Trust at Indigo Health

Healthcare software lives or dies on trust. We built Indigo Health so that trust isn’t a marketing claim — it’s the architecture.

This page is the short version. The full policy library and BAA are available to prospects and customers under NDA, and our team is happy to walk your security and compliance reviewers through any of it.

We’re a Business Associate. That’s it.

Indigo Health operates exclusively as a HIPAA Business Associate. We don’t practice medicine. We don’t supervise clinicians. We don’t decide what counts as a medical record. Our customers — the Covered Entities who treat patients — make those decisions, and we process PHI only as their BAA directs.

A single, focused legal role means fewer surprises in your vendor risk review and a cleaner story for your regulators.

Your patient data isn’t on our laptops. By design.

The single most important thing about how Indigo Health is built: PHI lives in the production database, and nowhere else.

We call this our minimum-access PHI architecture, and it’s not a policy we ask people to follow — it’s how the platform is built:

  • PHI stays inside the production database. It is not copied to developer laptops, analytics warehouses, or test environments. Non-production environments contain no PHI, period.
  • Our workforce does not routinely access PHI to do their jobs. Internal tools surface the operational context our team needs — without exposing the underlying clinical content.
  • Access events are logged with user, time, and component metadata, with no PHI payloads in the logs themselves. The audit trail is rich; the data exposed by the audit trail is not.
  • The narrow exceptions, such as emergency “break-glass” access, require dual authorization and are fully logged and reviewed.
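As an added illustration (this is not Indigo Health's code, whose internals are not published on this page), the two properties just described, metadata-only audit events and dual-authorization break-glass access, can be enforced in code rather than left to policy. The field names, the opaque identifier format, and the sample values below are assumptions made for the example.

```python
"""Illustrative only, not Indigo Health's implementation.

Two defensive building blocks:
  1. build_audit_event() admits only metadata fields (who, when, which
     component, what action, outcome, opaque record reference) so a caller
     cannot accidentally log a PHI payload.
  2. BreakGlassRequest grants emergency access only after two distinct
     approvers, neither of them the requester, have signed off, and every
     step lands in the audit trail.
Field names, the identifier regex and all sample values are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed metadata schema; no clinical content is admitted.
ALLOWED_FIELDS = {"actor_id", "timestamp", "component", "action", "resource_ref", "outcome"}

# Assumed format for opaque record references (e.g. "record:3f9a1c2e").
# Names, MRNs or free text do not match and are refused.
RESOURCE_REF_RE = re.compile(r"^[a-z_]+:[0-9a-f]{8,}$")


class AuditSchemaError(ValueError):
    """Raised when an event carries a field outside the metadata allowlist."""


def build_audit_event(actor_id, component, action, resource_ref, outcome="success", **extra):
    """Return a log-safe audit event; anything outside ALLOWED_FIELDS is refused."""
    if extra:
        raise AuditSchemaError(f"non-metadata fields refused: {sorted(extra)}")
    if not RESOURCE_REF_RE.match(resource_ref):
        raise AuditSchemaError("resource_ref must be an opaque identifier")
    event = {
        "actor_id": actor_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "component": component,
        "action": action,
        "resource_ref": resource_ref,
        "outcome": outcome,
    }
    assert set(event) == ALLOWED_FIELDS  # schema invariant: metadata only
    return event


@dataclass
class BreakGlassRequest:
    """Emergency access request gated on two approvers other than the requester."""
    requester: str
    resource_ref: str
    reason: str  # free text, kept in the ticket and deliberately NOT logged
    approvers: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def approve(self, approver_id):
        """Record an approval; self-approval is refused and audited as denied."""
        if approver_id == self.requester:
            self.audit_log.append(build_audit_event(
                approver_id, "break_glass", "self_approval_refused", self.resource_ref, "denied"))
            return False
        self.approvers.add(approver_id)
        self.audit_log.append(build_audit_event(
            approver_id, "break_glass", "approve", self.resource_ref))
        return True

    def is_authorized(self):
        """Dual authorization: at least two distinct non-requester approvers."""
        return len(self.approvers) >= 2

    def access(self):
        """Attempt the access; the outcome is audited whether granted or denied."""
        outcome = "success" if self.is_authorized() else "denied"
        self.audit_log.append(build_audit_event(
            self.requester, "break_glass", "access", self.resource_ref, outcome))
        return self.is_authorized()
```

The point of the allowlist is that the schema, not the caller's discipline, decides what can reach the log: a developer who passes `diagnosis=...` or a patient name as the resource reference gets an exception at the call site instead of a PHI leak into log storage. The break-glass class keeps the justification text out of the audit event for the same reason.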

When a vendor is breached, every Covered Entity asks the same question: “how much of our patient data did that vendor have sitting around?” For Indigo Health, the honest answer is: it was in one place, behind production controls, and it was never on anyone’s laptop.

A complete HIPAA Security Rule program — in writing.

Compliance shouldn’t be a vibe. Ours is a documented library of policies and procedures, organized to the HIPAA Security Rule, so your reviewers can map our controls to the regulation directly.

Administrative safeguards. Risk analysis and risk management, workforce sanctions, workforce security and onboarding, role-based access management, security training and awareness, contingency planning, logging and monitoring, backup and restore, business continuity and disaster recovery, and security incident response and breach notification.

Physical safeguards. Physical and environmental security, and protection and sanitization of data and storage media.

Technical safeguards. Secure software development and vulnerability management, change and configuration control, encryption key management, and information system activity review.

Vendor and supply chain. Documented subprocessor management and onboarding. Any third party that handles PHI on our behalf is bound by HIPAA-compliant agreements.

This isn’t a slide deck. It’s a maintained, version-controlled library that our own team operates against every day.

When something happens, you’ll hear from us.

We notify affected customers of confirmed security incidents involving their PHI in accordance with the executed Business Associate Agreement and HIPAA’s Breach Notification Rule. Incident triage, containment, and notification are governed by our Security Incident Response and Breach Notification Policy and the supporting procedures — so the response on the worst day isn’t improvised.

Vendor reviews, made easy.

We know what a vendor risk questionnaire looks like. We’ve designed our compliance posture so the answers are ready before you ask.

Document                                        How to get it
Privacy Notice                                  Public (see Privacy Notice)
Terms of Service                                Public (see Terms)
Business Associate Agreement (template)         Available on request
Full policy library (POL documents)             Available under NDA
Subprocessor list with BAA status               Available under NDA
Detailed procedures, runbooks, and evidence     Internal; covered during deeper assessments

Talk to us

Security and compliance reviewers — we’d rather meet you early than late. Reach us at security@indigo.health, or for general inquiries, hello@indigo.health.

Last reviewed: May 2026