Security overview
RemoteFrontDesk is built to handle Protected Health Information (PHI) on behalf of medical practices and medspas. Our security program is designed around the HIPAA Security Rule and standard healthcare data protection practices.
This page summarizes the technical and administrative controls we maintain. For our HIPAA-specific commitments, see our HIPAA & BAA page.
Data encryption
In transit
All data transmitted between our staff, our clients' systems, and any RemoteFrontDesk-managed infrastructure is encrypted using TLS 1.2 or higher. Plain HTTP connections to client systems are blocked by policy.
At rest
Our staff do not store PHI on their local devices. All work happens within your client systems (EHR, scheduling tool, billing platform). Where temporary caching is unavoidable, data is held in encrypted system stores and purged on session end.
RemoteFrontDesk-managed infrastructure uses AES-256 encryption at rest for any data that is HIPAA-relevant.
Access controls
- Least privilege by default. Front Desk Pros receive only the access required for the specific workflows you have delegated. A staffer doing scheduling-only work does not receive billing system access.
- Multi-factor authentication required for every client-system login. No exceptions.
- Role-based access provisioning. Access is provisioned through your normal user-management workflow — RemoteFrontDesk does not have administrative access to your EHR.
- Quarterly access reviews. We audit who has access to what, every quarter, and remove access that is no longer needed.
- Automatic revocation on termination. If a staffer leaves RemoteFrontDesk, your designated contact is notified within 24 hours and we coordinate access revocation immediately.
Device and workstation security
Every Front Desk Pro works from a device that meets our security baseline:
- Full-disk encryption (FileVault or BitLocker) enabled
- Operating system updates installed within 14 days of release
- Active anti-malware protection from a reputable vendor
- Screen-lock policy: 5 minutes maximum, password required to resume
- No use of public Wi-Fi for client work without a VPN
- Webcam covers and physical privacy screens required for staff handling sensitive specialty workflows
We can provide attestation that a specific staffer's device meets these requirements before they are assigned to your practice.
Employee security training
All RemoteFrontDesk staff complete security training before placement and quarterly thereafter, covering:
- HIPAA Security Rule fundamentals and PHI handling
- Phishing recognition and incident reporting
- Password hygiene and credential management
- Social engineering awareness (especially relevant for staff handling patient phone calls)
- Physical security in remote work environments
Failed phishing simulations result in mandatory retraining. Repeat failures result in termination.
Audit logging
We log every PHI-relevant action by our staff on your behalf:
- Login and logout events (timestamped, with source IP)
- Record access (patient records viewed, modified)
- Communication actions (calls placed, messages sent on your behalf)
- Administrative actions (access requests, password changes)
Logs are retained for a minimum of 6 years to align with HIPAA documentation requirements. Audit log exports are available to your practice on request — typically delivered within 5 business days.
Incident response
Security incidents are managed by our Security Officer under our written Incident Response Plan. Response begins within one hour of detection.
For details on breach notification procedures, see the Incident response section of our HIPAA page.
How to report a security concern
If you have identified a vulnerability, suspected breach, or other security concern related to RemoteFrontDesk:
Email: security@remotefrontdesk.com
Urgent issues: Mark the subject "URGENT — security incident" and we will respond within 4 hours during business hours, within 12 hours otherwise.
We take all reports seriously. We do not retaliate against good-faith reporters, including independent security researchers.