Built for Healthcare Compliance
Recovery Journey is built to the requirements of the HIPAA Privacy and Security Rules and of 42 CFR Part 2, the federal confidentiality rule for substance use disorder (SUD) treatment records.
HIPAA Privacy & Security Rule
Our platform implements each of the technical safeguards in the HIPAA Security Rule (45 CFR 164.312): access control, audit controls, integrity, person or entity authentication, and transmission security. These controls are not add-on features; they are fundamental to how Recovery Journey is built.
Access Controls
- Unique user identification for all staff accounts
- Role-based access control (Super Admin, Facility Admin, Counselor)
- Minimum necessary access principle enforced at the application level
- Emergency access procedures documented and testable
- Automatic session termination after 15 minutes of inactivity
Audit Controls
- Comprehensive audit logging of all PHI access and modifications
- Immutable audit records with user ID, timestamp, action, and resource
- Field-level tracking of viewed and modified patient data
- Batch-queued logging with immediate dispatch for critical events
- Audit log retention for a minimum of 6 years, matching the HIPAA documentation retention period (45 CFR 164.316(b)(2))
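The audit controls above describe batch-queued logging that flushes immediately for critical events, with records that carry user ID, timestamp, action and resource and cannot be altered once written. The following is an added example of that pattern, not Recovery Journey's own code: the record shape, the set of actions treated as critical, the batch threshold of 10, the in-memory transport and the fake clock are all assumptions made for illustration.

```javascript
// Added example, not Recovery Journey's code: a batch-queued audit logger that
// dispatches critical events immediately. Assumed (not from the page): the record
// shape, the set of critical actions, the batch threshold and the transport API.

// Actions that must reach durable storage before the request completes (assumed list).
const CRITICAL_ACTIONS = new Set(['phi.export', 'phi.delete', 'consent.revoke', 'auth.lockout']);

class AuditLogger {
  // transport.send(records) is the assumed interface to durable, append-only storage.
  constructor(transport, { batchSize = 50, now = () => Date.now() } = {}) {
    this.transport = transport;
    this.batchSize = batchSize;
    this.now = now;
    this.queue = [];
    this.seq = 0; // monotonic sequence number; a gap in stored records reveals deletion
  }

  // Records one PHI access or modification. Returns the frozen record.
  record({ userId, action, resource, fields = [] }) {
    if (!userId || !action || !resource) {
      throw new Error('audit record requires userId, action and resource');
    }
    const entry = Object.freeze({
      seq: ++this.seq,
      timestamp: new Date(this.now()).toISOString(),
      userId,
      action,
      resource,
      fields: Object.freeze([...fields]), // field-level tracking of what was viewed or changed
    });
    this.queue.push(entry);
    if (CRITICAL_ACTIONS.has(action) || this.queue.length >= this.batchSize) {
      this.flush(); // critical events never wait in the queue
    }
    return entry;
  }

  // Sends everything queued, in order, and returns how many records were sent.
  flush() {
    if (this.queue.length === 0) return 0;
    const batch = this.queue;
    this.queue = [];
    this.transport.send(batch);
    return batch.length;
  }
}

// Constructed in-memory transport so the example runs offline.
class MemoryTransport {
  constructor() { this.batches = []; }
  send(records) { this.batches.push(records); }
}

// Walks through the batching behaviour with constructed events and a fake clock.
function demo() {
  const transport = new MemoryTransport();
  let t = 1700000000000;
  const log = new AuditLogger(transport, { batchSize: 10, now: () => (t += 1000) });

  log.record({ userId: 'u-counselor-1', action: 'phi.view', resource: 'patient/42', fields: ['diagnosis'] });
  log.record({ userId: 'u-counselor-1', action: 'phi.update', resource: 'patient/42', fields: ['treatmentPlan'] });
  const queuedBefore = log.queue.length; // routine events wait for the batch: 2

  const crit = log.record({ userId: 'u-admin-1', action: 'phi.export', resource: 'patient/42' });
  const batchesAfterCritical = transport.batches.length; // 1: the export forced a flush
  const flushedCount = transport.batches[0].length;      // 3: queued events went with it, in order

  log.record({ userId: 'u-counselor-1', action: 'phi.view', resource: 'patient/43' });
  return {
    queuedBefore,
    batchesAfterCritical,
    flushedCount,
    criticalSeq: crit.seq,         // 3
    queuedAfter: log.queue.length, // 1: the next routine event is queued again
    frozen: Object.isFrozen(crit),
  };
}
```

The sequence number is what makes the stored log checkable: a reviewer can detect a deleted record by a gap in `seq`, which a timestamp alone does not reveal. A production transport would also flush on a timer so that routine records never sit in the queue for more than a few seconds, and would persist the queue before acknowledging the request for any action in the critical set.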
Transmission Security
- TLS 1.3 encryption for all data in transit
- WebSocket connections carried over TLS (wss://), never plaintext ws://
- Certificate pinning for mobile applications
- API requests authenticated with JWT access tokens
- Rate limiting and request throttling to prevent abuse
Data Integrity
- AES-256 encryption for all data at rest
- Automated database backups with point-in-time recovery
- Input validation with Zod schemas (Zod enforces structure and types; it does not sanitize HTML, which DOMPurify handles)
- Rich text sanitization through DOMPurify to prevent XSS
- Data validation at both client and server boundaries
42 CFR Part 2
Substance use disorder treatment records require protections beyond standard HIPAA requirements. 42 CFR Part 2 restricts disclosure of SUD patient identifying information and imposes additional consent and confidentiality obligations.
Recovery Journey is purpose-built for SUD treatment providers, which means Part 2 compliance is woven into every feature, from consent management to audit logging to re-disclosure controls.
Technical Safeguards
A detailed look at the security architecture protecting your data.
Authentication
Passwords are hashed with bcrypt. Access tokens are held in memory only and never persisted to localStorage, sessionStorage, or cookies. Refresh tokens are rotated: each refresh token is accepted once and replaced, so a captured token cannot be replayed after the legitimate client has used it.
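The refresh token rotation described above is what limits replay. As an added example, not Recovery Journey's own code, the server-side half of that scheme with reuse detection: an in-memory store, opaque random token ids from `crypto.randomUUID` (available as a global in Node 19+ and browsers), a 7-day lifetime, and a "family" id tying every token descended from one login together are all assumptions for illustration.

```javascript
// Added example, not Recovery Journey's code: server-side refresh token rotation
// with reuse detection. Assumed: in-memory store, opaque random token ids
// (crypto.randomUUID, Node 19+ or a browser-like global), a 7-day lifetime, and
// a "family" id tying every token descended from one login together.

class RefreshTokenStore {
  constructor({ now = () => Date.now(), ttlMs = 7 * 24 * 3600 * 1000, newId = () => globalThis.crypto.randomUUID() } = {}) {
    this.now = now;
    this.ttlMs = ttlMs;
    this.newId = newId;
    this.tokens = new Map();          // tokenId -> { familyId, userId, expiresAt, usedAt }
    this.revokedFamilies = new Set(); // families whose tokens must all be rejected
  }

  // Issues a fresh refresh token; a new family starts at login.
  issue(userId, familyId = this.newId()) {
    const refreshToken = this.newId();
    this.tokens.set(refreshToken, { familyId, userId, expiresAt: this.now() + this.ttlMs, usedAt: null });
    return { refreshToken, familyId };
  }

  // Exchanges a refresh token exactly once for its successor.
  // Returns { ok: true, refreshToken, userId } or { ok: false, reason }.
  rotate(presented) {
    const rec = this.tokens.get(presented);
    if (!rec) return { ok: false, reason: 'unknown' };
    if (this.revokedFamilies.has(rec.familyId)) return { ok: false, reason: 'family_revoked' };
    if (rec.expiresAt <= this.now()) return { ok: false, reason: 'expired' };
    if (rec.usedAt !== null) {
      // The same token is being presented a second time: either a thief replayed a
      // captured copy, or the legitimate client is stale. Both are resolved by
      // killing the whole family and forcing a fresh login.
      this.revokeFamily(rec.familyId);
      return { ok: false, reason: 'reuse_detected' };
    }
    rec.usedAt = this.now();
    const next = this.issue(rec.userId, rec.familyId);
    return { ok: true, refreshToken: next.refreshToken, userId: rec.userId };
  }

  revokeFamily(familyId) {
    this.revokedFamilies.add(familyId);
  }
}

// Replays the attack the rotation is meant to catch, with a deterministic id source.
function demo() {
  let n = 0;
  const store = new RefreshTokenStore({ now: () => 0, newId: () => `tok-${++n}` });
  const { refreshToken: t1 } = store.issue('u-1');
  const legit = store.rotate(t1);                      // ok: t1 consumed, t2 issued
  const thief = store.rotate(t1);                      // t1 again: reuse_detected, family revoked
  const legitAgain = store.rotate(legit.refreshToken); // even the valid successor is now dead
  return { legit: legit.ok, thief: thief.reason, legitAgain: legitAgain.reason };
}
```

The point of the family id is that the server cannot tell which party holding a replayed token is the attacker, so it ends the whole session lineage and lets the real user log in again; without that step, rotation only shortens the replay window rather than closing it. A real deployment would store the family and `usedAt` fields in the same database transaction as the successor token so that two concurrent refresh requests cannot both succeed.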
Session Management
Automatic session timeout after 15 minutes of inactivity with a 2-minute warning. Logout requires a reason parameter for audit purposes. Device tracking identifies concurrent sessions.
Authorization
Three-tier role system: Super Admin, Facility Admin, and Counselor. Each role has precisely scoped permissions. All API endpoints enforce authorization middleware before processing requests.
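The three-tier role model and the "minimum necessary" rule from the Access Controls list come together in the authorization middleware. As an added example, not Recovery Journey's own code, an Express-style middleware for that model: the role strings, the permission matrix, the facility-scoping rule (Facility Admin and Counselor act only within their own facility) and the `req.user` shape populated by an upstream JWT check are assumptions for illustration.

```javascript
// Added example, not Recovery Journey's code: Express-style authorization middleware
// for the three-tier role model. Assumed: role strings, the permission matrix,
// facility scoping, and req.user set by an earlier JWT verification step.

const ROLES = { SUPER_ADMIN: 'super_admin', FACILITY_ADMIN: 'facility_admin', COUNSELOR: 'counselor' };

// Permission matrix (assumed). Minimum necessary: counselors read patients and write
// clinical notes but cannot manage users or export records.
const PERMISSIONS = {
  'patient:read':   [ROLES.SUPER_ADMIN, ROLES.FACILITY_ADMIN, ROLES.COUNSELOR],
  'note:write':     [ROLES.SUPER_ADMIN, ROLES.FACILITY_ADMIN, ROLES.COUNSELOR],
  'user:manage':    [ROLES.SUPER_ADMIN, ROLES.FACILITY_ADMIN],
  'patient:export': [ROLES.SUPER_ADMIN],
};

// Returns middleware that allows the request only if req.user may perform `action`
// on the facility named in the route. Unknown actions fail at startup, not at runtime.
function authorize(action) {
  const allowed = PERMISSIONS[action];
  if (!allowed) throw new Error(`unknown action ${action}`);
  return function (req, res, next) {
    const user = req.user;
    if (!user) return res.status(401).end();                 // unauthenticated
    if (!allowed.includes(user.role)) return res.status(403).end();
    // Facility scoping: everyone except Super Admin stays inside their own facility.
    const target = req.params && req.params.facilityId;
    if (user.role !== ROLES.SUPER_ADMIN && target && target !== user.facilityId) {
      return res.status(403).end();
    }
    return next();
  };
}

// Minimal fake res/next so the middleware can be exercised without a server.
// Returns 'next' when the request is allowed, otherwise the HTTP status sent.
function run(action, req) {
  let code = null;
  let called = false;
  const res = { status(c) { code = c; return this; }, end() {} };
  authorize(action)(req, res, () => { called = true; });
  return called ? 'next' : code;
}
```

Note the ordering: the role check comes before the facility check so that a denial never reveals whether the target facility exists, and the middleware fails closed on a missing `req.user` rather than treating it as a guest. Registering the middleware per route (`router.get('/facilities/:facilityId/patients', authorize('patient:read'), handler)`) is what makes "all API endpoints enforce authorization middleware" auditable: a route without an `authorize(...)` call is visible in the router table.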
Threat Protection
Security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options. Rate limiting on all endpoints. Every request body and parameter is validated against a schema and rejected if malformed, and rich text is sanitized with DOMPurify.
Monitoring
Real-time monitoring of failed authentication attempts with automatic lockout. Anomalous access pattern detection. Health check endpoints for uptime monitoring.
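Both the rate limiting mentioned under Threat Protection and the failed-login lockout mentioned here reduce to the same mechanism: count events per key inside a time window and refuse once a threshold is passed. As an added example, not Recovery Journey's own code, one sliding-window counter serving both controls; the thresholds (100 requests per minute per client, 5 failed logins per 15 minutes per account), the in-memory storage and the injected clock are assumptions for illustration.

```javascript
// Added example, not Recovery Journey's code: a sliding-window counter used for
// per-client API rate limiting and for failed-login lockout. Thresholds, in-memory
// storage and the injectable clock are assumptions.

class SlidingWindowCounter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.events = new Map(); // key -> timestamps of events inside the window
  }

  // Drops timestamps older than the window and returns the survivors.
  _prune(key) {
    const cutoff = this.now() - this.windowMs;
    const kept = (this.events.get(key) || []).filter((ts) => ts > cutoff);
    this.events.set(key, kept);
    return kept;
  }

  // Records one event and reports whether the key is still within its limit.
  hit(key) {
    const kept = this._prune(key);
    kept.push(this.now());
    const over = kept.length > this.limit;
    return {
      allowed: !over,
      count: kept.length,
      retryAfterMs: over ? kept[0] + this.windowMs - this.now() : 0, // when the oldest event ages out
    };
  }

  isBlocked(key) { return this._prune(key).length >= this.limit; }
  reset(key) { this.events.delete(key); }
}

// Rate limiter: 100 requests per minute per client key (assumed threshold).
function makeRateLimiter(now) {
  return new SlidingWindowCounter({ limit: 100, windowMs: 60_000, now });
}

// Lockout: 5 failed logins within 15 minutes locks the account (assumed threshold).
// verify(username, password) is the assumed credential check (bcrypt compare in practice).
class LoginGuard {
  constructor(verify, now) {
    this.verify = verify;
    this.failures = new SlidingWindowCounter({ limit: 5, windowMs: 15 * 60_000, now });
  }

  // Returns 'ok', 'denied' or 'locked'. A locked account is refused even with the
  // correct password until the oldest failure falls out of the window.
  attempt(username, password) {
    if (this.failures.isBlocked(username)) return 'locked';
    if (this.verify(username, password)) {
      this.failures.reset(username); // a successful login clears the failure history
      return 'ok';
    }
    this.failures.hit(username);
    return 'denied';
  }
}
```

Two caveats a practitioner would add: a lockout keyed on the username alone lets anyone who knows a counselor's login name lock that counselor out, so production systems usually key on username plus client address or fall back to step-up verification instead of a hard lock; and the in-memory map must become a shared store (a database or cache with the same windowing logic) once the API runs on more than one instance, or each instance will count separately and the effective limit multiplies. Both the lockout and the limiter refusals belong in the audit log described earlier on this page.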
Infrastructure
Deployed on SOC 2 compliant cloud infrastructure. Network isolation with VPC. Regular security assessments and penetration testing. Automated vulnerability scanning.
Business Associate Agreement
A Business Associate Agreement (BAA) is included with all Enterprise plans and available upon request for Professional plan subscribers. Our BAA covers all aspects of data handling, storage, transmission, and breach notification procedures.
Contact our sales team to discuss your compliance requirements and obtain a BAA for your organization.