MerlinRx Technologies

Security & Compliance

Ask us the hard questions. We prefer it.

Hospice pharmacy data is protected health information, and the platform that carries it should answer for how. Here is how MerlinRx does, in plain language.

HIPAA & Business Associate Agreements

MerlinRx operates under Business Associate Agreements with every client. The platform is built with HIPAA-compliant data handling throughout. Protected health information lives in the clinical platform, governed by the BAA, and nowhere else.

Role-based access

Access in MerlinRx follows the work. Defined roles and team-level assignments mean a nurse, a pharmacy coordinator, and a finance manager each see what their job requires. Permissions are granted by role, not by habit.

EPCS identity proofing & two-factor authentication

Electronic prescribing of controlled substances carries DEA requirements for identity proofing and two-factor authentication, and MerlinRx implements both natively. Every controlled-substance signature is tied to a proofed identity and a second factor.

This website collects no PHI

The site you are reading now is a marketing site. It contains no patient data and asks for none; the forms here collect business contact information only. Clinical data stays in the clinical platform.

Under the Hood

How the platform is protected.

These are engineering facts, not marketing language. Each one is something your IT reviewer can ask us to demonstrate.

U.S. data residency

All platform data is hosted in cloud infrastructure located in the United States, deployed across multiple availability zones, under a signed Business Associate Agreement with our infrastructure provider.

Encrypted in transit

TLS on every connection: browser to platform, service to service, and application to database. HTTPS only, with strict transport security enforced.

Encrypted at rest

AES-256 encryption for databases, document storage, and backups, with managed key infrastructure handling key storage and rotation.

Network isolation

Databases live on private network segments with no internet access. Each layer accepts connections only from the layer in front of it.

Append-only audit trail

Every action that touches patient data writes an audit event that cannot be edited or deleted, retained for six years. Infrastructure activity is logged independently.

Backups & recovery

Automated, encrypted backups with point-in-time recovery, and a documented disaster recovery plan with defined recovery objectives.

Monitored around the clock

Automated monitoring and alerting on error rates, latency, and audit integrity, routed directly to the engineers who built the system.

No credentials in code

Secrets live in a managed, encrypted secrets store with audited access. Automated scanning blocks credentials from ever entering the codebase.

Certifications, honestly.

MerlinRx does not yet hold SOC 2 or HITRUST certification, and we will not imply otherwise with a wall of look-alike badges. We operate under a formal HIPAA policy program covering risk assessment, incident response, data retention, business continuity, vendor risk, security training, and vulnerability management.

We are building toward HITRUST e1 certification and align our controls to it today, so that certification follows the discipline rather than replacing it. Ask us where we are in that process and we will show you, specifically.

For Your Procurement Team

Documentation, not assurances.

Security review is a standard part of how hospices evaluate any platform that touches patient data, and we treat it as part of onboarding, not an obstacle to it. Bring your security questionnaire, your IT reviewer, or your compliance officer.

We will walk through our security posture directly and provide documentation as part of your procurement process. Where you need something we have not yet produced, we will tell you that plainly rather than papering over it.

You will get direct answers from the people who built the system, not a compliance inbox.

What to ask any vendor, including us

  • Will you sign a Business Associate Agreement, and what does it cover?
  • Who in your organization can access our patient data, and how is that controlled?
  • How is prescriber identity verified for controlled-substance prescribing?
  • What happens to our data if we leave?

Put your security questions on the agenda.

Bring your compliance officer to the conversation. We'll answer in specifics.
