Security & HIPAA
How we handle your program’s data.
Lucida is an authorization-defense layer that reads from your EHR, CRM, billing, and payer portals — and never writes back to the clinical chart. We minimize what we touch, encrypt everything we store, scope every integration to least privilege, and default to the stricter interpretation whenever HIPAA leaves room. This page is the plain-English version; our BAA and security policies are available on request.
HIPAA posture
We operate as a business associate under HIPAA when we touch PHI. A BAA is available on request before any PHI is transmitted — and is required before we begin paid engagements. Our policies align with the 2026 HIPAA Security Rule updates, including mandatory encryption of ePHI at rest and in transit.
SOC 2 — in progress
SOC 2 Type I is targeted for Q3 2026; Type II follows 12 months of operational history. Until SOC 2 is completed, we publish our security controls in long form and welcome customer-led security reviews. If you need documentation before the report is complete, ask and we'll share what we have.
Encryption & access
PHI and customer data are encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based and limited to the specific clinical reviewer or engineer assigned to your program. Every access is logged. We run least-privilege by default — no engineer has standing production access.
What we store and for how long
For the free Authorization Defense Assessment: de-identified samples are retained no longer than 30 days after the assessment is delivered, then deleted. For paid engagements: data retention is governed by your BAA and defaults to 7 years for clinical records as HIPAA requires, with customer-directed deletion available at any time. Your data is never used to train models without explicit written consent.
Payer-portal automation security
Where we automate payer portals that have no API, every action runs with customer-controlled credentials, is scoped to least privilege, and is logged for audit. We never store payer credentials in clear text, and we document each automation down to the workflow step. Where a payer's terms of service constrain automation, we route through human-in-the-loop rather than fight the policy.
Security questions or BAA request?
Email security@lucida.ai for security reviews, SOC 2 status, or to request a BAA. We respond within one business day.
Found a vulnerability? Please report it privately to the same address — we’ll acknowledge within 24 hours and keep you informed through remediation.