HIPAA-Aligned, BAA-Capable
VCPMS is architected to handle protected health information with appropriate controls. We sign Business Associate Agreements (BAAs) with state programs that need them.
Key benefits
- Architected to handle PHI with appropriate access controls, encryption, and audit trails
- BAA-capable — we execute Business Associate Agreements with covered-entity programs
- Field-level change history with reason capture on victim and claimant data
- Full audit log of every PHI touch per user
Why HIPAA matters here
Victim compensation claims routinely include protected health information — medical diagnoses, mental-health treatment, forensic-exam records. State programs that receive or generate PHI are subject to HIPAA when they operate as covered entities or business associates. A platform that fumbles PHI handling exposes the program to regulatory risk.
What VCPMS does
- Encryption at rest and in transit for all tenant data.
- Role-based access control with hierarchical permissions; access to PHI-sensitive fields requires specific permissions.
- Full audit trail on every PHI access and modification (who, when, what changed, from what to what).
- Reason capture on changes to victim and claimant information.
- Section-level locking — individual data sections can be locked to prevent unauthorized modification.
- Multi-tenant isolation so one program’s PHI never leaks to another’s users.
What we don’t claim
We don’t claim “HIPAA-certified” — there is no such certification. We claim the platform is architected consistent with HIPAA requirements and we are willing to execute Business Associate Agreements with covered-entity programs. Our security posture documentation is available as part of the RFP response package.