Last Updated on January 4, 2023
Security and privacy are core values of Codex Health's mission to improve patient health outcomes in a cost-effective manner. All technology solutions are designed with a high degree of respect for user security, privacy, and HIPAA compliance.
Codex Health has a SOC2 Type II report and an independent third-party HIPAA Compliance Attestation. The SOC2 Report and HIPAA attestation are available upon request: privacy@codexhealth.com.
Codex Health has appointed a Security and Privacy Officer. Feel free to contact our Security and Privacy Officer if you have any questions or concerns about Codex's policies or practices:
Zane Silver – privacy@codexhealth.com
170A University Avenue
Palo Alto, CA 94301
Codex does not provide medical care and is not a Covered Entity under HIPAA (US Health Insurance Portability and Accountability Act).
Codex Health is considered a HIPAA Business Associate to our healthcare provider partners.
Codex manages all consumer health information (CHI) and electronic protected health information (ePHI) in compliance with its Business Associate Agreements with its Covered-Entity partners.
Patient data may be de-identified in accordance with the HIPAA Privacy Rule's de-identification standard, such that the resulting data can no longer be traced back to an individual. Once de-identified in this way the data is no longer considered PHI under the Privacy Rule, and it may be retained indefinitely for product and research purposes.
Codex uses Google Cloud Platform (GCP) to host our applications and makes full use of the security products embedded in the GCP ecosystem, including Secret Manager and Security Command Center. Our application is deployed as containers and functions on GCP's fully-managed serverless platform, meaning we typically do not manage server instances in production.
Codex encrypts all customer data at rest and in transit. We use Google-managed cryptographic keys, backed by the same hardened key management systems that Google uses for its own encrypted data. In line with industry best practices, we enable logging of all data access within our GCP infrastructure and applications and audit those logs.
Codex is based in the US. We store and process your data in the United States in multiple GCP Locations.
Codex regularly engages some of the industry's best application security experts for third-party penetration tests. Our penetration testers evaluate our running application, the deployed environment, and our authentication mechanisms. Codex also uses a high-quality automated developer security platform to monitor for and detect software security vulnerabilities in real time.
Additionally, Codex undergoes regular, independent third-party audits. SOC2 Reports & HIPAA Attestations are available to healthcare provider customers via request: privacy@codexhealth.com.
Codex has obtained the following compliance certifications:
In the future, the company may receive the following certifications:
Please note that Codex's current business scale excludes the company from various US state privacy laws (e.g., CCPA) and their associated controls and requirements. Additionally, Codex Health does not conduct business outside the United States and prohibits the use of our services outside the United States. The company operates outside of the EU and outside the jurisdiction of GDPR regulations.
If you have any questions or concerns about Codex’s security and compliance, please contact us at support@codexhealth.com.