
HIPAA-aligned clinic software: a short checklist before you go live

Questions to ask any clinic platform about encryption, access control, audit logs, and data export — without assuming a logo means certification.

Security · HIPAA · Compliance

There is no government-issued HIPAA certification, so "HIPAA compliant" on a website is a claim, not a credential you can verify in one click. What matters is whether the product's controls and the vendor's contract match how your clinic will actually handle patient data day to day.

Encryption: Is every path encrypted in transit (TLS on the web app, the API, and any integrations, not only the login page)? How is data encrypted at rest, and does that cover backups and uploaded files, or only the primary database disk? Who holds the keys, who can rotate them, and can vendor staff decrypt production data?

Access control: Can reception see schedules without seeing clinical notes? Are roles enforced server-side and at the database layer, not merely hidden in the interface, so that a hand-crafted request cannot return fields the role should never see?

Audit logging: Can you see who viewed, not just who changed, a patient record, and when? Are bulk exports and deletions logged as well? Can clinic staff edit or delete the log, and can you export it for your own retention?

Support access: If the vendor helps you debug, is that session approved by your clinic, limited in time and scope, visible to you while it runs, and logged under the support engineer's own identity rather than a shared account?

Portability: Can you export patients and visits (and any uploaded documents) to CSV or another open format if you leave, and does the export cover everything you entered? What is the retention period after cancellation, and when is your data actually deleted?

Business Associate Agreement: Will they sign a BAA before any real PHI enters production, and do their own subcontractors that can touch PHI, such as the hosting provider, sit under BAAs too?
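To make the access-control, audit-logging, support-access, and portability questions concrete, here is an added example of what a "yes" looks like in code. It is illustrative only, not Clinru's implementation and not code from this page: a small Python data-access layer over SQLite in which the role decides which columns a query may return, every read, change, export, and deletion is written to an audit table under the session's identity, and a vendor support role is just another logged, narrowly scoped identity. The schema, role names, and the two sample patients are constructed for the example.

```python
"""Illustrative clinic data-access layer (hypothetical schema and roles).

Role scoping holds in the SQL, not only in the UI; changes and deletions are
audited by database triggers keyed to the bound session identity; reads and
exports are audited by the application because SELECT has no trigger.
"""
import csv
import io
import sqlite3

# Columns each role may read. Reception sees the schedule, never the notes.
# The table is fixed in code, so request parameters can never widen it.
ROLE_COLUMNS = {
    "reception": ("id", "name", "next_visit"),
    "clinician": ("id", "name", "next_visit", "clinical_notes"),
    "vendor_support": ("id", "next_visit"),  # debugging needs no names or notes
}
WRITE_ROLES = {"clinician"}

SCHEMA = """
CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, next_visit TEXT, clinical_notes TEXT);
CREATE TABLE session (actor TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE audit (ts TEXT, actor TEXT, role TEXT, action TEXT, patient_id INTEGER);
-- Changes and deletions are recorded by the database itself, stamped with the
-- session identity, so an application bug cannot silently skip the audit row.
CREATE TRIGGER audit_update AFTER UPDATE ON patient BEGIN
  INSERT INTO audit SELECT datetime('now'), actor, role, 'update', NEW.id FROM session;
END;
CREATE TRIGGER audit_delete AFTER DELETE ON patient BEGIN
  INSERT INTO audit SELECT datetime('now'), actor, role, 'delete', OLD.id FROM session;
END;
"""


def new_db() -> sqlite3.Connection:
    """In-memory database with two constructed sample patients (not real PHI)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO patient VALUES (?, ?, ?, ?)",
        [(1, "Pat Example", "2024-05-02 09:00", "Follow-up on knee"),
         (2, "Sam Sample", "2024-05-02 09:30", "Annual physical")],
    )
    return db


def start_session(db: sqlite3.Connection, actor: str, role: str) -> None:
    """Bind one identity to the connection; every later audit row names it."""
    if role not in ROLE_COLUMNS:
        raise PermissionError(f"unknown role {role!r}")
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?, ?)", (actor, role))
    _audit(db, "session_start", None)


def _current(db: sqlite3.Connection) -> tuple:
    row = db.execute("SELECT actor, role FROM session").fetchone()
    if row is None:
        raise PermissionError("no session bound to this connection")
    return row["actor"], row["role"]


def _audit(db: sqlite3.Connection, action: str, patient_id) -> None:
    actor, role = _current(db)
    db.execute("INSERT INTO audit VALUES (datetime('now'), ?, ?, ?, ?)",
               (actor, role, action, patient_id))


def read_patient(db: sqlite3.Connection, patient_id: int) -> dict:
    """Select only the role's columns and log the read itself."""
    _, role = _current(db)
    cols = ", ".join(ROLE_COLUMNS[role])  # from the fixed table above, never from input
    row = db.execute(f"SELECT {cols} FROM patient WHERE id = ?", (patient_id,)).fetchone()
    _audit(db, "read", patient_id)
    return dict(row) if row else {}


def update_notes(db: sqlite3.Connection, patient_id: int, notes: str) -> None:
    """Only write roles may change notes; the trigger records who did it."""
    _, role = _current(db)
    if role not in WRITE_ROLES:
        raise PermissionError(f"role {role!r} may not change clinical notes")
    db.execute("UPDATE patient SET clinical_notes = ? WHERE id = ?", (notes, patient_id))


def delete_patient(db: sqlite3.Connection, patient_id: int) -> None:
    _, role = _current(db)
    if role not in WRITE_ROLES:
        raise PermissionError(f"role {role!r} may not delete patients")
    db.execute("DELETE FROM patient WHERE id = ?", (patient_id,))


def export_csv(db: sqlite3.Connection) -> str:
    """Portability export, scoped to the role's columns and logged as a bulk action."""
    _, role = _current(db)
    cols = ROLE_COLUMNS[role]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(cols)
    for row in db.execute(f"SELECT {', '.join(cols)} FROM patient ORDER BY id"):
        writer.writerow([row[c] for c in cols])
    _audit(db, "export", None)
    return buf.getvalue()


def audit_trail(db: sqlite3.Connection, patient_id=None) -> list:
    """(actor, role, action, patient_id) rows, optionally filtered to one patient."""
    query = "SELECT actor, role, action, patient_id FROM audit"
    args = ()
    if patient_id is not None:
        query += " WHERE patient_id = ?"
        args = (patient_id,)
    return [tuple(r) for r in db.execute(query + " ORDER BY rowid", args)]
```

The point to carry into a vendor conversation: the reception role here cannot obtain clinical notes by any request, because the SELECT never includes that column; the audit rows for updates and deletions come from the database, so the application cannot forget to write them; and a support session shows up in the same trail, under the engineer's own name, with an even narrower column set. A production system would use a real database's grants or row-level security and a tamper-evident log store, but the questions it must answer are the same.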

Clinru is designed for HIPAA-aligned US clinic workflows. We share a security overview and a BAA discussion with pilot clinics, and our security page labels what is live now versus what is planned. Read that page, then talk to us if you want your counsel to review the BAA and the overview.

Try Clinru with your clinic

14-day free trial · per-clinic pricing · built for US independent practices.