RCMTask security & HIPAA posture
RCMTask is a HIPAA-compliant SaaS designed for medical-practice back-office workflows. Data is encrypted at rest with AES-256 and in transit with TLS 1.2+, every action is captured in a tamper-evident audit trail, role-based access is enforced at every layer, and a Business Associate Agreement is available on all paid plans. The platform is hosted in HIPAA-eligible AWS regions in the United States.
HIPAA · AES-256 · TLS 1.2+ · Audit trail · US-hosted
How we protect your patient data.
Encryption at rest
AES-256 encryption applied to all data stored in databases, file storage, and backups. Encryption keys are managed through cloud KMS with strict access controls.
Encryption in transit
TLS 1.2 or higher for every connection — browser to app, app to database, and between internal services. HSTS preloaded on every domain we operate.
Audit trail
Every read, write, and admin action is logged with a timestamp, the acting user, the affected record, and the change made. Entries are retained for the period HIPAA requires and are exportable on request.
Role-based access
Access is scoped by role, location, and department so each user sees only what their job requires. Multi-tenant boundaries are enforced at the application layer AND in the database itself, using row-level security (RLS), so a query that omits a tenant filter still cannot return another practice's records.
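What database-layer tenant isolation with RLS looks like in practice, as an added illustration (this is not RCMTask's schema or code; it assumes PostgreSQL, and the table, column, role and setting names are hypothetical):

```sql
-- Added example, not RCMTask's own schema. Assumes PostgreSQL.
-- Goal: every row carries its tenant (practice_id) and the database, not the
-- application, decides whether the current session may see or write it.

CREATE TABLE claims (
    id           bigserial PRIMARY KEY,
    practice_id  uuid  NOT NULL,   -- tenant key (hypothetical column)
    patient_mrn  text  NOT NULL,
    payload      jsonb NOT NULL
);

-- The application connects as a dedicated role, never as the table owner.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON claims TO app_rw;
GRANT USAGE ON SEQUENCE claims_id_seq TO app_rw;   -- needed for INSERT with bigserial

ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses RLS; with it, even the owner is
-- subject to policies (and, having no matching policy, sees nothing).
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- The tenant id is taken from a session setting the app populates after it
-- has authenticated the request. current_setting(name, true) returns NULL
-- when the setting is absent, so an unscoped session matches zero rows
-- instead of all rows (fail closed).
CREATE POLICY tenant_isolation ON claims
    FOR ALL TO app_rw
    USING      (practice_id = current_setting('app.current_practice', true)::uuid)
    WITH CHECK (practice_id = current_setting('app.current_practice', true)::uuid);

-- Per-request pattern. SET LOCAL is transaction-scoped, so a pooled
-- connection cannot carry one practice's tenant id into the next request.
BEGIN;
SET LOCAL app.current_practice = '11111111-1111-1111-1111-111111111111';
SELECT id, patient_mrn FROM claims;   -- returns only that practice's rows,
                                      -- even though no WHERE clause was written
COMMIT;

-- A write for a different tenant is rejected by WITH CHECK with
-- "new row violates row-level security policy", whatever the app code does.
BEGIN;
SET LOCAL app.current_practice = '11111111-1111-1111-1111-111111111111';
INSERT INTO claims (practice_id, patient_mrn, payload)
  VALUES ('22222222-2222-2222-2222-222222222222', 'MRN-1', '{}');   -- error
ROLLBACK;
```

Two checks worth running against any deployment that makes this claim: confirm the application role is not the table owner (or that FORCE ROW LEVEL SECURITY is set), and confirm that a session with the tenant setting unset returns zero rows rather than every row.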
MFA on every account
Multi-factor authentication is mandatory for all platform and practice users. Trusted-device support reduces friction without compromising the second factor.
US-hosted, HIPAA-eligible
Production infrastructure runs on HIPAA-eligible AWS services in U.S. regions only. No customer PHI leaves the United States.
HIPAA — applied, not just claimed.
On activation, RCMTask applies a vetted set of HIPAA standard policies on your practice's behalf — Notice of Privacy Practices, designation of Privacy and Security Officers, sanction policy, workforce training plan, risk-analysis template, incident-response procedure, and more — and stores them in your compliance binder as downloadable PDFs. Each policy carries a supersession chain so you can prove what was in force on any given date.
A BAA is available on every paid tier.
Activation
Click-through BAA accepted during activation. Suitable for most small and mid-size practices; the executed copy is stored in your compliance binder.
Enterprise
Negotiated BAA tailored to your legal review. Sent on request to security@rcmtask.com.
Sandbox
Free Sandbox does not include a BAA because it never handles real PHI — demo data only.
Who else touches your data.
A current list of subprocessors used to provide the RCMTask service is available on request to security@rcmtask.com. Each subprocessor has signed a BAA with Rekha Technologies LLC.
Security questions
Is RCMTask HIPAA compliant?
Yes. RCMTask is built to the HIPAA Privacy, Security, and Breach Notification Rules. We sign a Business Associate Agreement on all paid tiers, encrypt PHI at rest and in transit, maintain a complete audit trail, and apply standard HIPAA policies on your practice's behalf.
Where is data stored?
In HIPAA-eligible AWS services in the United States only. No customer PHI is replicated outside the U.S.
How is data encrypted?
AES-256 at rest in databases, file storage, and backups. TLS 1.2 or higher for all data in transit, including between internal services.
Do you offer SSO and MFA?
Yes. Microsoft and Google SSO are supported alongside passwordless email login. MFA is mandatory on every account, with trusted-device support to reduce friction.
How do I report a security issue?
Email security@rcmtask.com. We acknowledge reports within one business day and respond per our incident-response policy.
Can we audit / review the platform before signing?
Yes. Enterprise prospects can request a security questionnaire response, a subprocessor list, a sample BAA, and a recorded walkthrough of audit-trail and access-control features.
Talk to our security team.
Questionnaire, BAA review, or subprocessor list — we respond within one business day.