PHI & Privacy in Integrations

Protecting Patient Information

When you connect third-party apps, Chimera lets you control what patient information is shared.

PHI Certification Toggle

Each app has a PHI (protected health information) certification toggle in its settings:

  • Enabled — patient names appear in calendar events and meeting titles. Use this when the connected service is covered by your BAA (Business Associate Agreement).
  • Disabled — events use generic titles like “Appointment” with no patient-identifying information. Use this for personal calendars or services not covered by a BAA.

What Gets Shared

Calendar events include:

  • Date, time, and duration
  • Appointment type name
  • Provider name
  • Patient name (only if PHI certification is on)

Calendar events never include:

  • Patient phone numbers or email addresses
  • Insurance information
  • Intake form responses
  • Any other health-related data
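
The sharing rules above amount to an allow-list applied to each appointment before it leaves for the connected calendar. The sketch below is an added example, not Chimera's own code: the function names, record fields, and title format are assumptions, and the sample record is constructed.

```python
# Added illustration, not Chimera's code; every name below is hypothetical.
GENERIC_TITLE = "Appointment"  # generic title the page describes for PHI-off
# Fields the page lists as always present in calendar events.
ALWAYS_SHARED = ("start", "duration_minutes", "appointment_type", "provider_name")

# Constructed sample record (no real patient data).
SAMPLE = {
    "start": "2025-03-04T09:30:00",
    "duration_minutes": 45,
    "appointment_type": "Follow-up",
    "provider_name": "Dr. Rivera",
    "patient_name": "Jordan Example",
    "patient_phone": "555-0100",
    "patient_email": "jordan@example.com",
    "insurance_id": "INS-000000",
    "intake_notes": "constructed intake text",
}


def build_calendar_event(appointment, phi_certified):
    """Copy only allow-listed fields, so new record fields never leak by default."""
    missing = [f for f in ALWAYS_SHARED if f not in appointment]
    if missing:
        raise ValueError(f"appointment record missing fields: {missing}")
    event = {f: appointment[f] for f in ALWAYS_SHARED}
    patient = appointment.get("patient_name")
    if phi_certified and patient:
        event["patient_name"] = patient
        # Title format is an assumption; the page only says names appear in titles.
        event["title"] = f"{patient} ({appointment['appointment_type']})"
    else:
        event["title"] = GENERIC_TITLE
    return event


def leaked_fields(event, appointment, phi_certified):
    """Return record fields whose values show up in the event but are not allowed."""
    allowed = set(ALWAYS_SHARED) | ({"patient_name"} if phi_certified else set())
    rendered = " ".join(str(v) for v in event.values())
    return sorted(
        k for k, v in appointment.items()
        if k not in allowed and str(v) and str(v) in rendered
    )


if __name__ == "__main__":
    for toggle in (False, True):
        event = build_calendar_event(SAMPLE, toggle)
        print(toggle, event["title"], leaked_fields(event, SAMPLE, toggle))
```

A check like leaked_fields can run as a regression test on outbound payloads, so a record field added later cannot reach a calendar that is not covered by a BAA.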

Credential Security

All app credentials (OAuth tokens, passwords, API keys) are encrypted at rest using Fernet symmetric encryption. Tokens are never exposed in API responses or the dashboard UI.

Tip: When in doubt, leave PHI certification off. You can always enable it later after confirming your BAA covers the connected service.