Security & Compliance

Data Encryption & HIPAA

How Chimera Protects Patient Data

Chimera is designed with healthcare data protection in mind. All patient-identifiable information is encrypted at rest, and the system follows HIPAA security best practices.

Encryption at Rest

All personally identifiable information (PII) is encrypted using Fernet symmetric encryption before being stored in the database:

  • Patient names
  • Phone numbers
  • Email addresses
  • Insurance information (carrier, member ID, group number)
  • Intake form responses
  • App integration credentials (OAuth tokens, passwords)

Data is decrypted only when accessed by authorized staff through the dashboard.
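The field-level pattern described above, as an added example (not Chimera's own code): the PII fields are replaced by Fernet tokens before the row is stored, and decryption is gated on the requester's clinic ID. The record contents, key and field names are constructed for the example.

```python
# Added example: field-level Fernet encryption for a patient record.
# Not Chimera's code; record contents, key and field names are constructed.
from cryptography.fernet import Fernet, InvalidToken

# Fields stored only as Fernet tokens (a subset of the page's PII list).
PII_FIELDS = ("name", "phone", "email", "insurance_member_id")


def new_fernet() -> Fernet:
    """Fresh key for the demo; in production the key comes from a secrets manager."""
    return Fernet(Fernet.generate_key())


def encrypt_record(fernet: Fernet, record: dict) -> dict:
    """Return a copy of `record` with every PII field replaced by a Fernet token."""
    stored = dict(record)
    for field in PII_FIELDS:
        if stored.get(field) is not None:
            token = fernet.encrypt(str(stored[field]).encode("utf-8"))
            stored[field] = token.decode("ascii")  # base64 text, fits a VARCHAR column
    return stored


def decrypt_record(fernet: Fernet, stored: dict, requester_clinic_id: str) -> dict:
    """Decrypt PII only for a requester in the row's own clinic (tenant isolation).

    A token modified in the database, or encrypted under a different key, fails
    Fernet's HMAC check and is reported instead of silently yielding garbage.
    """
    if stored.get("clinic_id") != requester_clinic_id:
        raise PermissionError("record belongs to another clinic")
    record = dict(stored)
    for field in PII_FIELDS:
        if record.get(field) is not None:
            try:
                record[field] = fernet.decrypt(record[field].encode("ascii")).decode("utf-8")
            except InvalidToken as exc:
                raise ValueError(f"{field}: token tampered or wrong key") from exc
    return record


def tamper(token: str, index: int = 12) -> str:
    """Flip one base64 character of a stored token (simulates a corrupted row)."""
    replacement = "B" if token[index] != "B" else "C"
    return token[:index] + replacement + token[index + 1:]


if __name__ == "__main__":
    f = new_fernet()
    patient = {"clinic_id": "clinic-1", "name": "Jane Doe", "phone": "555-0100",
               "email": "jane@example.org", "insurance_member_id": "MBR-12345",
               "appointment_at": "2024-05-01T09:00"}  # non-PII stays readable
    row = encrypt_record(f, patient)
    print(decrypt_record(f, row, "clinic-1") == patient)
```

Keep the key outside the database and rotate it with `cryptography.fernet.MultiFernet`, which decrypts with any listed key while encrypting with the first.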

Data in Transit

All connections use TLS/HTTPS encryption with automatic certificate management.

Access Controls

  • All dashboard access requires authentication (JWT tokens)
  • Every database query filters by clinic ID (multi-tenant isolation)
  • Model-layer ownership verification on all data mutations
  • Failed login attempts are logged for audit

PHI-Free Communications

Patient communications (emails, SMS) are deliberately PHI-free:

  • Confirmation emails include date/time and a management link, but no health details
  • SMS messages include only the appointment date and time
  • No diagnosis, treatment, or health information is ever sent via email or SMS

Tip: Review the PHI certification settings on your connected apps (Settings > Apps). Keep PHI certification off for services not covered by your BAA.