Security & Trust
I'd rather tell you the truth than sell you a badge. This page covers two things: how your data is protected while it's with me, and the compliance help I can offer your practice — including the parts no vendor should ever promise.
How your data is protected
To build your briefing, Dermhilda works with the data your practice already keeps in ModMed — and treats every bit of it as protected health information, because that's what it is. A Business Associate Agreement is in place before any of it is touched. That comes first, always.
From there, the posture is built in layers, on the deliberate assumption that any one safeguard can fail and the rest should still hold. Patient data is encrypted at every stage — AES-256 at rest, and encrypted in transit across a private, zero-trust network with no public-facing way in. Access follows the HIPAA "minimum necessary" standard: role-based, multi-factor at every entry, and tied to a named person for every action, with no shared logins. The machines our team works on are locked down so that patient data is never stored on them, and temporary working data is wiped on a fixed schedule rather than left to pile up. Everything is monitored around the clock, backed up in encrypted off-site copies, and governed by an incident plan that can revoke access and isolate a threat within the hour. And the whole program is put through a formal HIPAA security risk assessment every year, documented as a system of record.
The same separation that runs through the product holds here too: each provider sees only their own numbers, and what you work through with Dermhilda stays inside your practice.
That's the short version. The full posture — technical, physical, and administrative safeguards — is laid out in the security overview below.
The full posture
We build on a deliberate assumption: any single safeguard can fail, so they're layered to back each other up. HIPAA sorts them into three kinds — technical, physical, and administrative — and so do we.
Technical safeguards
Physical safeguards
Administrative safeguards
That's the posture, top to bottom. If your IT or compliance team wants the detailed version, it's a download away.
Security overview · PDF
A plain-language walk through the technical, physical, and administrative safeguards behind Dermhilda — formatted to hand to your IT or compliance team.
Download the overview (PDF)
Getting your practice there
HIPAA compliance isn't a box you check once — it's a posture you stand up and keep: a real risk assessment, written policies, trained staff, signed agreements, and documentation you can actually produce when someone asks for it. Starting from scratch, most practices find it a slog, and plenty never quite finish.
We've built exactly that for ourselves — the assessment, the policies, the training, the records, all run on AccountableHQ as our system of record. So when we help your practice get there, none of it is theory. It's the same program and the same platform we run on, set up for you — which gets you to a hard destination far faster than walking the path alone.
The destination stays yours: you own your compliance, and you sign your own policies. But the path doesn't have to be one you walk by yourself.
If you want help with your own compliance
To be clear, this is help with your practice's own compliance — separate from how we secure your data above. The HIPAA Workspace Module is optional, and built for practices running on Google Workspace Enterprise. We run your risk assessment, keep an audit-ready record of your policies, BAAs, and training, and administer the supported stack: Google Workspace Enterprise, Paubox, 1Password, iDrive, and Chrome Enterprise Premium.
Here's the honest shape of it. We assess, we document, and we advise. You own your compliance — you approve and sign your own policies, and the decisions about your practice stay yours. We don't warrant that you're compliant, because no one credibly can; what we give you is a real program, run properly, with the documentation to show for it.
It's built for small-to-mid practices. Larger or more complex environments are usually better served by the security platform they already have in place.
If your staff work remotely
This is for practices with people working outside the office. We give your remote staff secure virtual PCs we control end to end, so patient data lives in our environment and never touches their own computers. They simply log in; the workstation, and everything sensitive on it, stays with us.
Here's the honest shape of it. We manage the virtual PCs and the infrastructure behind them — the secure environment, backups, and access. Their home computers, printers, and network are out of scope and stay with your existing IT provider. You tell us how many remote people you'd like covered, and each one gets a secure PC of their own.
Securing remote workstations to a HIPAA standard is specialized work a general IT vendor often isn't set up to do. This is the part we take off your plate.
Get started
A company handling patient data should be able to answer hard questions without flinching. Bring yours — and your IT or compliance people — and we'll answer them directly, with documentation where it matters.