HIPAA-aligned architecture
Access controls, minimum-necessary data handling, and audit trails are designed to align with HIPAA administrative, physical, and technical safeguards.
Compliance & security
Doctors and nurses extend trust to their patients every day. FlexCare Nexus is built to earn theirs the same way — quietly, consistently, and in every detail: auditable signals, human review, and honest language about what the platform does and does not decide.
Commitments
Each item below is labeled honestly: what is built into the product today, what is a design principle, and what is on the certification roadmap. No compliance theater.
Access controls, minimum-necessary data handling, and audit trails are designed to align with HIPAA administrative, physical, and technical safeguards.
Controls are being built and documented against the Trust Services Criteria in preparation for a formal SOC 2 Type II examination.
Every workspace is permissioned by role. Clinical, integrity, and executive views expose only what each responsibility requires.
Data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Session cookies are HTTP-only, signed, and short-lived.
Signal creation, assignment, review, and resolution are recorded as an append-only event history visible inside the product.
Every query is scoped to the authenticated organization and user. No cross-tenant reads, ever — enforced at the data layer.
Data stewardship
Because one is. The people who use Nexus are accountable for real members — so the platform treats data access as a clinical act: deliberate, scoped, and recorded.
Every name, date of birth, identifier, code, claim, and record in this environment is synthetic. No PHI is stored, processed, or displayed.
Member 360 ships with one-touch identifier masking so clinicians can review population views in shared or public settings.
Views are scoped to the working task. Longitudinal detail is opened deliberately, logged, and closed — never left ambient on screen.
Operational data is retained per program requirements; review artifacts are preserved for audit defensibility, then archived on schedule.
Responsible AI
Integrity Signals™ never accuse and never auto-deny. When Nexus detects a discrepancy between care delivered and care billed, it assembles the evidence chain, assigns a qualified professional, and holds the claim until a human decides. Every step is logged.
Signal detected
Discrepancy identified; claim automatically held
Professional assigned
Routed to a licensed reviewer with full evidence
Evidence reviewed
Service, note, authorization, and claim compared
Human determination
Reviewer resolves, corrects, or escalates
Audit preserved
Every action recorded in the append-only history
Documentation integrity
Nexus anchors every behavioral health encounter to a structured PIRP note — the same discipline auditors look for. When the note, the code, and the claim agree, care moves. When they disagree, a signal fires before the claim ever leaves the building.
P
Presenting concern, functional impact, and the medical necessity of the session — captured in the clinician's words.
I
The specific clinical techniques delivered, skills modeled, and strengths reinforced during the encounter.
R
How the member engaged and responded, including progress against goals and any risk assessment performed.
P
Next steps, frequency, homework, and coordination — the forward path that ties the note to the care plan.
PIRP: Problem, Intervention, Response, Plan — a documentation standard for behavioral health progress notes.
Security researchers, compliance officers, and program partners can reach the FlexCare team directly. We respond to responsible disclosures and compliance inquiries as a priority.
This environment is a synthetic MVP. All data is fictitious, no PHI is processed, and certification statements labeled "Roadmap" describe planned — not completed — audits.