Legal

Compliance Documentation

Last Updated: May 19, 2026

Document Version: 3.0.1

Overview

Almond Connect is designed with healthcare compliance at its core. We maintain safeguards aligned with HIPAA requirements and integrate with PCI-compliant payment infrastructure to protect both clinical and financial data.

HIPAA Compliance

Business Associate Agreement (BAA)

All healthcare providers are required to sign a Business Associate Agreement during onboarding before accessing the platform. The BAA governs how Protected Health Information (PHI) is handled between you and Almond Connect.

  • BAA is signed electronically with a timestamp on record
  • Your signed BAA is available for download at any time from the Documents page
  • BAA execution is enforced before access to patient data

Protected Health Information (PHI)

We implement technical, administrative, and physical safeguards to protect PHI in accordance with the HIPAA Security Rule:

  • Encryption of data in transit and at rest
  • Additional encryption for sensitive clinical content such as progress notes, process notes, and patient general notes
  • Access controls to restrict data to authorized users
  • Audit logging of access and modifications to patient data
  • Secure session management

Authentication & Access Control

  • Password-based authentication for provider accounts
  • Optional two-factor authentication (2FA) via email verification – recommended for HIPAA compliance
  • Patient portal access secured by a combination of a unique emailed link, date of birth verification, and a provider-set Practice PIN
  • Automatic session expiration

Audit Logging

The platform maintains audit trails to support HIPAA accountability requirements, including:

  • User authentication events
  • Patient record access and modifications
  • Financial transactions and billing actions
  • Data export and deletion events
  • Document uploads and deletions
  • Security-relevant activities

Payment Security

Almond Connect integrates with Stripe for all patient payment processing. This architecture ensures that sensitive financial credentials never touch our servers.

  • Stripe is a PCI DSS Level 1 certified payment processor – the highest level of payment card security certification
  • Credit card numbers, bank account details, and other payment credentials are processed and stored exclusively by Stripe
  • Almond Connect does not store, process, or have access to raw payment credentials
  • Each patient billpay link is unique and tied to a specific bill
  • Stripe acts as a payment processor, not a HIPAA Business Associate. Consistent with HIPAA's payment-processing exemption, no protected health information beyond the payer's name and email is disclosed to Stripe – no diagnoses, procedure codes, or clinical details are included in payment descriptions or metadata
  • All financial transactions are logged for audit purposes

Data Protection

Encryption

  • Data encrypted in transit and at rest
  • Sensitive clinical content receives additional application-level encryption
  • Encrypted automated backups

Infrastructure

  • Hosted in SOC 2 Type II certified data centers within the United States
  • Automated backups with disaster recovery procedures in place
  • Environment isolation between production and development

Data Retention

Data is retained in accordance with applicable medical record retention requirements and the terms of the BAA. Upon account termination, data is securely disposed of using industry-standard methods.

Email Compliance

The Service sends automated emails on behalf of providers, including appointment reminders, billpay links, and patient portal access links. Our email practices include:

  • Industry-standard email authentication
  • Validated and sanitized email templates
  • CAN-SPAM compliant unsubscribe handling
  • Rate limiting and abuse prevention

Incident Response

We maintain documented procedures for responding to security incidents, including:

  • Immediate containment and assessment
  • Notification to affected parties as required by HIPAA and applicable state breach notification laws
  • Investigation and remediation
  • Post-incident review and improvement

Provider Responsibilities

While Almond Connect provides the technical safeguards described above, healthcare providers are responsible for:

  • Complying with HIPAA and all applicable federal, state, and local regulations
  • Enabling appropriate security features such as two-factor authentication
  • Safeguarding account credentials, Practice PINs, and patient portal access links
  • Verifying the accuracy of clinical documentation, billing information, superbills, and Good Faith Estimates
  • Obtaining appropriate patient authorizations
  • Reporting suspected security incidents to Almond Connect promptly

Compliance Contact

For compliance questions or concerns:

Almond Connect by Rainstorm Labs, Inc.
Email: hello@almondconnect.com