HIPAA & Compliance
Built for regulated healthcare environments and hospital procurement review.
StrokePages does not store, process, or transmit Protected Health Information (PHI). The platform is architected to keep patient data inside the hospital's own systems, which means no Business Associate Agreement is required for the StrokePages service and hospital data never leaves your environment by way of StrokePages.
HIPAA Posture
StrokePages is designed specifically to operate outside the scope of HIPAA-regulated data flows. The platform handles activation metadata — event identifiers, role-based routing information, timestamps, and notification statuses — without ever receiving patient names, dates of birth, medical record numbers, diagnostic information, or any other element that would qualify as PHI.
Because StrokePages does not function as a Business Associate under 45 C.F.R. Parts 160 and 164, no Business Associate Agreement is required to use the platform. This significantly reduces vendor onboarding friction, contractual risk, and ongoing compliance overhead for hospital customers. PHI handling for activities adjacent to StrokePages — including the underlying clinical workflow, imaging, and the hospital's electronic health record — remains entirely within the hospital's own systems and under the hospital's own policies.
Architecture and data flow are documented in the StrokePages Data Flow Overview, available to authorized hospital reviewers on request.
Risk Assessment & Security Review
StrokePages conducts security risk assessments using the NIST SP 800-30 Risk Assessment Framework, consistent with the methodology referenced in HIPAA Security Rule §164.308(a)(1)(ii)(A). The assessment evaluates the confidentiality, integrity, and availability of any electronic data processed by the StrokePages platform, including:
- System architecture and data flow
- Cloud hosting environment and database configuration
- Encryption controls for data in transit and at rest
- User access management and authentication
- Audit logging and activity monitoring
- Business continuity and disaster recovery measures
- Vendor and subprocessor risk management
- Administrative, technical, and physical safeguards
Most recent assessment: July 25, 2025. A formal HIPAA Risk Assessment Attestation Letter dated November 20, 2025 is available to authorized hospital reviewers on request.
Safeguards & Controls
StrokePages implements administrative, technical, and physical safeguards aligned with the HIPAA Security Rule, the NIST Cybersecurity Framework, and healthcare industry standards.
TECHNICAL
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- IP allow-listing
- Role-based access control (RBAC)
- Immutable audit logging
- Multi-factor authentication
- U.S.-region cloud hosting only
ADMINISTRATIVE
- Workforce access controls
- Documented security policies
- Vendor and subprocessor oversight
- Incident response procedures
- Annual security training
- Change management process
PHYSICAL
- Secure cloud infrastructure
- Provider-controlled data centers
- No on-premise systems
- Controlled administrative access
Audit Logging & Monitoring
All activity within the StrokePages platform is logged for security review and quality assurance. Audit records capture event type, authenticated user, timestamp, source IP, and resulting system action. Audit logs are stored in immutable storage and retained for at least one (1) year, or longer where required by applicable law or by hospital contract.
Activity types logged include activation events, user access events, security events, notification delivery events, and administrative changes. Logs are available to authorized hospital reviewers for audit and accreditation purposes under appropriate confidentiality terms.
Subprocessors & Third Parties
StrokePages uses a limited set of carefully selected third-party service providers to deliver the platform, including U.S.-region cloud infrastructure and standard SMS, email, and voice notification gateways. All subprocessors are evaluated under StrokePages' vendor risk management process and operate under contractual terms consistent with this compliance posture.
A current subprocessor list is available to authorized hospital reviewers on request under appropriate confidentiality terms.
Communications: SMS, Email, and Voice
StrokePages notifications to clinical staff — whether by SMS, email, push, or automated voice — contain only non-identifiable activation metadata such as event identifiers, role-based routing information, and timestamps. StrokePages messages never contain Protected Health Information on any channel.
StrokePages operates two separately registered messaging programs (a clinical stroke-alert channel and a customer-support business line), each maintained under U.S. wireless carrier 10DLC requirements with The Campaign Registry (TCR), with documented opt-in, opt-out, and anti-fraud practices.
For complete details on consent, opt-out, message frequency, fraud reporting, and the full regulatory framework (TCPA, CAN-SPAM, CTIA, and applicable state laws), see the StrokePages SMS & Email Communications Policy.
Data Use & Retention
StrokePages uses data only to support clinical operations, deliver notifications, and provide reporting and quality review to the contracting hospital. StrokePages does not sell, share, or use customer data for marketing or for any purpose outside the scope of the hospital's service agreement.
Non-identifiable activation metadata and audit logs are retained for at least one (1) year, or longer where required by applicable law, by hospital contract, or by accreditation requirements. Data is securely deleted or de-identified when no longer required for the purposes for which it was collected.
Incident Response & Notification
StrokePages maintains a documented incident response process covering detection, containment, investigation, remediation, and notification. In the event of a confirmed security incident affecting a hospital customer's data or service, StrokePages will notify the hospital's designated security or compliance contact promptly, and in any case consistent with applicable contractual and regulatory requirements.
Although StrokePages does not handle PHI — and therefore HIPAA breach notification under 45 C.F.R. §164.404 does not apply directly to StrokePages — we operate on the conservative assumption that any incident affecting customer trust is a high-priority event, and we communicate accordingly.
State & Federal Privacy Alignment
StrokePages aligns its data handling practices with applicable U.S. federal and state privacy laws, including:
- Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), to the extent applicable
- Texas Medical Records Privacy Act (HB 300), where applicable
- New York SHIELD Act, where applicable
- Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act for communications
- Other applicable state privacy and security laws
Procurement & Compliance Support
StrokePages actively supports hospital legal, IT security, and compliance teams during vendor review, contracting, audits, and accreditation preparation. We respond to vendor security questionnaires, provide architecture and data flow documentation, and participate in security review calls as needed.
Available Documentation
The following documents are available to authorized hospital reviewers on request under appropriate confidentiality terms.
| Document | Description |
|---|---|
| HIPAA Risk Assessment Attestation | Letter dated November 20, 2025, signed by the StrokePages Chief Technology Officer. Confirms most recent risk assessment completed under the NIST SP 800-30 framework. |
| Data Flow Overview | Diagram and narrative describing how activation metadata moves through the StrokePages platform, and confirming that no PHI is stored, processed, or transmitted. |
| SMS & Email Policy | Complete opt-in, opt-out, privacy, and anti-fraud policy for StrokePages messaging. (View public version at /sms-policy) |
| Subprocessor List | Current list of third-party service providers supporting the StrokePages platform. |
| Architecture & Security Brief | Technical overview of the StrokePages hosting environment, encryption standards, access controls, and audit logging. |
Request Compliance Documentation
For hospital procurement, legal, and security teams
If your organization is evaluating StrokePages and needs documentation for vendor review, please reach out. We routinely support due diligence with attestation letters, data flow diagrams, security briefs, and security questionnaire responses.
Contact
- Email: info@strokepages.com
- Phone: 646.568.6566
- Website: https://www.strokepages.com
StrokePages is a division of Upper East Care LLC. This page summarizes the StrokePages compliance posture and is provided for informational purposes. It does not constitute a contract, a Business Associate Agreement, or legal advice. Hospital customer agreements govern the contractual relationship between StrokePages and the hospital.