All systems operationalSynthetic demo · No PHI

Compliance & security

Trust is not part of the architecture. It is the foundation.

Doctors and nurses extend trust to their patients every day. FlexCare Nexus is built to earn theirs the same way — quietly, consistently, and in every detail: auditable signals, human review, and honest language about what the platform does and does not decide.

Commitments

Compliance posture, stated plainly.

Each item below is labeled honestly: what is built into the product today, what is a design principle, and what is on the certification roadmap. No compliance theater.

Design principle

HIPAA-aligned architecture

Access controls, minimum-necessary data handling, and audit trails are designed to align with HIPAA administrative, physical, and technical safeguards.

Roadmap

SOC 2 Type II

Controls are being built and documented against the Trust Services Criteria in preparation for a formal SOC 2 Type II examination.

Built in

Role-based access

Every workspace is permissioned by role. Clinical, integrity, and executive views expose only what each responsibility requires.

Built in

Encryption everywhere

Data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Session cookies are HTTP-only, signed, and short-lived.

Built in

Immutable audit logging

Signal creation, assignment, review, and resolution are recorded as an append-only event history visible inside the product.

Built in

Tenant data isolation

Every query is scoped to the authenticated organization and user. No cross-tenant reads, ever — enforced at the data layer.

Data stewardship

Handle every record like a clinician is watching.

Because one is. The people who use Nexus are accountable for real members — so the platform treats data access as a clinical act: deliberate, scoped, and recorded.

  • Synthetic demo data only

    Every name, date of birth, identifier, code, claim, and record in this environment is synthetic. No PHI is stored, processed, or displayed.

  • Identifier masking

    Member 360 ships with one-touch identifier masking so clinicians can review population views in shared or public settings.

  • Minimum necessary by default

    Views are scoped to the working task. Longitudinal detail is opened deliberately, logged, and closed — never left ambient on screen.

  • Retention with intent

    Operational data is retained per program requirements; review artifacts are preserved for audit defensibility, then archived on schedule.

Responsible AI

Signals prompt review. People make determinations.

Integrity Signals™ never accuse and never auto-deny. When Nexus detects a discrepancy between care delivered and care billed, it assembles the evidence chain, assigns a qualified professional, and holds the claim until a human decides. Every step is logged.

  • A licensed professional reviews every signal before any action
  • Evidence chains link the service, note, authorization, and claim
  • Modeled savings are labeled illustrative — never guaranteed
  • Audit history is append-only and visible inside the product
Signal lifecycle
  1. Signal detected

    Discrepancy identified; claim automatically held

  2. Professional assigned

    Routed to a licensed reviewer with full evidence

  3. Evidence reviewed

    Service, note, authorization, and claim compared

  4. Human determination

    Reviewer resolves, corrects, or escalates

  5. Audit preserved

    Every action recorded in the append-only history

Documentation integrity

Compliant notes are the first line of defense.

Nexus anchors every behavioral health encounter to a structured PIRP note — the same discipline auditors look for. When the note, the code, and the claim agree, care moves. When they disagree, a signal fires before the claim ever leaves the building.

P

01 · Problem

Presenting concern, functional impact, and the medical necessity of the session — captured in the clinician's words.

I

02 · Intervention

The specific clinical techniques delivered, skills modeled, and strengths reinforced during the encounter.

R

03 · Response

How the member engaged and responded, including progress against goals and any risk assessment performed.

P

04 · Plan

Next steps, frequency, homework, and coordination — the forward path that ties the note to the care plan.

PIRP: Problem, Intervention, Response, Plan — a documentation standard for behavioral health progress notes.

Questions, concerns, or disclosures?

Security researchers, compliance officers, and program partners can reach the FlexCare team directly. We respond to responsible disclosures and compliance inquiries as a priority.

This environment is a synthetic MVP. All data is fictitious, no PHI is processed, and certification statements labeled "Roadmap" describe planned — not completed — audits.