Compliance Isn't Paperwork | It's Trust
LeadProfit is built on 13 years of IT security expertise, with controls designed to support HIPAA compliant workflows and alignment with SOC 2 Type II principles at the core of every design decision.
Privacy-Focused Attribution from the Ground Up
LeadProfit was designed with HIPAA compliance as a foundational requirement, not an afterthought. We understand that healthcare data demands more than standard analytics — it requires enterprise-grade security, privacy-safe matching, and comprehensive audit trails for SMB healthcare organizations.
| Feature | Implementation |
|---|---|
| Minimized PHI Exposure | All patient matching uses a marketing identifier that is not identity expanding, and no PHI/PII is logged after processing. |
| BAAs Available and Executed as Required | Business Associate Agreements executed with all EMR partners and data processors |
| Encryption at Rest | AES-256 encryption for applicable stored data |
| Encryption in Transit | TLS for data transmission |
| Access Controls | Role-based access control (RBAC) with multi-factor authentication (MFA) |
| Audit Trails | Comprehensive logging of all data access and system events |
| Data Minimization | Only essential data is collected and retained; automatic purging after retention period |
| U.S. Data Storage | All data stored exclusively in U.S.-based data centers designed to support HIPAA-compliant operations |
Enterprise-Grade Security for Healthcare Data
LeadProfit’s security architecture is designed to meet the stringent requirements of healthcare technology. Built by a 13-year IT security expert, our platform incorporates defense-in-depth principles, zero-trust networking, and continuous security monitoring.
- Infrastructure Security
  - HIPAA-compliant cloud hosting
  - Network segmentation and firewall protection
  - DDoS protection and intrusion detection
  - Regular penetration testing
- Application Security
  - Secure coding practices and code review
  - Input validation and SQL injection prevention
  - Cross-site scripting (XSS) protection
  - Regular security updates and patch management
- Data Security
  - AES-256 encryption at rest
  - TLS 1.3 encryption in transit
  - Hashed patient identifiers (SHA-256 with salt)
  - Secure key management (HSM or KMS)
- Access Security
  - Role-based access control (RBAC)
  - Multi-factor authentication (MFA) required
  - Session management and timeout policies
  - Principle of least privilege
- Monitoring & Response
  - 24/7 security monitoring and alerting
  - Comprehensive audit logging
  - Incident response plan and procedures
  - Regular security training for all personnel
Specifically, the system is designed to NOT:
- Persist or analyze PHI or PII for attribution purposes beyond the transient, point-in-time resolution steps required to close revenue attribution
- Use IP addresses, device fingerprints, or behavioral tracking signals
- Use demographic or household identifiers
- Use external identity graphs or cross-platform identity stitching
Verified Compliance and Security Standards
LeadProfit is subject to periodic internal and third-party reviews to evaluate alignment with healthcare privacy requirements.
- HIPAA Compliant: designed to support HIPAA Privacy Rule and Security Rule requirements.
- SOC 2 Type II Aligned: we've built our platform from day one following SOC 2 security principles, and we will pursue complete attestation as soon as our EMR partners require it.
Compliance Support for EMR Partners
We provide compliance documentation and agreements to EMR partners upon request.
- Business Associate Agreement (BAA) template
- Security and privacy policies
- Incident response procedures
- Data processing agreements (DPAs)
- Subprocessor list and agreements
Privacy-Safe Attribution Without Compromise
LeadProfit’s attribution methodology is designed to protect patient privacy while delivering accurate ROI data. It is designed to minimize PHI handling and avoid persistent storage, and all patient matching uses privacy-safe techniques.
- Deidentified Identifiers
Patient matching uses unique identifiers. No names, email addresses, phone numbers, or other PHI are stored in LeadProfit systems.
- Data Minimization
We collect and process only the minimum data necessary for attribution in memory.
- Data Retention Limits
LeadProfit is designed to avoid persistent storage of PHI beyond transient processing. Security and audit logs are retained for six years for compliance purposes, but attribution data itself is not stored long-term and is purged automatically after processing.
- Access Restrictions
Only authorized practice administrators can access attribution reports. LeadProfit personnel never access client data except for technical support with explicit authorization.
Technical Controls
- Strict schema allow-list
- No ongoing correlation
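The following is an added illustration, not LeadProfit's own code, of how the controls named on this page fit together on a single inbound attribution event: the strict schema allow-list drops every field that is not needed for attribution, the patient identifier is replaced by a salted SHA-256 hash before anything is retained or logged, and the audit record names only the fields that were dropped, never their values. The field names (`patient_ref`, `match_token`, the allow-list), the sample events and the salt are constructed for this example; in a real deployment the salt would come from a KMS or HSM as the page describes.

```python
"""Schema allow-list plus salted identifier hashing for one attribution event.

Added example, not LeadProfit code. All field names, sample events and the
salt below are constructed for illustration.
"""
import hashlib
import json

# Hypothetical allow-list: the only inbound fields that may be carried onward.
# Anything else (names, e-mail, phone, IP addresses, device fingerprints) is
# dropped before further processing, so it can never reach storage or logs.
ALLOWED_FIELDS = frozenset({"campaign", "event_type", "revenue_cents"})
IDENTIFIER_FIELD = "patient_ref"  # hypothetical inbound identifier field
TOKEN_FIELD = "match_token"       # hypothetical output field holding the hash

# Constructed salt for the example only; a deployment would hold this in a KMS/HSM.
SAMPLE_SALT = b"example-salt-not-for-production"


def hash_identifier(identifier: str, salt: bytes) -> str:
    """Salted SHA-256 of a patient identifier, returned as 64 hex characters.

    The identifier is trimmed and lower-cased first so that the same patient
    reference written with different casing or spacing still yields one token.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(salt + normalized).hexdigest()


def minimize_event(raw: dict, salt: bytes) -> tuple[dict, dict]:
    """Apply the allow-list to one inbound event.

    Returns (clean_event, audit_record). clean_event carries only allow-listed
    fields plus the salted hash of the identifier; audit_record lists the names
    of dropped fields (never their values), so the decision is auditable
    without logging PHI/PII.
    """
    if IDENTIFIER_FIELD not in raw:
        raise ValueError("event lacks the identifier field")
    clean = {k: raw[k] for k in ALLOWED_FIELDS if k in raw}
    clean[TOKEN_FIELD] = hash_identifier(str(raw[IDENTIFIER_FIELD]), salt)
    dropped = sorted(
        k for k in raw if k not in ALLOWED_FIELDS and k != IDENTIFIER_FIELD
    )
    audit = {
        "event_type": raw.get("event_type"),
        "kept_fields": sorted(clean),
        "dropped_fields": dropped,
    }
    return clean, audit


def events_match(a: dict, b: dict) -> bool:
    """Match two minimized events on their hashed token only."""
    return a[TOKEN_FIELD] == b[TOKEN_FIELD]


def audit_json(audit: dict) -> str:
    """Serialize the audit record exactly as it would be written to the log."""
    return json.dumps(audit, sort_keys=True)


# Constructed sample events: one from a practice system, one from an ad platform.
CRM_EVENT = {
    "patient_ref": "P-10042",
    "first_name": "Ada",
    "email": "ada@example.com",
    "ip": "203.0.113.7",
    "campaign": "spring-dental",
    "event_type": "appointment_booked",
    "revenue_cents": 15000,
}
AD_EVENT = {
    "patient_ref": "p-10042 ",
    "device_fp": "not-used",
    "campaign": "spring-dental",
    "event_type": "ad_click",
}

if __name__ == "__main__":
    crm_clean, crm_audit = minimize_event(CRM_EVENT, SAMPLE_SALT)
    ad_clean, ad_audit = minimize_event(AD_EVENT, SAMPLE_SALT)
    print("clean CRM event:", crm_clean)
    print("audit record   :", audit_json(crm_audit))
    print("events match   :", events_match(crm_clean, ad_clean))
```

The audit record is deliberately built from field names and the event type alone; if a new upstream integration starts sending an extra column, it shows up in `dropped_fields` and can be reviewed without anyone reading the value, which is the behaviour the "no PHI/PII is logged after processing" row above describes.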
Comprehensive Audit Logging
LeadProfit maintains tamper-resistant security and system audit logs to support partner compliance requirements. Detailed documentation is available to EMR partners upon request.
Need More Security Information?
Download our comprehensive security whitepaper or schedule a compliance review with our team.