlikely event of a data breach involving PHI, we follow HIPAA breach notification requirements — including notification to affected individuals, the HHS, and, where required, media outlets — within 60 days of discovery.
Medical records and WhiteGlove Insights™ Reports are retained for a minimum of 6 years per HIPAA requirements, then securely destroyed using NIST-compliant data sanitization methods.
We maintain a documented incident response plan that is tested annually. The plan covers detection, containment, investigation, notification, and remediation of security incidents.
You have the right to access and obtain a copy of your protected health information held by WhiteGloveMD, including your WhiteGlove Insights™ Report and any records we maintain.
You may request amendment of your PHI if you believe it is inaccurate or incomplete. We will respond to amendment requests within 60 days.
You may request an accounting of disclosures of your PHI made by WhiteGloveMD for purposes other than treatment, payment, or healthcare operations.
You may request restrictions on certain uses and disclosures of your PHI. We will accommodate reasonable restriction requests.
You may request that we communicate with you about your PHI through specific channels or to specific locations.
You have the right to file a complaint with WhiteGloveMD or with the HHS Office for Civil Rights if you believe your privacy rights have been violated.
Our compliance team is available to answer questions about how we protect your data. For enterprise security reviews, contact us directly.
security@whiteglovemd.com