Security & Privacy

Privacy + Security

FirstCall Telehealth is designed from the ground up to protect workforce health data. We safeguard protected health information, occupational injury records, and employer operational data with administrative, technical, and physical safeguards aligned with HIPAA requirements and industry‑recognized security frameworks. This page describes our security program, privacy practices, and compliance posture for procurement, IT security, and privacy stakeholders evaluating our platform.

HIPAA-Ready Safeguards
Role-Based Access Control
Encryption In‑Transit & At‑Rest
Audit Logging
Vendor Controls & BAAs

01

What We Protect

Our platform handles sensitive data across three categories — each governed by distinct access controls and retention policies.

Protected Health Information (PHI) & PII

Clinical encounter records, diagnoses, treatment plans, prescriptions, and individually identifiable health information generated during virtual triage, bridge treatment, exposure management, and return‑to‑duty evaluations. Access is restricted to authorized clinical personnel and the individual worker where applicable.

Occupational Injury & Exposure Data

Injury reports, exposure incident records, triage tier classifications, work‑status determinations, and OSHA‑related documentation. This data includes mechanism‑of‑injury details and escalation records that support defensible clinical decision‑making and regulatory compliance.

Employer Operational Data

Aggregate case volumes, ER diversion rates, cost‑displacement analytics, and workforce injury trends visible through the employer portal. Access is role‑based — command staff, HR, safety officers, and risk managers see operational summaries without exposure to individual‑level clinical records.

02

Security Program

We maintain administrative, technical, and physical safeguards designed to protect workforce health data throughout its lifecycle.

All platform access is governed by role‑based access control (RBAC). User roles — clinician, employer administrator, safety officer, worker — are assigned based on organizational function and enforce the principle of least privilege. Each role grants access only to the data and functions required for that user's responsibilities. Multi‑factor authentication (MFA) is available for all user accounts and can be required at the organizational level. Administrative access to production systems requires MFA and is restricted to authorized personnel with documented justification. Access reviews are conducted on a regular cadence.

All data transmitted between client applications and our platform is encrypted in transit using TLS 1.2 or higher. Data at rest — including clinical records, injury reports, and personally identifiable information — is encrypted using AES‑256 or equivalent standards provided by our cloud infrastructure. Encryption key management follows documented procedures with appropriate separation of duties. Encryption configurations are reviewed as part of our periodic security assessments.

The platform maintains audit logs that capture user authentication events, data access, record modifications, permission changes, and administrative actions. Logs include timestamps, user identifiers, and action descriptions sufficient to support compliance investigations and access audits. Logs are stored in a tamper‑resistant format and retained in accordance with applicable regulatory requirements. Automated monitoring is in place to detect and alert on anomalous access patterns and potential security events.

Our software development lifecycle (SDLC) incorporates security at each stage. Code reviews, static analysis, and dependency scanning are integrated into the development pipeline. Changes to production systems follow documented change management procedures with appropriate approval workflows. Vulnerability management includes regular scanning of application and infrastructure components. Identified vulnerabilities are triaged by severity and remediated within defined timelines. We maintain a responsible disclosure process for externally reported security concerns.

We maintain a documented incident response plan that defines roles, escalation procedures, containment strategies, and communication protocols for security events. The plan is reviewed and tested on a periodic basis. In the event of a confirmed breach involving protected health information, notification will be provided to affected organizations and individuals in accordance with HIPAA breach notification requirements and applicable state laws. Notification timelines and content will meet or exceed regulatory minimums. A designated security contact is available for incident coordination at security@firstcalltelehealth.co.

03

Privacy Practices

We collect only the data necessary to deliver clinical services, comply with legal obligations, and support organizational reporting — and we limit how that data is used and disclosed.

Data Minimization & Purpose Limitation

We collect the minimum data necessary to conduct clinical encounters, generate documentation, and support employer reporting. Clinical data is used for treatment, payment, and health care operations as defined under HIPAA. Employer‑facing analytics are derived from aggregate and de‑identified data wherever possible. We do not sell workforce health data. We do not use clinical encounter data for marketing purposes.

Individual Rights

Where applicable under HIPAA and state law, individuals may request access to their health records, request corrections to inaccurate information, and request an accounting of disclosures. Requests can be directed to our privacy contact at security@firstcalltelehealth.co. We respond to requests within the timeframes required by applicable law.

When Information Is Shared

Information may be disclosed to: treating providers involved in the worker's care; the employer to the extent permitted by HIPAA and workers' compensation law (e.g., work‑status determinations, fitness‑for‑duty clearances); subcontractors and vendors operating under executed Business Associate Agreements (BAAs); and as required by law, including OSHA reporting obligations and legal process. Employer portal access is structured so that command staff, HR, and safety officers receive operational information without access to full clinical records.

