SECURITY REFERENCE DOCUMENTATION

How Rectangle Health protects your data

Learn about every security control, compliance framework, and operational practice across the Rectangle Health platform.

Credentials and certifications

HIPAA + PCI: dual compliance for healthcare payments

Healthcare organizations accepting card payments face dual exposure: PCI DSS violations for card data and HIPAA violations for protected health information (PHI). Rectangle Health is designed to satisfy both simultaneously.

  • PCI DSS

    Payment Card Industry Data Security Standard

    Status: Level 1 (QSA-assessed)

    Bridge Payments is validated against PCI DSS as part of our Point-to-Point Encryption (P2PE) solution. The cardholder data environment is scoped, isolated from the rest of the platform, and assessed by a Qualified Security Assessor (QSA); Level 1 validation is a QSA assessment with a Report on Compliance rather than a self-assessment questionnaire.

    Payment card data is tokenized at capture, so raw primary account numbers (PANs) are never stored in Rectangle Health systems. Card data that is encrypted at the terminal and never handled by a practice's own systems reduces that practice's PCI scope, and we support practices in their own PCI compliance journey with SAQ guidance and scope-reduction strategies.

  • HIPAA

    Health Insurance Portability and Accountability Act

    Status: Compliant

    Rectangle Health maintains HIPAA compliance across the Privacy Rule, Security Rule, and Breach Notification Rule.

    We draw on more than 30 years of healthcare payments experience in protecting HIPAA-regulated data, and we maintain controls mapped to the administrative, physical, and technical safeguards the Security Rule requires for PHI. We offer a Business Associate Agreement (BAA) to all covered entity customers.

    Our HIPAA program is actively monitored using automated compliance tooling and reviewed on a regular cadence.
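The tokenization-at-capture model described under PCI DSS, as an added illustration in Python (not Rectangle Health's or Bridge Payments' implementation). It assumes an in-memory vault standing in for an HSM/KMS-backed store, an HMAC lookup key that in production would come from a key manager, and a single privileged role name ("payment-gateway") allowed to recover a PAN; all of those are choices made for the example. The practice-facing application only ever holds a random token and the last four digits, which PCI DSS permits to be retained for display.

```python
"""Tokenization at capture: the PAN is exchanged for a random handle and only the
vault, which stays in PCI scope, ever sees the card number again.  Added example,
not Rectangle Health code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample input: published test card numbers, not real cards.
SAMPLE_PANS = {"visa": "4111 1111 1111 1111", "mastercard": "5555555555554444"}


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it reaches the vault (digits only, 12-19 long)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardToken:
    token: str   # random handle; carries no information about the PAN
    last4: str   # the only PAN fragment retained outside the vault, for receipts


class TokenVault:
    """Stand-in for the PCI-scoped vault (assumed HSM/KMS-backed in production).

    Tokens are random rather than derived from the PAN, so nothing outside the
    vault can reverse them.  A keyed hash lets the vault hand back the same
    token for a repeat card without keeping a plaintext index of PANs.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key                      # assumed to come from a KMS
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> CardToken:
        pan = raw_pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)     # 192 bits of randomness
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = pan
        return CardToken(token=token, last4=pan[-4:])

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the component that talks to the card network may recover a PAN."""
        if caller_role != "payment-gateway":               # hypothetical role name
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def capture_payment(vault: TokenVault, raw_pan: str, amount_cents: int) -> dict:
    """What the practice-facing application stores for a charge: never the PAN."""
    card = vault.tokenize(raw_pan)
    return {"card_token": card.token, "card_last4": card.last4, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    record = capture_payment(vault, SAMPLE_PANS["visa"], 12500)
    print(record)   # token and last four digits only; the full PAN never appears here
```

The point to check in any real system is the one the example makes visible: grep the application's datastores and logs for anything that passes luhn_valid, and confirm that detokenize is reachable from exactly one service identity.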

Further reading: How to choose a payment partner that protects both card and patient data

Additional compliance frameworks

  • HITRUST Certified

    HITRUST CSF — Common Security Framework

    Status: Certified

    HITRUST certification provides a unified framework covering HIPAA, NIST CSF, ISO 27001, and other standards. Our certification demonstrates enterprise-grade information security controls that extend well beyond individual regulatory requirements.

    Certificate available on request.

  • AICPA SOC 2 attestation

    SOC 2 Type II

    Status: Attested

    Independent third-party attestation of our security, availability, and confidentiality controls over a 12-month observation period. Report available to customers and prospects under NDA.


Security controls

DATA SECURITY AND ENCRYPTION

  • Encryption at rest

    AES-256 symmetric encryption. All PHI and cardholder data is encrypted at rest across production environments.

  • Data isolation

    Tenant data is logically isolated. Production environments are strictly separated from development and staging, with anonymized data in non-production environments.

ACCESS CONTROLS AND IDENTITY

  • MFA enforced

    Multi-factor authentication is required on all internal systems and customer-facing portals without exception.

  • Session management

    Configurable session timeouts. Forced re-authentication on sensitive actions. Concurrent session controls enforced.
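The three session controls listed above (configurable timeouts, re-authentication on sensitive actions, a cap on concurrent sessions), as an added illustration in Python of how a portal might enforce them together. This is example code, not Rectangle Health's implementation; the timeout values, the cap of two sessions per user, and the in-memory session table are assumptions chosen for the example, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Session lifecycle for a web portal: idle and absolute timeouts, step-up
re-authentication for sensitive actions, and a concurrent-session cap.
Added example, not Rectangle Health code."""
import secrets
import time
from dataclasses import dataclass


class SessionExpired(Exception):
    pass


class StepUpRequired(Exception):
    pass


@dataclass
class Session:
    sid: str
    user: str
    created: float
    last_seen: float
    last_auth: float   # last time the user proved identity (password and/or MFA)


class SessionManager:
    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600,
                 reauth_window=5 * 60, max_concurrent=2, clock=time.time):
        # Assumed defaults: 15 min idle, 8 h absolute, 5 min step-up window, 2 sessions.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.reauth_window = reauth_window
        self.max_concurrent = max_concurrent
        self._clock = clock                      # injectable so tests can move time
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session; evict the user's oldest sessions beyond the cap."""
        now = self._clock()
        mine = sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.created)
        while len(mine) >= self.max_concurrent:
            del self._sessions[mine.pop(0).sid]
        sid = secrets.token_urlsafe(32)          # 256-bit random identifier
        self._sessions[sid] = Session(sid, user, now, now, now)
        return sid

    def touch(self, sid: str) -> Session:
        """Validate a request; expired sessions are removed, not merely rejected."""
        s = self._sessions.get(sid)
        if s is None:
            raise SessionExpired("unknown or revoked session")
        now = self._clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self._sessions[sid]
            raise SessionExpired("session timed out")
        s.last_seen = now
        return s

    def require_fresh_auth(self, sid: str, action: str) -> Session:
        """Gate sensitive actions on a recent credential check, not just a live session."""
        s = self.touch(sid)
        if self._clock() - s.last_auth > self.reauth_window:
            raise StepUpRequired(f"{action!r} requires re-authentication")
        return s

    def reauthenticate(self, sid: str) -> None:
        """Called after the user re-enters their password or completes MFA."""
        self.touch(sid).last_auth = self._clock()

    def is_active(self, sid: str) -> bool:
        """True if the session is still valid; counts as activity on the session."""
        try:
            self.touch(sid)
            return True
        except SessionExpired:
            return False

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


if __name__ == "__main__":
    mgr = SessionManager()
    sid = mgr.login("front-desk")
    try:
        mgr.require_fresh_auth(sid, "issue refund")
        print("fresh login: refund allowed without step-up")
    except StepUpRequired as exc:
        print(exc)
```

Two details matter more than the timeout numbers: the step-up check keys off last_auth rather than last_seen, so an attacker holding a hijacked but recently active session still cannot issue a refund, and expired sessions are deleted on the request that discovers them rather than lingering in the table.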

MONITORING, DETECTION, AND INCIDENT RESPONSE

  • 24/7 SIEM monitoring

    Real-time log aggregation and anomaly detection across all production systems. Alerts route to an on-call security team around the clock.

  • Annual penetration testing

    Independent third-party penetration testing of the external attack surface, internal systems, and APIs. Findings drive remediation priorities.

PEOPLE, TRAINING, AND SECURE DEVELOPMENT

  • HIPAA security training

    All employees in scope complete HIPAA security training annually, consistent with regulatory and industry expectations.

  • Secure development (SDLC)

    Software development follows established security standards: secure coding practices, controlled access to source and build systems, routine vulnerability testing, and logging, so that exploitable defects are caught before release.

INFRASTRUCTURE AND AVAILABILITY

  • Physical infrastructure

    Rectangle Health hosts its platform on Amazon Web Services (AWS). AWS operates the underlying infrastructure under its own SOC reports, PCI DSS Level 1 service provider validation, and ISO 27001 certification. Under the shared responsibility model those attestations cover AWS's physical facilities, hardware, and hypervisor layer; Rectangle Health remains responsible for what runs on top of them, including configuration, identity, data, and application code.

  • Redundant architecture

    Multi-availability-zone deployment on AWS. No single points of failure in the production environment.

Vendor and subprocessor management

  • Rectangle Health maintains a formal Third-Party Risk Management (TPRM) program to identify, assess, and manage security risks posed by vendors that support our systems or access data.

  • All vendors with access to PHI or payment data are required to execute a BAA and/or DPA prior to onboarding, and are assessed against our security standards on an ongoing basis.

  • Our business continuity program explicitly accounts for third-party disruption scenarios, with defined contingency procedures and customer communication protocols.

Policies

  • Privacy

    Rectangle Health's Privacy Policy describes how we collect, store, use, and share voluntarily provided personal information. Rectangle Health does not use or disclose personal information other than as permitted in our Privacy Policy and applicable agreements with customers.

  • Responsible disclosure

    If you've identified a potential security vulnerability in Rectangle Health's products or infrastructure, we encourage responsible disclosure. Our security team responds within 48 hours.
