Moonshot Clinic is built from the ground up for HIPAA compliance. We don't bolt security on as an afterthought -- it's in the architecture.
Every authentication mechanism is designed to prevent credential theft, session hijacking, and unauthorized access -- not just check a compliance box.
Memory-hard key derivation that makes brute-force attacks computationally infeasible, even with GPU clusters.
Cryptographically random session tokens hashed before storage. Tokens are never stored in plaintext on the server.
Session tokens are transmitted via httpOnly, Secure, SameSite cookies. Never in response bodies, query strings, or localStorage.
Sessions expire after 30 minutes of inactivity. Configurable per tenant for stricter requirements.
TOTP authenticator apps, passkeys (WebAuthn), and SMS verification. Required for EPCS prescribing.
Every clinic's data is isolated at the database level. There is no configuration that allows one tenant to access another's records -- the database enforces this, not application code.
PostgreSQL RLS policies enforce tenant boundaries on every table containing patient or clinic data.
RLS is enforced even for table owners. No superuser bypass, no escape hatch.
Every row in the database carries a tenant identifier. Queries without a valid tenant context return zero results.
The tenant context is set once per HTTP request using Node.js AsyncLocalStorage and flows through every database call automatically. No developer can forget to filter by tenant.
Data is encrypted everywhere it exists -- at rest, in transit, and at the field level for the most sensitive identifiers.
Sensitive fields like driver's license numbers are encrypted with AES-256-GCM using a dedicated encryption key. Decryption happens only at the application layer, on demand.
All traffic between browsers, APIs, and databases is encrypted with TLS 1.2 or higher. No plaintext connections are accepted.
RDS, S3, and all storage services use AWS-managed encryption keys for data at rest. Backups are encrypted with the same protections.
Every clinical action, login attempt, and record access is logged to an immutable audit trail. This is not optional and cannot be disabled.
Audit log entries cannot be modified or deleted -- by anyone, including administrators. Database triggers enforce immutability.
Audit logs are retained for a minimum of 6 years per HIPAA requirements. No manual purging, no data loss.
Chart opens, prescription writes, lab orders, record exports, login attempts, permission changes -- every action that touches patient data is recorded with who, what, when, and from where.
Every plan includes a BAA. No upgrade required, no sales call, no waiting period.
Download our BAA immediately -- no form, no email gate. BAA signing is built into the onboarding wizard so you're covered from the moment you create your account.
The entire stack runs on AWS with redundancy, automated failover, and continuous monitoring.
Database runs across multiple AWS availability zones with automatic failover. A zone goes down, your clinic stays up.
Point-in-time recovery with automated daily snapshots. Backups are encrypted and retained per your retention policy.
Health checks run every 30 seconds. If the primary endpoint fails, DNS failover triggers automatically.
Application processes are managed by PM2 with automatic restart on crash, memory limits, and zero-downtime reloads.
Patient documents, images, and reports are stored in S3 with CloudFront CDN distribution for fast, reliable access.
API abuse, credential stuffing, and brute-force attacks are stopped before they reach your data.
Failed authentication attempts trigger exponentially increasing delays. Automated attacks become impractical after a handful of tries.
Restrict API access to known IP ranges. Available on Professional and Enterprise plans for clinics with fixed network infrastructure.
Rate limits are tuned per endpoint. Login endpoints have tighter limits than read-only data endpoints. No one-size-fits-all throttling.
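The two controls above, exponentially increasing delays after failed logins and per-endpoint rate limits, as an added example that is not Moonshot Clinic's code. The delay schedule, the cap, and the limits per endpoint are constructed for illustration; the page does not publish the real values. The limiter is a simple fixed-window counter per (endpoint, caller).

```javascript
// Added example (not Moonshot Clinic's code): exponential backoff on failed logins
// and endpoint-specific rate limits. All numbers are illustrative.

// Failed-login backoff: the wait doubles with each consecutive failure for the same key
// (account, or account plus source address) and is capped; a successful login clears it.
const BACKOFF = { baseMs: 1000, factor: 2, maxMs: 15 * 60 * 1000 };

class LoginThrottle {
  constructor() { this.failures = new Map(); } // key -> { count, lockedUntil }

  // 0 if an attempt may proceed now, otherwise ms until the next attempt is allowed.
  delayFor(key, now = Date.now()) {
    const f = this.failures.get(key);
    return f && f.lockedUntil > now ? f.lockedUntil - now : 0;
  }

  // Records a failure and returns the delay it imposes.
  recordFailure(key, now = Date.now()) {
    const f = this.failures.get(key) || { count: 0, lockedUntil: 0 };
    f.count += 1;
    const delay = Math.min(BACKOFF.baseMs * BACKOFF.factor ** (f.count - 1), BACKOFF.maxMs);
    f.lockedUntil = now + delay;
    this.failures.set(key, f);
    return delay;
  }

  recordSuccess(key) { this.failures.delete(key); }
}

// Per-endpoint limits: the login route is far tighter than a read-only listing.
const ENDPOINT_LIMITS = {
  'POST /auth/login': { max: 5, windowMs: 60 * 1000 },
  'GET /patients': { max: 120, windowMs: 60 * 1000 },
};

// Fixed-window counter per (endpoint, caller). A sliding window or token bucket
// smooths the window boundary; the endpoint-specific part is the same either way.
class RateLimiter {
  constructor(limits) { this.limits = limits; this.windows = new Map(); }

  check(endpoint, callerKey, now = Date.now()) {
    const limit = this.limits[endpoint];
    if (!limit) return { allowed: true, remaining: Infinity };
    const id = `${endpoint}|${callerKey}`;
    let w = this.windows.get(id);
    if (!w || now - w.start >= limit.windowMs) {
      w = { start: now, count: 0 };
      this.windows.set(id, w);
    }
    if (w.count >= limit.max) {
      // retryAfterMs maps directly onto a Retry-After header on the 429 response.
      return { allowed: false, remaining: 0, retryAfterMs: w.start + limit.windowMs - now };
    }
    w.count += 1;
    return { allowed: true, remaining: limit.max - w.count };
  }
}
```

In a request handler the two compose: the rate limiter runs first and answers 429 when the window is exhausted, then the throttle's delayFor decides whether a login attempt for that account is even evaluated, and recordFailure or recordSuccess is called after the password check.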
Your data is yours. Export everything -- patients, charts, labs, billing history -- at any time in standard formats. No lock-in, no export fees, no data hostage.
If you cancel your account, your data remains accessible for 90 days so you can complete your migration on your schedule. After that, it's securely deleted per HIPAA requirements.
We don't just say we're compliant. Here's where we stand on every relevant standard.
BAA provided on all plans: Active
E-prescribing network: Active
DEA-compliant controlled substances: Active
Level 1 payment security: Active
Type II audit: In Progress

Start your free trial with full HIPAA compliance from day one. BAA included.