Fizy health
Patient data security

Patient data stays inside your clinic boundary

Fizy Health protects patient data with Postgres row-level security keyed on organization and clinic, role-based least-privilege access, TLS in transit, application-level encryption for designated high-sensitivity fields, audit trails on patient-linked cart and order activity, and engineering standards that keep PHI out of routine logs. Processing is governed by a BAA signed before production PHI is stored — with full control detail on the Security page and in the Privacy Policy.

Clinic security leads searching Fizy Health patient data security need the full stack: isolation, encryption, access, audit, and logging — not a single checkbox claim.

Start Ordering Free BAA at onboarding Security page
Row-level isolation TLS in transit Encrypted sensitive fields Least-privilege roles Per-line audit No PHI in logs
Data protection

How Fizy Health secures patient information

Patient data security on a pharmacy ops platform means keeping PHI inside the right clinic boundary, recording who accessed it, and never treating logs as a secondary chart export. Fizy Health documents these layers on the Security page; this guide maps them to the questions clinic security leads ask during vendor review.

  • Isolation

    Organization and clinic scoping in the database

    Patient, cart, and order data live in Postgres with row-level security keyed on organization and clinic assignment. Staff only see patients and orders for sites they are assigned to. Multi-location groups share one org login without data bleeding across unrelated tenants.

  • Access

    Least privilege by role and clinic assignment

    Role-based access separates prescribers, staff, and admins. Prescriber workflows carry NPI, DEA, and role gates where required. Team invites and permissions match clinic workflow — not everyone sees every patient in the organization by default.

  • Encryption

    Protected in transit and where fields demand more

    Traffic between browser, API, and database uses TLS. Designated high-sensitivity patient fields use application-level encryption at rest. Encryption at rest for infrastructure is provided by the database host; Fizy Health adds field-level protection where the threat model requires it.

  • Governance

    BAA, Privacy Policy, and audit accountability

    A BAA governs PHI processing before production go-live. The Privacy Policy describes collection, use, sharing, and retention. Patient-linked cart and order actions write audit records — see the Security page and audit trail guide for behavior detail.

Patient data security controls on the canonical Security page

HIPAA-aligned platform BAA before production PHI Row-level tenant isolation Audit on PHI-linked flows Webhook signature verification SOC 2 frameworks implemented

Who should review Fizy Health patient data security?

Built for you if

You store patient-linked order data and run formal vendor security review.

  • Security or compliance leads send questionnaires before approving a new pharmacy ops vendor.
  • You operate multi-site clinics and need isolation that matches real staff assignments.
  • You want audit trails and logging discipline documented — not implied by a HIPAA badge.
May not be ideal if

Your review scope does not include PHI on ordering platforms.

  • You only evaluate marketing-site traffic with no clinic account — production PHI controls apply after BAA onboarding.
  • You need a specific certification report today — request security documentation under NDA.
  • You expect Fizy Health to be your system of record for clinical charting — EMR remains your clinical record.
Security in product

Patient-linked surfaces protected by platform controls

Daily ordering workflows are where patient data moves on Fizy Health — on infrastructure designed for those touches.

Explore all platform capabilities
Learn more

Related security and privacy guides.

See the full Fizy Health guide
FAQ

Patient data security questions clinics ask.

  • Isolation

    Can staff at one clinic see another clinic's patients?

    No — when access is scoped correctly. Row-level security and clinic assignment gates limit staff to patients and orders for assigned sites. Unrelated organization accounts cannot read each other's data.

  • Encryption

    Is patient data encrypted?

    Yes. TLS protects data in transit between browser, API, and database. Designated high-sensitivity fields use application-level encryption at rest. Infrastructure encryption at rest is provided by the database host.

  • Logging

    Does Fizy Health log patient names or prescriptions?

    Engineering standards prohibit patient names, DOB, addresses, and prescription contents in routine application logs. Investigations use identifiers and audit rows — see the Security page for logging discipline.

  • Payments

    How is payment card data handled?

    Payment methods are tokenized through the payment processor integration. Fizy Health does not store full card numbers on platform servers — per the Privacy Policy FAQ on payment handling.

  • Sharing

    Who does Fizy Health share patient data with?

    Fizy Health shares information to operate the service — including routing orders to pharmacy fulfillment partners and processing charges — under BAA and Privacy Policy terms. We do not sell patient data or use it for third-party advertising.

Protect patients by default on refill day.

Review the Security and Privacy pages, sign your BAA at onboarding, and run patient-linked ordering on tenant-isolated, audited infrastructure.

Start Ordering Free BAA at onboarding Privacy Policy