Security & compliance

Built for healthcare from day one.

HIPAA-compliant, SOC 2 compliant, BAAs in hand. The boring, necessary work — done before we ever look at a chart.

HIPAA-compliant — and BAA-backed

CodeMatch operates as a Business Associate under HIPAA. We sign a Business Associate Agreement before any Protected Health Information is exchanged. Every customer engagement starts there.

Encryption in transit and at rest

All data in transit is protected with TLS 1.3. All data at rest is encrypted with AES-256. Encryption keys are managed in a dedicated key management service (KMS) with strict access controls.

Read-only EHR integration

CodeMatch never writes back to your EHR. We read the documentation and proposed claim; we surface findings in our own dashboard. Your record of truth stays your record of truth.

Isolated, audited infrastructure

Customer data is logically isolated. Infrastructure runs in U.S.-based HIPAA-eligible cloud environments. Every access is logged and retained per HIPAA requirements.

Role-based access controls

Internal access to PHI is restricted to a small named set of personnel with documented need-to-know. Access is logged, reviewed quarterly, and revoked at offboarding.

SOC 2 compliant

CodeMatch is SOC 2 compliant. Our current attestation and security documentation are available to independent practices and their compliance teams under NDA.

Need our compliance documentation?

Compliance teams at independent practices can request our current security posture, BAA template, and SOC 2 attestation under NDA. We respond within one business day.

Contact max@rotationmanager.com with the subject line “Security documentation request.”

See it in 15 minutes

Bring us one claim. We’ll show you what your scrubber missed.

Walk away with a real read on your documentation gaps — even if you never buy a thing.

Request Demo

15-minute call. No prep required.