Security & Privacy

Built around research integrity and participant protection.

BeaconCR handles patient information, physician submissions, and study records with encryption, access controls, audit logs, consent versioning, and breach-response planning. Here is exactly what is in place today and what is on the roadmap.

Encryption in transit

All HTTPS endpoints use TLS 1.2+ with modern cipher suites. Internal service-to-service traffic uses encrypted tunnels.

Encryption at rest

Patient intake records, physician submissions, and study artifacts are stored with AES-256-GCM at the file level when BEACON_ENCRYPT_AT_REST is enabled. Disk volumes are encrypted at the host layer.

Access controls

Role-based permissions distinguish patients, physicians, sponsors, study coordinators, and BeaconCR administrators. Multi-factor authentication is supported for elevated roles.

Audit logs

Every record creation, edit, view, export, and access change is timestamped with actor identity and retained for review. Audit trails travel with the record.

Consent versioning

Consent forms are versioned. Each participant’s consent record points to the exact text and date they accepted. Amendments preserve history without overwriting.

Data export controls

Bulk export operations require elevated permissions, are logged, and can be revoked. Patient-level exports include re-identification risk warnings.

Role-based permissions

Eight distinct roles (SponsorAdmin, SiteInvestigator, StudyCoordinator, Patient, Physician, Reviewer, Auditor, BeaconCR-Admin) are defined, each with least-privilege defaults.

Breach response planning

The incident response runbook covers role assignments, notification timelines, forensic data collection, regulator-notification templates, and post-mortem requirements.

BAA availability or roadmap

Business Associate Agreements are available on request for relationships where BeaconCR processes PHI on behalf of a covered entity. The standard BAA template covers HIPAA Privacy Rule and Security Rule obligations.

HIPAA-aware architecture

BeaconCR is built with HIPAA-aware data handling: minimum-necessary access, de-identification options for registry-data exports, and secure messaging for PHI-bearing communications.

Data retention & minimization

Records are kept only as long as the study, regulatory obligation, or participant consent requires. Retention schedules are defined per data category, and data minimization is the default — we collect what the workflow needs, not more.

Privacy documentation

Plain-language privacy practices, participant data rights, breach-notification commitments, and the current security posture are documented and published — so patients, physicians, and sponsors can see exactly how information is handled.

Clear current compliance posture

BeaconCR describes itself as HIPAA-aware and HIPAA-aligned. Formal HIPAA certification is a roadmap item, not a current claim. We are transparent about what is in place today and what is in progress.

What “HIPAA-aware” means here

We use the phrase HIPAA-aware and HIPAA-aligned deliberately. It means BeaconCR's data handling practices are built around HIPAA Privacy Rule and Security Rule expectations — minimum-necessary access, role-based permissions, audit logging, secure messaging, encryption at rest and in transit, and Business Associate Agreement availability.

It does not mean BeaconCR has been formally certified as HIPAA compliant by an independent auditor. Formal certification is a roadmap item. We will update this page when that audit is complete.

If you are a covered entity considering BeaconCR for PHI processing on your behalf, request a current Business Associate Agreement at /contact. We will share what is in place today and what is being added.

What we will not do

  • Sell patient information to advertisers or data brokers.
  • Use patient information for any purpose other than the study a participant consented to.
  • Share PHI with third parties without a current BAA or explicit participant authorization.
  • Claim HIPAA certification we do not have.
  • Claim a study has IRB approval when it does not.
  • Hide breach notifications from affected participants, sponsors, or regulators.

Questions about how your information is handled?

Reach the BeaconCR Patient Support Team at patients@beaconcr.com, or use the contact form.
