Security & Compliance for Healthcare Payments

Our Certifications and Third-Party Attestations for Healthcare Payment Security

We’re committed to the highest security and compliance standards in healthcare. Inbox Health engages external certifying bodies to ensure the policies, processes, and controls established and operated by Inbox Health meet or exceed applicable regulatory requirements and industry best practices.

HIPAA Compliant

Inbox Health is compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA), providing a secure environment to process, maintain, and store protected health information.

PCI Compliant

Inbox Health is compliant with the Payment Card Industry Data Security Standard (PCI DSS) version 4.0.1 for the handling of credit card information.

SOC 2

Inbox Health maintains a rigorous SOC 2 Type 2 compliance standard ensuring reliable system availability and robust data integrity, as well as the highest levels of security, confidentiality, and privacy for your sensitive data.

Trust Service Principles

An independent assessment covers all five trust service principles (TSPs): security, availability, processing integrity, confidentiality, and privacy. The assessment is conducted through a cloud-based compliance vendor that hosts the independent inspectors, provides them with documentation of Inbox Health’s controls, and samples and tests Inbox Health’s systems.

NIST

Inbox Health is compliant with National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems).

Two-Factor Authentication

Inbox Health requires two-factor authentication to provide an extra layer of security. Users must present two credentials (password and a one-time code) to verify identity for login.

Get started with Inbox Health today

Inbox Health was built for medical billers. Click below and schedule a quick chat – let’s get to know each other.


Your questions about Inbox Health's Security & Compliance, answered

  • What compliance requirements apply to healthcare payment platforms?

    Healthcare payment platforms must meet two overlapping sets of requirements. HIPAA governs how protected health information (PHI) — including patient names, billing records, and payment receipts — is created, stored, and transmitted. PCI DSS governs how payment card data is handled during transactions. A platform that processes both patient data and card payments, as Inbox Health does, must be independently verified for compliance with both standards.

  • Does Inbox Health sign Business Associate Agreements (BAAs)?

    Yes. As a HIPAA-covered Business Associate, Inbox Health executes a Business Associate Agreement with every practice or billing company we work with. A BAA is a legally required document that defines how we handle your patients’ protected health information and what our obligations are in the event of a breach or security incident.

  • What is the difference between PCI compliance and HIPAA compliance?

    PCI DSS (Payment Card Industry Data Security Standard) protects credit and debit card data from fraud and theft. HIPAA protects protected health information (PHI) — any data that links a patient’s identity to their medical or billing history. In healthcare payments, both frameworks apply simultaneously. Satisfying one does not satisfy the other, which is why a billing platform should hold independent certifications for both.

  • What does SOC 2 Type 2 mean for my practice or billing company?

    A SOC 2 Type 2 report means an independent auditor has verified that Inbox Health’s security controls — covering security, availability, processing integrity, confidentiality, and privacy — operate effectively over time, not just on paper. For your practice or billing company, it means you have third-party proof that your vendor’s security posture is real and sustained.

  • How does Inbox Health protect patient data from cybersecurity threats?

    Inbox Health protects patient billing data through a layered security approach: end-to-end encryption for data in transit and at rest, tokenization to prevent raw card data from being retained, two-factor authentication enforced for all users, role-based access controls, and continuous audit logging. Our SOC 2 Type 2 certification verifies that these controls are audited and maintained on an ongoing basis.

  • What happens if there is a data breach?

    Inbox Health maintains documented incident response procedures aligned with HIPAA’s breach notification requirements. In the event of a confirmed breach involving protected health information, we notify affected clients and coordinate disclosure within the regulatory timeframes required by HIPAA — typically within 60 days of discovery for covered entities.
