TRUST CENTER
How Rectangle Health protects provider and patient data
Our security approach is built on a foundation of layered controls, rigorous compliance programs, and dedicated expertise, so your practice can focus on care, not risk. We protect two things where most payment vendors protect only one: your patients' card data and their protected health information.
Credentials and certifications
Protecting providers and their patients
Rectangle Health secures the full spectrum of healthcare payment data, because protecting your practice means protecting both sides of every transaction.
- Payment data protection
  Bridge Payments is PCI DSS–validated. Cardholder data is tokenized at capture, encrypted in transit with TLS 1.2+, and encrypted at rest with AES-256. Raw card numbers are never stored in our systems.
- Patient data protection
  We maintain HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule, and offer a BAA to all covered entity customers. PHI is protected throughout its lifecycle, from payment capture to records retention.
- Resilience and reliability
  Rectangle Health is hosted on AWS with redundant, multi-availability-zone infrastructure. We maintain documented business continuity and disaster recovery plans, including contingency procedures for third-party disruptions, and operate 24/7 monitoring with defined incident response and customer communication protocols.
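The "tokenized at capture, AES-256 at rest, raw card numbers never stored" design above is a standard PCI scope-reduction pattern. The Go program below is an added illustration of that pattern, not Rectangle Health's code and not a description of how Bridge Payments is implemented: a small token vault that validates a card number, replaces it with a random token that carries no information about the card, stores only an AES-256-GCM ciphertext (with the token bound as associated data so a ciphertext cannot be moved under another token), and includes the check a reviewer would run over a storage snapshot or log line to confirm that no Luhn-valid 13 to 19 digit run is at rest. The in-memory key, the record layout, and the test card number 4111 1111 1111 1111 are assumptions for the example; a real vault keeps its key in an HSM or KMS and lives inside the segmented PCI environment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// vaultRecord is all the vault persists per token: the AES-256-GCM ciphertext
// of the PAN, its nonce, and the last four digits for receipts. No raw PAN.
type vaultRecord struct {
	Nonce      string `json:"nonce"`
	Ciphertext string `json:"ciphertext"`
	Last4      string `json:"last4"`
}

// TokenVault maps opaque tokens to encrypted PANs. The key is held in memory
// here for illustration only (assumption); production keys belong in an HSM/KMS.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string]vaultRecord
}

// NewTokenVault requires a 32-byte key, i.e. AES-256, and refuses anything shorter.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: map[string]vaultRecord{}}, nil
}

// LuhnValid reports whether a digit string passes the Luhn checksum used by card numbers.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// Tokenize validates the PAN, encrypts it, and returns a random token. The token is
// generated independently of the PAN, so it cannot be reversed without the vault.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 || !LuhnValid(pan) {
		return "", errors.New("invalid PAN")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + base64.RawURLEncoding.EncodeToString(raw)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is bound as associated data: decrypting under another token fails.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = vaultRecord{
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
		Last4:      pan[len(pan)-4:],
	}
	return token, nil
}

// Detokenize recovers the PAN; only the component holding the key can do this.
func (v *TokenVault) Detokenize(token string) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	nonce, err := base64.StdEncoding.DecodeString(rec.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := v.aead.Open(nil, nonce, ct, []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Snapshot serialises the vault exactly as it would be written to disk.
func (v *TokenVault) Snapshot() ([]byte, error) { return json.Marshal(v.store) }

var panLike = regexp.MustCompile(`[0-9]{13,19}`)

// ContainsRawPAN is the reviewer's check over stored data or logs: any 13 to 19
// digit run that passes Luhn is treated as a leaked card number.
func ContainsRawPAN(blob []byte) bool {
	for _, m := range panLike.FindAll(blob, -1) {
		if LuhnValid(string(m)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewTokenVault(key)
	token, err := vault.Tokenize("4111 1111 1111 1111") // constructed test PAN, not a real card
	if err != nil {
		panic(err)
	}
	snap, _ := vault.Snapshot()
	pan, _ := vault.Detokenize(token)
	fmt.Println("token:", token, "raw PAN at rest:", ContainsRawPAN(snap), "ends in:", pan[len(pan)-4:])
}
```

The scanner in ContainsRawPAN is the same logic a practitioner points at application logs and database dumps during a PCI assessment; the Luhn filter keeps it from flagging every long numeric identifier.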
“Security isn’t a feature we add. It’s the foundation we build on. Every product decision at Rectangle Health starts with the question: does this protect the trust our customers place in us?”
Christopher Frenz
Chief Information Security Officer, Rectangle Health
The HIPAA + PCI gap — and why it matters
Healthcare payments are uniquely complex. Every transaction touches two distinct categories of sensitive data — and two separate regulatory frameworks govern their protection.
- PCI DSS protects cardholder data
  Credit and debit card numbers, CVVs, and transaction data. Required for any organization that accepts card payments.
- HIPAA safeguards protected health information
  Patient names, dates of birth, diagnoses, and any PHI connected to a payment transaction. Healthcare-specific and non-negotiable.
By the numbers
- XX.X% Uptime SLA
- 24/7 Monitoring
- 30+ Years in healthcare
- 37k+ Providers
Our approach to security and compliance
Security at Rectangle Health is an ongoing priority — not a point-in-time audit. We continuously validate our controls, prepare our teams, and improve our posture to stay ahead of evolving threats in healthcare payments.
- Validate
  Annual third-party penetration testing and independent audits across PCI, HIPAA, HITRUST, and SOC 2. Continuous vulnerability scanning to identify and remediate issues before they become risks.
- Prepare
  All employees complete annual HIPAA security training. Ongoing phishing simulations and follow-up remediation reinforce expected behavior across the organization. Incident response plans are documented, tested, and updated regularly.
- Improve
  Findings from every audit, assessment, and incident drive measurable program improvements. Risk assessments are conducted on a regular cadence, not just ahead of certification renewals.
FAQ: Answers to your top security questions
Yes. Rectangle Health is designed to satisfy both frameworks simultaneously.
Bridge™ Payments is PCI DSS–validated, and we maintain HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule. We offer a Business Associate Agreement (BAA) to all covered entity customers.
Most payment vendors address one or the other, but healthcare payments require both.
Rectangle Health maintains a formal Third-Party Risk Management (TPRM) program. All vendors with access to PHI or payment data are security-assessed before onboarding and reviewed on an ongoing basis.
Our business continuity plans explicitly account for third-party disruption scenarios, with documented contingency procedures and customer communication protocols.
See our full vendor management program on the Security Reference page.
Rectangle Health operates under a documented incident response program with defined escalation, containment, and customer notification procedures. Notification timelines are consistent with HIPAA Breach Notification requirements. Our security team monitors production systems 24/7 and is empowered to act immediately upon detection of an incident.
Yes. All PHI is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.
Yes. Our SOC 2 Type II report is available under NDA. HITRUST certification documentation and PCI DSS validation summaries are available upon request. Contact our security team or visit the Security Reference page for details.
Need more technical or compliance details?
Our full Security Reference page covers every control, framework, and protocol across the Rectangle Health platform — including encryption specs, access controls, infrastructure details, and vendor management.
Security and compliance resources
- Blog: How to choose a payment partner that protects both card and patient data
- Blog: HIPAA compliance: Don't let false security become a million-dollar mistake
- Press: Rectangle Health Reaffirms Robust Security Framework through PCI DSS Attestation of Compliance Renewal
- Blog: Navigating HIPAA compliance in small dental practices