HIPAA Compliance and Data Security Statement

Last Updated: May 2025

Introduction

TrCare from ThinkRoman Health Services is a secure, global medical second opinion platform operated by ThinkRoman Ventures LLP. We are committed to safeguarding all protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of the United States.

To ensure full HIPAA alignment and maintain 100% data security, we have implemented the following safeguards:

✅ Technical Safeguards (Core Web Infrastructure)

Data Encryption

• In transit: All data is transmitted over HTTPS using TLS 1.2+ encryption.
• At rest: All data in MongoDB is encrypted using AES-256 encryption standards.

Authentication & Access Control

• Secure login via NextAuth, integrated with OAuth2 / SAML, and enhanced with WhatsApp OTP (Meta API) and email OTP (Resend).
• Role-based access control (RBAC) enforced across platform.
• Multi-Factor Authentication (MFA) required for providers and admin users.

Audit Logging

• All user activity is logged, including timestamps and IP addresses.
• Logs are stored in tamper-proof, encrypted systems.

Secure File Handling

• Uploaded documents are encrypted and stored in compliant cloud storage (Cloudflare R2 with server-side encryption).
• Temporary document access is via signed, expiring URLs.

HIPAA-Compliant Data Retention & Deletion

• Users may request permanent deletion of their data at any time.

Privacy Policy & Consent

• Our Terms of Service and Privacy Policy explain how PHI is collected, used, and secured.
• Patients must provide explicit HIPAA consent before uploading any personal health information or starting a consultation.

✅ Physical Safeguards (Hosting & Device Security)

Cloud Hosting Infrastructure

• Services are hosted on HIPAA-compliant providers such as AWS, Microsoft Azure, or Google Cloud.
• Access to production environments is limited and controlled via bastion hosts or secure VPNs.

Endpoint Device Security

• Full disk encryption on all staff and provider systems.
• Active firewalls and antivirus software enforced.
• Strong password enforcement and secure login policies.

Ongoing Compliance Commitment

We are committed to continual monitoring and improvement of our systems to ensure ongoing HIPAA compliance and secure handling of all user data.

If you have any questions about our data security practices or compliance procedures, please contact us at:

📧 Email: admin@thinkroman.com