TRUST CENTER

How Rectangle Health protects provider and patient data

Our security approach is built on a foundation of layered controls, rigorous compliance programs, and dedicated expertise, so your practice can focus on care, not risk. Most payment vendors protect only one of two things; we protect both: your patients’ card data and their protected health information.

Credentials and certifications

Protecting providers and their patients

Rectangle Health secures the full spectrum of healthcare payment data, because protecting your practice means protecting both sides of every transaction.

  • Payment data protection

    Bridge Payments is PCI DSS–validated. Cardholder data is tokenized at capture, encrypted in transit with TLS 1.2+, and encrypted at rest with AES-256. Raw card numbers are never stored in our systems.

  • Patient data protection

    We maintain HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule — and offer a BAA to all covered entity customers. PHI is protected throughout its lifecycle, from payment capture to records retention.

  • Resilience and reliability

    Rectangle Health is hosted on AWS with redundant, multi-availability-zone infrastructure. We maintain documented business continuity and disaster recovery plans, including contingency procedures for third-party disruptions, and operate 24/7 monitoring with defined incident response and customer communication protocols.
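To make concrete what "tokenized at capture, encrypted at rest with AES-256, raw card numbers never stored" means in practice, here is an added illustration in Go. It is not Rectangle Health's or Bridge Payments' code and assumes nothing about their implementation: the `Vault` type, the `tok_` token prefix, the in-memory map standing in for a vault database, and the constructed test card number 4111 1111 1111 1111 are all the example's own choices. The application only ever sees the token and the last four digits; the full PAN exists only as AES-256-GCM ciphertext bound to its token, and `StoresPlaintext` is the check a reviewer would run to confirm the stored bytes never contain the card number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Vault holds card numbers only as AES-256-GCM ciphertext, indexed by an opaque token.
// The map stands in for the vault's datastore (an assumption of this example).
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}

// NewVault requires a 32-byte key, i.e. AES-256. In production the key comes from a KMS/HSM.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// luhnValid rejects malformed PANs before anything is stored (Luhn mod-10 check).
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// Tokenize is the "capture" step: validate, encrypt, store ciphertext, hand back a
// random token plus the display-safe last four digits. The raw PAN never leaves this function.
func (v *Vault) Tokenize(pan string) (token, last4 string, err error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return "", "", errors.New("invalid card number")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = "tok_" + base64.RawURLEncoding.EncodeToString(raw)

	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	// The token is passed as associated data, so a ciphertext moved to another token fails to open.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(nonce, ct...)
	return token, pan[len(pan)-4:], nil
}

// Detokenize is the narrow path used only when the PAN must reach the card network.
func (v *Vault) Detokenize(token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("corrupt vault record")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoresPlaintext reports whether the PAN appears anywhere in the vault's stored bytes.
func (v *Vault) StoresPlaintext(pan string) bool {
	for _, blob := range v.store {
		if bytes.Contains(blob, []byte(pan)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // demo only; never hard-code or generate vault keys in-process in production
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	tok, last4, err := v.Tokenize("4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("token=%s last4=%s plaintext-in-vault=%v\n", tok, last4, v.StoresPlaintext("4111111111111111"))
}
```

The point of the design is scope reduction: every service that handles tokens and last-four values stays out of PCI scope for stored cardholder data, and only the vault (and its key management) has to meet the storage requirements.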

“Security isn’t a feature we add. It’s the foundation we build on. Every product decision at Rectangle Health starts with the question: does this protect the trust our customers place in us?”

Christopher Frenz

Chief Information Security Officer, Rectangle Health

The HIPAA + PCI gap — and why it matters

Healthcare payments are uniquely complex. Every transaction touches two distinct categories of sensitive data — and two separate regulatory frameworks govern their protection.

  • PCI DSS protects cardholder data

    Credit and debit card numbers, CVVs, and transaction data. Required for any organization that accepts card payments.

  • HIPAA safeguards protected health information

    Patient names, dates of birth, diagnoses, and any PHI connected to a payment transaction. Healthcare-specific and non-negotiable.

By the numbers

  • XX.X% Uptime SLA
  • 24/7 Monitoring
  • 30+ Years in healthcare
  • 37k+ Providers

Our approach to security and compliance

Security at Rectangle Health is an ongoing priority — not a point-in-time audit. We continuously validate our controls, prepare our teams, and improve our posture to stay ahead of evolving threats in healthcare payments.

  • Validate

    Annual third-party penetration testing and independent audits across PCI, HIPAA, HITRUST, and SOC 2. Continuous vulnerability scanning to identify and remediate issues before they become risks.

  • Prepare

    All employees complete annual HIPAA security training. Ongoing phishing simulation and remediation reinforces expected behavior across the organization. Incident response plans are documented, tested, and updated regularly.

  • Improve

    Findings from every audit, assessment, and incident drive measurable program improvements. Risk assessments are conducted on a regular cadence — not just ahead of certification renewals.

FAQ: Answers to your top security questions

Yes. Rectangle Health is designed to satisfy both frameworks simultaneously.
Bridge™ Payments is PCI DSS–validated, and we maintain HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule. We offer a Business Associate Agreement (BAA) to all covered entity customers.
Most payment vendors address one or the other, but healthcare payments require both.

Rectangle Health maintains a formal Third-Party Risk Management (TPRM) program. All vendors with access to PHI or payment data are security-assessed before onboarding and reviewed on an ongoing basis.

Our business continuity plans explicitly account for third-party disruption scenarios, with documented contingency procedures and customer communication protocols.

See our full vendor management program on the Security Reference page.

Rectangle Health operates under a documented incident response program with defined escalation, containment, and customer notification procedures. Notification timelines are consistent with HIPAA Breach Notification requirements. Our security team monitors production systems 24/7 and is empowered to act immediately upon detection of an incident.

Yes. All PHI is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.

Yes. Our SOC 2 Type II report is available under NDA. HITRUST certification documentation and PCI DSS validation summaries are available upon request. Contact our security team or visit the Security Reference page for details.

Need more technical or compliance details?

Our full Security Reference page covers every control, framework, and protocol across the Rectangle Health platform — including encryption specs, access controls, infrastructure details, and vendor management.
