Security

Last updated: November 26, 2025

Snapshot

  • Focus: Security of OptimIQ Health, Risk Adjustment & Value-Based Care, Claims Intelligence, and Post-Acute Optimization
  • Compliance posture: HIPAA-aligned technical safeguards and SOC 2–style controls for PHI workloads
  • Contacts: security@optimiq.us, privacy@optimiq.us

Overview

Protecting healthcare data, PHI, and financial information across the OptimIQ platform is core to how we design and operate our systems.

This page explains, at a high level, how we approach security for:

  • OptimIQ Health (e.g., vitals / RPM, care management),
  • Risk Adjustment & Value-Based Care,
  • Claims Intelligence, and
  • Any embedded AI agents and dashboards used with those products.

For any security or privacy questions, you can contact security@optimiq.us (security) or privacy@optimiq.us (privacy).

If you believe you’ve found a vulnerability, please see Vulnerability disclosures below.


Certifications and third-party assessments

OptimIQ is designed to align with industry frameworks such as:

  • HIPAA technical safeguards (access control, audit logging, transmission security, etc.), and
  • SOC 2 control families (security, availability, confidentiality).

Alignment is not certification: we do not claim to hold any specific attestation (e.g., a SOC 2 Type II report) unless it is explicitly stated in a signed agreement or on an official trust or compliance page.

Our current posture includes:

  • Implementing SOC 2–style controls for access management, change management, logging, and incident response; and
  • A roadmap to engage independent third-party assessors (for example, penetration tests and architecture reviews) as the platform and customer base grow.

You can request more detail about our security roadmap and current controls by contacting security@optimiq.us.


Infrastructure security

We intentionally keep the core infrastructure stack narrow and well-defined:

  • Amazon Web Services (AWS) — primary hosting for the OptimIQ application stack, APIs, databases, queues, and storage.
  • Google Cloud Platform (GCP) — used for AI model inference and push notifications, not as the main system of record for PHI.
  • Cloudflare — used as a reverse proxy / CDN / WAF to help protect against common web attacks and to improve global performance.

All production infrastructure is hosted in regions located in the United States, unless a different region is explicitly agreed with a customer.

Key practices

Network segmentation & least privilege

  • Internal services are deployed in private subnets; public connectivity is limited to edge services and load balancers.
  • Security groups and firewall rules follow the principle of least privilege, exposing only the ports and paths required for each component.

Encryption

  • Data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest (e.g., in databases, object storage, and backups) is encrypted using industry-standard algorithms such as AES-256, typically managed via cloud key management services.

Access management

  • Production access is limited to a small set of authorized personnel and scoped by role and necessity.
  • Cloud accounts and administrative tools require multi-factor authentication (MFA) and strong password policies.
  • Access to PHI-containing systems is logged and periodically reviewed.

Logging & monitoring

  • Cloud and application logs (for example, AWS CloudTrail and load balancer logs) are collected for security analysis, troubleshooting, and audit support.
  • Alerts are configured for suspicious access patterns, configuration changes, and key infrastructure events.
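As an added example of what the alerting above looks like in practice (this is illustrative code, not OptimIQ's own tooling), the rules below run over CloudTrail records and raise three of the alert classes just listed: a console sign-in that succeeded without MFA, a security-group change (escalated when it opens a port to the whole internet), and any API call made as the root account. The sample events are constructed in the CloudTrail record format and trimmed to the fields the rules read; the rule names and severities are assumptions.

```python
"""Triage rules over CloudTrail records for three alert classes: console sign-in
without MFA, security-group changes, and any root-account use.
Added example, not OptimIQ's tooling; the events are constructed in the
CloudTrail record format, trimmed to the fields the rules read."""

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE_EVENTS = [  # constructed sample records
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "192.0.2.1"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/carol"},
     "sourceIPAddress": "10.0.1.5"},
]

def actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def world_open_rules(event):
    """(protocol, from, to, cidr) tuples in an ingress change that admit the whole internet."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = []
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        for rng in v4 + v6:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits

def evaluate(event):
    """Return an alert for one event, or None if no rule fires."""
    name = event.get("eventName")
    ident = event.get("userIdentity", {})
    src = event.get("sourceIPAddress")
    # Root should be MFA-locked and idle, so any call under it is paged regardless of API.
    if ident.get("type") == "Root":
        return {"rule": "root_activity", "severity": "HIGH", "actor": "root",
                "detail": f"{name} from {src}"}
    # Successful console sign-in with no MFA factor recorded.
    if name == "ConsoleLogin":
        ok = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if ok and not mfa:
            return {"rule": "console_login_without_mfa", "severity": "HIGH",
                    "actor": actor(event), "detail": f"console login from {src} without MFA"}
        return None
    # Every security-group change is reviewed; an ingress rule open to the world is escalated.
    if name in SG_CHANGE_EVENTS:
        opened = world_open_rules(event) if name == "AuthorizeSecurityGroupIngress" else []
        group = event.get("requestParameters", {}).get("groupId")
        return {"rule": "security_group_change", "severity": "HIGH" if opened else "MEDIUM",
                "actor": actor(event),
                "detail": f"{name} on {group}" + (f", open to world: {opened}" if opened else "")}
    return None

def triage(events):
    """Run the rules over a batch of records and return alerts in record order."""
    return [alert for alert in map(evaluate, events) if alert]
```

In a real deployment the batch would come from the CloudTrail delivery (S3 objects or a CloudWatch Logs subscription) rather than an inline list, and the rules would be one layer on top of the managed findings the cloud provider already produces; the point here is that each alert names the actor and the concrete change so the on-call reviewer can act on it without opening the raw record.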

We do not host infrastructure in China and do not knowingly engage subprocessors that would require PHI to be stored or processed there.


Application & client security

OptimIQ is delivered as a web application and as APIs consumed by browsers, backend services, and integrations with clinical and claims systems.

Core measures

Secure development lifecycle

  • Peer review for security-sensitive changes.
  • Dependency and vulnerability scanning for third-party libraries.
  • Regular patching of critical and high-severity issues.

Authentication & authorization

  • Support for email-based login and/or SSO / OIDC depending on your configuration.
  • Role-based access control (RBAC) to separate administrative, clinical, operational, and read-only roles.
  • Ability to scope data access by organization, program, and other logical boundaries.

Session security

  • Session cookies carry the Secure and HttpOnly attributes where applicable, so they are sent only over TLS and cannot be read by page scripts.
  • Session timeouts and token refresh policies to reduce exposure from idle sessions.

Multi-tenant isolation

  • Tenants (organizations) are logically isolated at both the application and data layers, so that one customer’s data is not accessible to another customer’s users.
  • Tenant identifiers are enforced across API boundaries to prevent cross-tenant access.
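As an added illustration of the two points above (this is example code, not OptimIQ's implementation; the data model, role names, permissions and records are all constructed), the following contrasts a lookup keyed on the record id alone, which is the classic cross-tenant IDOR, with one keyed on (tenant, id) where the tenant comes from the authenticated principal and a request body that names a different tenant is ignored:

```python
"""Tenant scoping and role checks at the API boundary.
Added example, not OptimIQ's code; the model, roles, permissions and records
below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # bound at login from the session / IdP assertion, never from the request
    role: str       # "admin" | "clinical" | "operational" | "readonly" (assumed role names)


# Illustrative permission split per role.
ROLE_PERMISSIONS = {
    "admin": {"member:read", "member:write", "user:manage"},
    "clinical": {"member:read", "member:write"},
    "operational": {"member:read"},
    "readonly": {"member:read"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed datastore: two tenants share one table and one id space.
MEMBERS = {
    "m-1001": {"tenant_id": "acme-health", "name": "J. Doe", "hcc_flags": ["HCC18"]},
    "m-1002": {"tenant_id": "beta-plan", "name": "R. Roe", "hcc_flags": []},
}


def require(principal, permission):
    """RBAC check: the role must grant the permission or the call stops here."""
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise Forbidden(f"{principal.role} lacks {permission}")


def get_member_unscoped(member_id):
    """VULNERABLE pattern: trusts the record id alone, so any authenticated user who
    guesses or enumerates an id reads another tenant's PHI (cross-tenant IDOR)."""
    return MEMBERS[member_id]


def get_member(principal, member_id):
    """Hardened lookup: the filter is (tenant_id, id) and tenant_id comes from the
    principal. A hit in another tenant raises the same NotFound as a truly absent id,
    so the response does not confirm that the record exists."""
    require(principal, "member:read")
    row = MEMBERS.get(member_id)
    if row is None or row["tenant_id"] != principal.tenant_id:
        raise NotFound(member_id)
    return row


def update_member_flags(principal, member_id, flags):
    """Writes go through the same scoped read, so they cannot cross tenants either."""
    require(principal, "member:write")
    row = get_member(principal, member_id)
    row["hcc_flags"] = list(flags)
    return row


def handle_get_member(principal, request_json):
    """API boundary: a tenant_id supplied by the client is discarded; the server-side
    principal decides which tenant the query is scoped to."""
    request_json.pop("tenant_id", None)
    return get_member(principal, request_json["member_id"])
```

The check worth carrying into every data-access path is that the tenant filter is added by the repository layer, not by each caller; if it is optional, one forgotten parameter reopens the unscoped path shown in get_member_unscoped.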

If your organization uses a corporate proxy or firewall, we can provide a list of domains and ports that should be allowed so that the OptimIQ web application and APIs function correctly.


AI requests and model providers

OptimIQ uses AI models to power features such as:

  • HCC / risk-adjustment and RAF-impact analytics,
  • Care-gap detection and prioritization,
  • Claims review assistance and denial-risk explanations, and
  • Embedded AI agents for chart review, coding review, and operational workflows.

How AI requests work

  1. Your client (browser or integration) sends a request to OptimIQ’s backend running on AWS.
  2. The backend retrieves relevant context (e.g., claims, visits, vitals, notes, and program configuration) from encrypted data stores.
  3. We construct a prompt that may combine:
    • The user’s query or requested action,
    • Relevant patient / member / claim context,
    • Policy, guideline, or configuration details, and
    • System-level safety instructions (e.g., avoid inventing codes, show uncertainty).
  4. For inference, OptimIQ may call GCP-hosted model endpoints (e.g., healthcare-appropriate models via Vertex AI or similar APIs).
  5. The model output is returned to OptimIQ’s backend, which may run post-processing (for example, formatting, filtering, and business rules) before returning a response to the client.

All AI traffic flows through our backend, even when you use your own GCP project or model endpoint, because prompt assembly, retrieval, and policy enforcement occur on OptimIQ’s servers.
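As an added example of steps 2 through 5 (this is illustrative code, not OptimIQ's pipeline), the block below assembles a prompt from a minimum-necessary view of a chart record, carries the "avoid inventing codes, show uncertainty" instruction, and then post-processes the reply so that a suggested code is accepted only if it exists in the reference code set and the evidence the model quotes actually appears in the chart. The chart, the code table, the instruction text and the model reply are all constructed, and call_model() is a stand-in for the real inference endpoint.

```python
"""Prompt assembly with minimum-necessary context, and post-processing that
refuses model-invented or unsupported codes.
Added example, not OptimIQ's pipeline; chart, code table and model reply are
constructed, and call_model() stands in for a real inference call."""
import json
import re

# Constructed reference set standing in for the validated diagnosis-code table.
KNOWN_CODES = {
    "E11.9": "Type 2 diabetes mellitus without complications",
    "I50.9": "Heart failure, unspecified",
    "N18.30": "Chronic kidney disease, stage 3 unspecified",
}

SYSTEM_INSTRUCTIONS = (
    "You are assisting a certified coder. Suggest diagnosis codes ONLY when the chart "
    "text documents the condition, and quote the supporting sentence verbatim as evidence. "
    "Never invent codes. Reply as JSON: "
    '{"suggestions": [{"code": ..., "evidence": ..., "confidence": ...}]}'
)

RECORD = {  # constructed chart; name and MRN exist server-side but are never sent to the model
    "member_id": "m-1001", "name": "J. Doe", "mrn": "000123",
    "encounter_date": "2025-03-04",
    "note": "History of type 2 diabetes, A1c 7.1, on metformin. BP 132/84. "
            "No edema. Follow up in 3 months.",
}


def minimum_necessary(record):
    """Keep only the fields a coding suggestion needs; direct identifiers stay behind."""
    return {"encounter_date": record["encounter_date"], "note": record["note"]}


def build_prompt(user_query, record):
    ctx = minimum_necessary(record)
    return [
        {"role": "system", "content": SYSTEM_INSTRUCTIONS},
        {"role": "user", "content": f"Chart context:\n{json.dumps(ctx)}\n\nTask: {user_query}"},
    ]


def call_model(messages):
    """Stand-in for the inference endpoint. Returns a constructed reply containing one
    grounded suggestion, one invented code, and one real code with no supporting text."""
    return json.dumps({"suggestions": [
        {"code": "E11.9", "evidence": "History of type 2 diabetes, A1c 7.1, on metformin.",
         "confidence": 0.9},
        {"code": "Z99.99", "evidence": "n/a", "confidence": 0.8},
        {"code": "I50.9", "evidence": "Patient has heart failure.", "confidence": 0.7},
    ]})


def normalise(text):
    return re.sub(r"\s+", " ", text).strip().lower()


def post_process(reply_json, record):
    """Accept a suggestion only if the code is in the reference set and the quoted
    evidence appears in the chart; everything else is dropped but reported, so a
    reviewer can see what the model tried to assert."""
    note = normalise(record["note"])
    accepted, rejected = [], []
    for s in json.loads(reply_json).get("suggestions", []):
        code = s.get("code", "")
        if code not in KNOWN_CODES:
            rejected.append({**s, "reason": "unknown code"})
        elif normalise(s.get("evidence", "")) not in note:
            rejected.append({**s, "reason": "evidence not found in chart"})
        else:
            accepted.append({"code": code, "description": KNOWN_CODES[code],
                             "evidence": s["evidence"], "confidence": s.get("confidence")})
    return {"accepted": accepted, "rejected": rejected}


def suggest_codes(user_query, record):
    """Steps 2 to 5 end to end: context, prompt, inference, post-processing."""
    return post_process(call_model(build_prompt(user_query, record)), record)
```

Two design choices carry the security weight here: the identifiers the model does not need never leave the backend, which keeps the request to the provider at the minimum necessary for the feature, and the grounding check runs on the server, so a prompt-injected or simply mistaken model cannot push an unsupported code into a coder's worklist.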

Data handling with AI providers

  • For PHI workloads under a BAA, we use enterprise / HIPAA-eligible configurations where available and configure providers not to use PHI to train shared foundation models.
  • AI providers may retain limited logs to operate and secure their services, but they are contractually restricted from using your PHI for unrelated training or cross-customer profiling when used under appropriate SKUs.
  • Requests to model providers may contain PHI where functionally necessary (e.g., chart-based HCC suggestions) and are handled under your agreement with OptimIQ, including any BAA or data processing terms.

Data indexing & analytics (embeddings)

To support fast search, retrieval-augmented generation (RAG), analytics, and worklist generation, OptimIQ may index certain data you load into the platform, including:

  • Claims, encounters, diagnoses, procedures, and risk-adjustment inputs,
  • Clinical summaries or notes (where enabled), and
  • Policy, payer, or program documentation used to support decisions.

How indexing works

  • When data is ingested into OptimIQ, we parse relevant fields and compute embeddings—numeric vector representations used for semantic search and AI context retrieval.
  • Embeddings and limited metadata (such as record IDs, timestamps, and document types) are stored in managed databases or vector stores hosted on AWS and/or GCP, depending on the product configuration.
  • The source PHI remains in encrypted storage; embeddings are used to identify relevant records, and raw snippets are pulled at query time when needed for display or AI prompts.
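As an added example of the layout just described (illustrative code, not OptimIQ's implementation), the block below keeps the vector index free of text: each entry holds an embedding plus a record pointer and metadata, a query returns ids ranked by similarity within the caller's tenant, and the snippet is fetched from the record store only at that point, under the same tenant key. The records are constructed, the record store is a plain dictionary standing in for encrypted storage, and the embedding is a deterministic hashed bag-of-words toy rather than a real model.

```python
"""Vector index that stores embeddings and pointers only; text is fetched at
query time from the (simulated) encrypted record store.
Added example, not OptimIQ's implementation; records are constructed and the
embedding is a toy hashed bag-of-words, not a real model."""
import hashlib
import math
import re

DIM = 256


def embed(text):
    """Toy embedding: each token is hashed (sha256, so stable across runs) into one
    of DIM buckets, counted, then L2-normalised. A real deployment calls a model."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        bucket = int.from_bytes(hashlib.sha256(tok.encode()).digest()[:4], "big") % DIM
        vec[bucket] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))  # both inputs are unit length


# Simulated encrypted record store: the system of record for PHI, keyed by tenant.
RECORD_STORE = {
    ("acme-health", "note-1"): "Type 2 diabetes with A1c 7.1, on metformin; CKD stage 3 noted.",
    ("acme-health", "note-2"): "Annual wellness visit, no chronic conditions documented.",
    ("beta-plan", "note-7"): "Heart failure with reduced ejection fraction; diuretics adjusted.",
}

INDEX_FIELDS = {"vector", "tenant_id", "record_id", "doc_type", "ts"}

# Vector index: embedding plus pointer and metadata, never the text itself.
INDEX = [
    {"vector": embed(text), "tenant_id": tenant, "record_id": rid,
     "doc_type": "clinical_note", "ts": "2025-03-04"}
    for (tenant, rid), text in RECORD_STORE.items()
]


def index_has_no_text():
    """Check that no index entry carries anything beyond the agreed fields."""
    return all(set(entry) == INDEX_FIELDS for entry in INDEX)


def search(tenant_id, query, k=2):
    """Record ids ranked by similarity, restricted to the caller's tenant before ranking."""
    q = embed(query)
    scored = [(cosine(q, e["vector"]), e["record_id"])
              for e in INDEX if e["tenant_id"] == tenant_id]
    scored.sort(reverse=True)
    return [rid for _, rid in scored[:k]]


def retrieve_snippets(tenant_id, query, k=2):
    """Query-time fetch: ids from the index, text from the record store, same tenant key,
    so a pointer can never resolve to another tenant's note."""
    return [RECORD_STORE[(tenant_id, rid)] for rid in search(tenant_id, query, k)]
```

The tenant filter is applied before ranking rather than after, so a top-k cut cannot be starved by higher-scoring records from other tenants, and the record-store lookup reuses the tenant key instead of trusting the pointer. Keeping text out of the index does not make the vectors harmless: embeddings of clinical text can be partially inverted, which is why they belong under the same safeguards as the source records.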

We treat embeddings that can be tied back to individuals or PHI as sensitive and protect them with the same administrative, technical, and physical safeguards that apply to other health data in our systems.

If your organization requires that specific categories of documents or records not be indexed, we can work with you to configure ingestion and indexing rules.


Privacy & data-use guarantees

This section summarizes the parts of our privacy posture that are most relevant to security. For more detail, see the Privacy Policy and Data Use & Privacy Overview.

  • No sale of PHI or personal data. We do not sell PHI or patient/member data.
  • No ad-tech tracking on PHI. We do not use PHI for cross-site behavioral advertising or third-party ad networks.
  • No default training of global models on your PHI.
    • PHI and customer-identifiable data processed by OptimIQ are not used to train general-purpose models shared across customers, unless you have explicitly opted into such a program via contract and/or admin settings.
  • De-identified & aggregated data.
    • We may use de-identified or aggregated information (for example, high-level usage statistics or performance metrics) to improve reliability, capacity planning, and product design, but not in a way that identifies your organization or any individual.

For PHI handling and specific data-protection obligations, the Business Associate Agreement (BAA) between OptimIQ and your organization is the primary governing document.


Account deletion & data removal

You can request deletion of an account or tenant by contacting support@optimiq.us or your OptimIQ account representative. In multi-tenant or enterprise deployments, deletions are typically coordinated through your organization’s administrator.

Subject to legal and contractual retention requirements:

  • We will delete or irreversibly de-identify application-level data associated with that account or tenant from active systems.
  • Backups and disaster-recovery copies are retained only for their configured retention periods (for example, a 30–90 day backup window, depending on storage class and policy).
  • De-identified or aggregated analytics that no longer identify you or any individual are generally not removed, as they are no longer linked to personal data.

If your organization has contractual or regulatory retention requirements (for example, HIPAA, CMS, or payer contracts), those requirements will take precedence.


Vulnerability disclosures

If you believe you’ve found a security vulnerability or weakness in any OptimIQ product or service, we’d like to hear from you.

Please send reports to security@optimiq.us.

To help us investigate effectively, include (where possible):

  • A description of the issue and its potential impact,
  • Steps to reproduce (including URLs, payloads, and screenshots),
  • Any proof-of-concept code, and
  • Your contact information for follow-up.

Our commitments:

  • We will acknowledge receipt of your report within a reasonable time (typically a few business days).
  • We will investigate and prioritize fixes based on severity and potential impact.
  • For significant, customer-impacting issues, we will communicate appropriately with affected customers after remediation or once we have a clear remediation plan.

We ask that you:

  • Avoid accessing, modifying, or destroying data that does not belong to you;
  • Avoid actions that could degrade service for other users; and
  • Give us a reasonable opportunity to remediate the issue before publicly disclosing details.