Security

Security and healthcare controls

AIOVIX designs healthcare software with practical security controls from the start. This page explains the controls we normally discuss during project scoping. It is not a certification claim.

Last updated: June 1, 2026

Public form notice

Please do not submit protected health information, patient records, diagnosis details, treatment details, insurance IDs, or other sensitive patient data through public website forms. If a project requires PHI, we handle that only after the proper agreement, access controls, and client-approved workflow are in place.

Our default security posture

  • Least-privilege access for internal users, client users, service accounts, and integrations.
  • Environment variables and secrets kept out of source code and reviewed before deployment.
  • Transport encryption (TLS) for production traffic; encryption at rest is chosen per project based on the data stored and the hosting environment.
  • Role-based access controls for admin, staff, provider, patient, manager, and support views where applicable.
  • Audit-friendly event history for sensitive actions such as review, export, assignment, approval, and write-back.
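As an added example of the two controls above (role-based access and an audit-friendly history of sensitive actions), the following Python is illustration code written for this page, not AIOVIX's own code. The role names are the ones listed above; the permission names, actor IDs, the case identifier and the hash-chained log format are assumptions made for the example.

```python
# Added example, not AIOVIX code: default-deny role checks plus a
# hash-chained audit trail for the sensitive actions named on the page.
# Permission names, actor IDs and resource IDs are assumptions.
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Least privilege: each role gets only the actions its views require.
# Unknown roles fall through to an empty set (default deny).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin":    frozenset({"review", "export", "assign", "approve", "write_back"}),
    "manager":  frozenset({"review", "assign", "approve"}),
    "provider": frozenset({"review", "write_back"}),
    "staff":    frozenset({"review", "assign"}),
    "support":  frozenset({"review"}),
    "patient":  frozenset(),  # patient views carry no staff actions
}


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the digest itself."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only event history. Each entry carries the previous entry's
    digest, so an edited or deleted entry breaks verify()."""
    events: List[dict] = field(default_factory=list)

    def record(self, actor: str, role: str, action: str,
               resource: str, allowed: bool) -> dict:
        prev = self.events[-1]["digest"] if self.events else "0" * 64
        entry = {"seq": len(self.events), "actor": actor, "role": role,
                 "action": action, "resource": resource,
                 "allowed": allowed, "prev": prev}
        entry["digest"] = _digest(entry)
        self.events.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, e in enumerate(self.events):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


class AccessDenied(PermissionError):
    pass


def perform(log: AuditLog, actor: str, role: str, action: str, resource: str) -> str:
    """Check the role, then record the attempt whether or not it was allowed,
    so reviewers can see denied attempts as well as completed actions."""
    allowed = action in ROLE_PERMISSIONS.get(role, frozenset())
    log.record(actor, role, action, resource, allowed)
    if not allowed:
        raise AccessDenied(f"{role} may not {action} {resource}")
    return f"{action}:{resource}:by:{actor}"


def denied_attempts(log: AuditLog) -> List[dict]:
    return [e for e in log.events if not e["allowed"]]


def demo() -> AuditLog:
    """Constructed sample activity on one case record."""
    log = AuditLog()
    perform(log, "u-101", "staff", "review", "case-7")
    perform(log, "u-101", "staff", "assign", "case-7")
    for actor, role, action in [("u-202", "support", "export"),
                                ("u-303", "patient", "approve"),
                                ("svc-sync", "unknown-role", "write_back")]:
        try:
            perform(log, actor, role, action, "case-7")
        except AccessDenied:
            pass  # the denial is already in the log
    perform(log, "u-404", "manager", "approve", "case-7")
    return log


if __name__ == "__main__":
    log = demo()
    print(len(log.events), "events,", len(denied_attempts(log)), "denied, chain ok:", log.verify())
    log.events[2]["allowed"] = True  # tamper with a recorded denial
    print("after tampering, chain ok:", log.verify())
```

Recording denials alongside grants is deliberate: a burst of denied export attempts from a support account is exactly the kind of event a later review needs to see, and the chained digest means the record cannot be quietly edited after the fact without the discrepancy showing up.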

PHI-aware project handling

  • Public website forms are not used for PHI intake.
  • Projects involving PHI are scoped separately with client-approved hosting, access controls, retention, and vendor choices.
  • BAA requirements are reviewed before any system is configured to process PHI.
  • Sensitive workflows use human review paths where clinical, insurance, behavioral health, billing, or compliance judgment is involved.

AI guardrails

  • AI features are scoped for support, summaries, routing, documentation help, review queues, and operational assistance.
  • AI systems are not positioned as clinical decision makers, diagnosis providers, therapists, or replacements for qualified staff.
  • High-risk outputs can be routed through staff approval before export, write-back, patient communication, or operational action.
  • Prompts, tools, data access, and retrieval sources are constrained to the smallest useful workflow.

Integrations

Healthcare integrations are planned around the safest available path:

  • Official APIs where available.
  • Read-first modes during early rollout.
  • Limited write-back.
  • Webhook logging.
  • File-based fallback where appropriate.
  • Client-approved permission scopes.
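The following Python is an added example for this page, not AIOVIX's own code, showing the AI guardrails above (a tool allowlist and a staff approval gate for high-risk outputs) together with the read-first and limited write-back integration modes. The tool names, the action labels, the in-memory stand-in for an integration client and the sample visit note are all assumptions made for the example.

```python
# Added example, not AIOVIX code: a tool allowlist, a staff approval gate
# for high-risk AI outputs, and a read-first integration client that holds
# write-back until it is explicitly enabled. Tool names, action labels,
# the client stand-in and the sample note are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Only the tools this workflow needs are exposed to the model.
ALLOWED_TOOLS: Dict[str, Callable[..., str]] = {
    "summarize_note": lambda text: text[:60] + ("..." if len(text) > 60 else ""),
    "lookup_schedule": lambda provider: f"{provider}: 09:00-17:00",
}

# Outputs that leave the system or reach a patient need staff approval.
HIGH_RISK_ACTIONS = {"export", "write_back", "patient_message"}


class ToolNotAllowed(PermissionError):
    pass


def call_tool(name: str, **kwargs) -> str:
    """Refuse anything outside the allowlist, even if the model asks for it."""
    if name not in ALLOWED_TOOLS:
        raise ToolNotAllowed(name)
    return ALLOWED_TOOLS[name](**kwargs)


@dataclass
class Proposal:
    id: int
    action: str
    payload: dict
    status: str = "pending"   # pending | approved | rejected | applied
    reviewer: Optional[str] = None


@dataclass
class ReadFirstClient:
    """Stand-in for an integration client. Reads always work; writes are
    reported as held until write-back is switched on for the rollout."""
    write_enabled: bool = False
    records: Dict[str, dict] = field(default_factory=dict)

    def read(self, key: str) -> Optional[dict]:
        return self.records.get(key)

    def write(self, key: str, value: dict) -> str:
        if not self.write_enabled:
            return "held"
        self.records[key] = value
        return "written"


@dataclass
class ApprovalQueue:
    client: ReadFirstClient
    proposals: List[Proposal] = field(default_factory=list)
    applied: List[str] = field(default_factory=list)

    def route(self, action: str, payload: dict) -> Proposal:
        """Low-risk actions apply at once; high-risk ones wait for a reviewer."""
        p = Proposal(len(self.proposals), action, payload)
        self.proposals.append(p)
        if action not in HIGH_RISK_ACTIONS:
            self._apply(p)
        return p

    def decide(self, pid: int, reviewer: str, approve: bool) -> Proposal:
        p = self.proposals[pid]
        if p.status != "pending":
            raise ValueError(f"proposal {pid} already {p.status}")
        p.reviewer = reviewer
        p.status = "approved" if approve else "rejected"
        if approve:
            self._apply(p)
        return p

    def retry_held(self) -> int:
        """Re-apply approved proposals that were held while write-back was off."""
        n = 0
        for p in self.proposals:
            if p.status == "approved":
                self._apply(p)
                if p.status == "applied":
                    n += 1
        return n

    def _apply(self, p: Proposal) -> None:
        if p.action == "write_back":
            if self.client.write(p.payload["key"], p.payload["value"]) == "held":
                return  # stays "approved", not lost, not written
        self.applied.append(f"{p.action}:{p.id}")
        p.status = "applied"


def demo() -> ApprovalQueue:
    client = ReadFirstClient()  # early rollout: read-first, no write-back yet
    client.records["visit-9"] = {"note": "constructed sample visit note"}
    q = ApprovalQueue(client)
    summary = call_tool("summarize_note", text=client.read("visit-9")["note"])
    q.route("internal_summary", {"text": summary})          # applied immediately
    msg = q.route("patient_message", {"text": summary})     # waits for staff
    wb = q.route("write_back", {"key": "visit-9", "value": {"summary": summary}})
    q.decide(msg.id, "nurse-1", approve=False)              # rejected
    q.decide(wb.id, "nurse-1", approve=True)                # approved, but held
    client.write_enabled = True                             # limited write-back on
    q.retry_held()
    return q
```

The two gates are independent on purpose: staff approval decides whether an output may leave the system at all, and the read-first flag decides whether the integration is allowed to accept writes yet. An approved write-back during the read-first phase is kept as an approved proposal rather than dropped, so nothing is silently lost when write-back is later turned on.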

What we do not claim

  • This page does not claim that AIOVIX is HIPAA certified. There is no official HIPAA certification; compliance is demonstrated through risk analysis, safeguards, policies, and agreements, not through a website badge.
  • This page does not replace a client security review, legal review, compliance review, risk analysis, or BAA.
  • Controls vary by project, hosting environment, data type, vendors, user roles, and client requirements.

Questions

Email hello@aiovix.com for privacy, security, legal, or project-scoping questions.