Alma Health AI
Security and trust

Built for healthcare. Built for trust.

Alma Health AI handles health information — the most sensitive data there is. We treat it that way.

Our commitments

Four commitments.

HIPAA-aligned design

The Alma platform is designed to meet the administrative, physical, and technical safeguards required for protected health information. Note: "HIPAA-compliant" is not a status that exists for software; we describe our design intent honestly.

Encryption in transit and at rest

Industry-standard encryption in transit and at rest. Access is authenticated, logged, and role-restricted on a need-to-know basis.

We do not sell patient data

Patient data is used to deliver the service and improve the engine — nothing else.

Business Associate Agreements

Alma executes a BAA with every provider organization and health plan customer handling protected health information.

Infrastructure attestation

Hosted on SOC 2 Type II–attested platforms.

Database and application infrastructure is hosted on SOC 2 Type II–attested platforms (Supabase, Vercel). The platform attestations cover the underlying hosting, network, and data-center controls — the layer where PHI lives at rest.

Alma's posture is to build on attested infrastructure rather than maintain a separate Alma-level SOC 2 audit. HIPAA-aligned application design, encryption, role-based access, and the audit trail described below sit on top of that foundation. Platform attestation reports are issued by the providers; Alma's application security posture is available under NDA for diligence reviewers.

PHI scope

Marketing site is not in PHI scope.

The website at almahealthai.com does not collect, transmit, or store patient data. Form submissions collect only commercial contact data — name, email, organization, audience type, brief message. The product application at app.almahealthai.com is the HIPAA-scoped surface and is governed by separate architecture and security practices. No BAA is required for the marketing site itself.

Audit trail

Versioned. Auditable. Defensible.

Every recommendation made in Referral Review is timestamped, audit-tagged, and bound to the engine version and guideline source active at the time. The record per referral is immutable. The engine tracks which guidelines underpin each pathway — and when those guidelines update, the version history remains intact. A documented guideline-concordant decision is a defensible decision (Studdert et al., NEJM 2006).

Closed-loop accountability requires immutable audit records. Every AI-assisted recommendation is logged with source attribution, model version, guideline version, timestamp, and clinician decision (override or accept). The audit trail is queryable, exportable, and built for plan reviews and CMS data validation.

Regulatory framing

Same regulatory category as UpToDate.

A clinical reference tool. Recommends. Does not prescribe, order, or refer.

The PCP's independent clinical judgment remains the standard of care.

The audit trail documents the recommendation and the clinician's decision.

We recommend general counsel review as part of pilot planning. Every client has.

Penetration testing

Cadence and most recent test.

Internal security review is conducted on each major release. Independent third-party penetration testing is in scoping; details available under NDA for diligence reviewers.

For security and compliance questions, please reach us via the contact form.