Security & Compliance Overview

RetentionHealth is designed as lightweight revenue stabilization infrastructure for subscription-based healthcare programs.

Security, simplicity, and minimal data exposure are core design principles.

Pilot Phase Data Design

The 8-week pilot program is intentionally structured to avoid handling Protected Health Information (PHI).

During the pilot:

  • No patient names are collected
  • No patient contact information is collected
  • No medical records are accessed
  • No EMR integration is required
  • No patient identifiers are stored

All measurements during the pilot are aggregated at the group level for stabilization analysis.

This design eliminates the need for legal review, EMR integration, or a HIPAA Business Associate Agreement (BAA) during pilot participation.

What Is a BAA?

A Business Associate Agreement (BAA) is a legal contract required under HIPAA when a third party handles patient-identifiable health information.

Because the pilot avoids collecting or storing patient-identifiable data, a BAA is not required during the validation phase.

If clinics transition to a post-pilot retention system involving patient-level tracking, BAAs will be executed at that time.

Infrastructure

RetentionHealth is hosted on Cloudflare's global edge network.

Core infrastructure includes:

  • Cloudflare Workers (serverless execution)
  • Cloudflare Pages (static frontend hosting)
  • Encrypted HTTPS connections
  • TLS encryption for all data in transit

The system is designed to minimize stored data and reduce exposure surface area.

Data Scope During Pilot

RetentionHealth does not:

  • Replace clinical systems
  • Provide medical decision-making
  • Modify prescribed medication protocols
  • Store Protected Health Information
  • Integrate with EMR systems during the pilot phase

Behavioral inputs entered into the system during the pilot are not associated with identifiable patient records and are used solely to generate adaptive reinforcement messaging within the session context.

No longitudinal patient profiles are stored during the pilot phase.

Access Controls

Clinic-level dashboards are accessible only through secure authentication.

Administrative access is restricted to authorized personnel.

Role-based access controls are implemented at the application layer.

Post-Pilot Compliance Expansion

If measurable drop-off reduction is demonstrated and clinics choose to move forward, RetentionHealth will transition to:

  • HIPAA-compliant cloud infrastructure
  • Encrypted patient identifiers
  • Signed Business Associate Agreements
  • Audit logs and access controls aligned with healthcare standards

Compliance expansion occurs only after value is validated.

Security Contact

For security-related inquiries: security@retentionhealth.com

Design Philosophy

RetentionHealth is engineered to minimize legal complexity during validation.

The pilot phase focuses on measurable stabilization without increasing compliance burden for participating clinics.

Security architecture evolves intentionally as the platform scales.