Injured Worker Sensitivity

We recognize that occupational injury data exists in a context where workers may be concerned about employment consequences. Our access controls are specifically designed to ensure that employers receive only the operational information necessary for return‑to‑work planning, scheduling, and regulatory compliance — not detailed clinical records. This separation is enforced at the platform level, not by policy alone.

04

Compliance & Standards

Our security and privacy program is designed to align with recognized healthcare and information security frameworks.

HIPAA

Health Insurance Portability and Accountability Act

FirstCall maintains administrative, technical, and physical safeguards designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. When acting as a covered entity or business associate, we implement safeguards appropriate to the nature of the protected health information we create, receive, maintain, or transmit. Business Associate Agreements are executed with all applicable partners.

NIST-Aligned

Security Controls Framework

Our security controls are designed to align with NIST SP 800-53 and NIST Cybersecurity Framework principles. This alignment informs our approach to access management, incident response, continuous monitoring, and risk assessment. We use these frameworks as operational guides — not as a claimed certification.

Agreements

BAAs & DPAs Available

Business Associate Agreements (BAAs) and Data Processing Addenda (DPAs) are available upon request and are executed as part of every enterprise engagement. These agreements define data handling obligations, permitted uses, breach notification commitments, and subcontractor requirements.

Assessments

Risk Assessments & Audits

We conduct periodic risk assessments to identify, evaluate, and address threats to the confidentiality, integrity, and availability of protected information. Assessment scope covers administrative processes, technical controls, and physical safeguards. Assessment methodology and findings summaries are available to enterprise clients upon request under appropriate confidentiality terms.

05

Data Hosting & Retention

Data is securely hosted using reliable cloud infrastructure to ensure safety, privacy, and continuous availability.

Secure Cloud Hosting

Production data is hosted on enterprise‑grade cloud infrastructure with physical security controls, network segmentation, and redundancy. Hosting environments are located within the United States. Infrastructure providers maintain their own compliance programs (details available upon request).

Backups & Recovery

Data is backed up on a regular schedule with encrypted backup storage. Recovery procedures are documented and tested periodically. Backup retention periods are configured to support both operational recovery and regulatory requirements.

Retention Periods

Data retention periods vary by data type, contractual agreement, and applicable legal requirements (including state‑specific workers' compensation record‑keeping laws and OSHA retention requirements). Specific retention schedules are documented in enterprise agreements. Data destruction follows documented procedures upon expiration of retention obligations.

06

Vendor Management

Third‑party vendors and subprocessors that access, store, or process protected information on our behalf are subject to security and privacy due diligence prior to engagement.

Security Package Available

BAA template, Data Processing Addendum, security program overview, architecture summary, and subprocessor list are available upon request. Contact security@firstcalltelehealth.co or use the request form below.

07

Frequently Asked Questions

Common questions from procurement, IT security, and privacy teams evaluating FirstCall for their organization.

Yes. We execute Business Associate Agreements with all enterprise clients as a standard part of our engagement process. A BAA template is included in our security package and can be provided during the evaluation phase. We also support mutual BAAs where the client organization acts as a covered entity.

Production data is stored on enterprise‑grade cloud infrastructure located within the United States. Specific hosting provider details and data residency information are available in our security package upon request. We do not store production data outside the United States without explicit contractual agreement.

Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES‑256 or equivalent encryption provided by our cloud infrastructure. Encryption extends to databases, file storage, and backups. Key management follows documented procedures with appropriate access controls.

Employers access the platform through the employer portal, which provides operational information: case status, work‑status determinations (full duty, modified duty, off duty), return‑to‑duty dates, and aggregate analytics. Full clinical records — including diagnoses, treatment plans, and examination findings — are not accessible through the employer portal. This separation is enforced by role‑based access controls at the platform level.

We maintain a documented incident response plan with defined roles, escalation procedures, and communication protocols. In the event of a confirmed breach involving protected health information, we notify affected organizations and individuals in accordance with HIPAA breach notification requirements and applicable state laws. Our security team can be reached at security@firstcalltelehealth.co for incident coordination.

The employer portal includes access to audit logs relevant to the organization's use of the platform — including user login events, case access records, and data export activity. More detailed audit log access and custom reporting may be available under enterprise agreements. Log format and retention details are included in the security package.

SSO integration is available for enterprise accounts and can be configured to work with your organization's identity provider. Specific SSO protocol support and configuration requirements are documented in our integration guide, available as part of the security package. Contact our team to discuss your organization's identity management requirements.

Retention periods vary by data type, contractual terms, and applicable law — including state‑specific workers' compensation record‑keeping requirements and OSHA retention obligations. Specific retention schedules are documented in enterprise agreements. Upon expiration of retention obligations, data is destroyed following documented procedures. We do not retain data beyond what is legally and contractually required.