Security Overview
How we protect your data
At North Peak Care, security is not an afterthought. As a home infusion nursing company handling sensitive healthcare data, we build security into every part of our operations. This page explains in plain language how we protect the information entrusted to us by nurses, pharmacies, and patients.
Infrastructure and Encryption
All North Peak Care systems run on Google Cloud Platform, which maintains SOC 1/2/3, ISO 27001, and HIPAA compliance certifications. This means your data is hosted in the same enterprise-grade infrastructure used by major healthcare organizations.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security), the same technology used by banks and hospitals
- Encryption at rest: All stored data is encrypted using AES-256, the industry standard for protecting sensitive information
- No public storage: Documents uploaded to our portal are never stored in publicly accessible locations
How We Protect Nurse Data
Nurses who work with North Peak Care share sensitive personal and professional information with us. Here is how we keep it safe:
- Private accounts: Each nurse has their own secure login. You can only see your own information — not other nurses' data
- Credential documents: Licenses, certifications, and other uploaded documents are stored in private, encrypted cloud storage and automatically transferred to a secure file system that is not accessible from the internet
- Tax and financial data: W-9, 1099, and direct deposit information is stored with additional access restrictions, separate from other records. Only authorized administrators can access this data, and only for payroll and tax purposes
- No shared logins: Every administrator has their own account. There are no shared passwords or generic admin accounts
How We Protect Patient Information
Patient privacy is at the core of everything we do. When pharmacies submit patient documents through our portal:
- De-identified storage: Patient documents are stored using visit identification numbers (e.g., NPC-26-0001) rather than patient names. This means even if someone were to see a folder name, they would not know which patient it belongs to
- Automatic security: After documents are uploaded, they are automatically transferred to a private, access-controlled file system and the temporary upload copies are deleted
- No public links: Patient documents are never accessible via shareable links that anyone can open. When documents need to be shared with authorized personnel, access is granted to specific email addresses on a time-limited basis and automatically revoked when it expires
- Access logging: Every time patient information is accessed, it is recorded in an audit log that cannot be modified or deleted
How We Protect Pharmacy Data
Pharmacy partners access our upload portal using unique, randomly generated codes. Here is how we protect the upload process:
- Authenticated uploads: Every upload session requires authentication. Anonymous users cannot upload documents
- File validation: We only accept expected file types (PDF, JPG, PNG) up to 10 MB. This prevents malicious files from being uploaded to our systems
- Secure codes: Each pharmacy receives a unique 8-character alphanumeric access code. Codes can be deactivated immediately if compromised
- Upload confirmation: Pharmacy staff receive immediate confirmation when documents are successfully submitted
Access Controls
We follow the principle of least privilege — people only have access to the information they need:
- Role-based access: Our portal distinguishes between nurse accounts and administrator accounts. Each role can only perform actions appropriate to its responsibilities
- Protected fields: Nurses cannot modify sensitive account fields (such as their role or account status) even on their own profile. Only administrators can change these fields
- Immutable audit logs: Access logs cannot be edited or deleted by anyone, including administrators. This ensures a complete, tamper-proof record of all activity
Security Headers and Web Protection
Our web applications implement modern security protections:
- Protection against clickjacking attacks (X-Frame-Options)
- Protection against content type sniffing (X-Content-Type-Options)
- Strict referrer policies to prevent data leakage
- No caching of sensitive pages to prevent data from being stored in browser caches
Continuous Improvement
Security is an ongoing commitment. We regularly review our systems and practices to ensure they meet or exceed industry standards for healthcare data protection. If you discover a security concern, please contact us immediately at scanales@northpeakcare.com.
For details about what information we collect and how we use it, please see our Privacy Policy.