Security
Insight Health is SOC 2 Type II certified and HIPAA compliant. All webhook integrations must meet the following security requirements.
Requirements
| Requirement | Details |
|---|---|
| HTTPS only | All API calls must use HTTPS. HTTP requests are rejected. |
| HMAC verification | Always verify the X-Webhook-Signature header when receiving outbound notes. Use timing-safe comparison (hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js). |
| Credential storage | Store API keys and signing keys in a secrets manager or environment variables. Never hardcode in source code or commit to version control. |
| Key rotation | Contact Insight Health to rotate keys. We support zero-downtime rotation by accepting both old and new keys during a transition window. |
| IP allowlisting | If your firewall requires allowlisting, contact Insight Health for our egress IP ranges. |
| HIPAA compliance | A BAA is executed during onboarding. All data is encrypted in transit (TLS 1.2+) and at rest. |
| PHI in payloads | Appointment payloads contain PHI (patient name, DOB, contact info). Both parties are responsible for handling this data in accordance with HIPAA. |
Never log the raw request body in production. Appointment and note payloads contain Protected Health Information (PHI) including patient names, dates of birth, and contact information.
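A receiver-side verifier for the X-Webhook-Signature check in the table, written here as an added example (not Insight Health's own code). It assumes the header is a lowercase hex HMAC-SHA256 over the raw request body, which the page does not specify, and accepts a list of candidate keys so the zero-downtime rotation window can be honoured without a deploy; `SAMPLE_BODY` and the keys are constructed values.

```python
import hmac
import hashlib
from typing import Iterable, Optional

# Assumption (not stated on the page): the X-Webhook-Signature header is a
# lowercase hex HMAC-SHA256 digest computed over the exact raw request bytes.
def compute_signature(signing_key: bytes, raw_body: bytes) -> str:
    return hmac.new(signing_key, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header_value: Optional[str],
                   signing_keys: Iterable[bytes]) -> bool:
    """True if the header matches the HMAC of raw_body under any accepted key.

    Passing both the previous and the current key mirrors the rotation window
    in the requirements table; drop the old key once rotation has completed.
    raw_body must be the bytes as received, not a re-serialised JSON object.
    """
    if not header_value:
        return False
    presented = header_value.strip().lower().encode("ascii", "replace")
    matched = False
    for key in signing_keys:
        expected = compute_signature(key, raw_body).encode("ascii")
        # compare_digest runs in time independent of where the values differ,
        # so an attacker cannot learn the digest byte by byte from latency.
        if hmac.compare_digest(expected, presented):
            matched = True  # no early return: every key costs the same time
    return matched


def handle_webhook(raw_body: bytes, headers: dict, signing_keys) -> int:
    """Minimal handler: verify first, and never log the PHI-bearing body."""
    if not verify_webhook(raw_body, headers.get("X-Webhook-Signature"), signing_keys):
        return 401  # reject before parsing or persisting anything
    # ... process the appointment or note payload here ...
    return 200


# Constructed sample values; real keys come from a secrets manager.
CURRENT_KEY = b"constructed-current-signing-key"
PREVIOUS_KEY = b"constructed-previous-signing-key"
SAMPLE_BODY = b'{"event":"appointment.created","appointment_id":"apt_123"}'

if __name__ == "__main__":
    sig = compute_signature(CURRENT_KEY, SAMPLE_BODY)
    print(handle_webhook(SAMPLE_BODY, {"X-Webhook-Signature": sig},
                         [CURRENT_KEY, PREVIOUS_KEY]))  # 200
```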