Security & Compliance

Built for regulated environments

Radiology data is among the most sensitive PHI in healthcare. Pacslens is designed with HIPAA administrative, physical, and technical safeguards in mind at every layer of the system.

Honest framing

Pacslens is an angel-backed company. We do not claim certifications we have not completed, compliance status we have not independently verified, or clearance we have not obtained. What follows is an accurate description of the safeguards we have designed into the system and the regulatory status of our submissions.

HIPAA safeguard design

HIPAA defines three categories of safeguards (Technical, Administrative, and Physical). Each is addressed by specific design decisions in the Pacslens architecture, listed below.

Technical Safeguards

  • DICOM TLS 1.2/1.3 for all data transport — no unencrypted DICOM
  • AES-256 encryption at rest for all PHI-containing storage volumes
  • Role-based access control (RBAC) — least-privilege per user and service
  • Audit logging per 45 CFR §164.312(b) — access, modification, deletion records
  • Automatic session timeout for inactive administrative sessions
  • Signed container images for inference stack updates — tamper detection

Administrative Safeguards

  • Business Associate Agreement (BAA) available for all covered entities
  • Workforce security policy — access granted only with documented need
  • Security incident response procedures documented and tested
  • HIPAA risk analysis documentation provided to hospital partners
  • Workforce training on PHI handling and security procedures
  • Contingency plan including backup procedures and disaster recovery

Physical Safeguards

  • On-premise deployment option — all data stays within hospital network
  • Cloud VPC: single-tenant, isolated environment — no multi-tenant PHI sharing
  • AWS HIPAA-eligible services used where cloud deployment applies
  • GCP Healthcare API and HIPAA BAA available for Google Cloud deployments
  • No PHI traverses the public internet — all transport is within TLS tunnels

PHI Handling

Minimum necessary PHI

Pacslens is designed to process the minimum PHI required for triage scoring. Patient demographics required for clinical care are not required for AI triage — and we don't collect them.

What Pacslens processes

  • DICOM accession number and study UID
  • Modality (CT, MRI, XR)
  • Study date and series description
  • Pixel data — required for inference

Not required for triage scoring

  • Patient name or date of birth
  • Medical record number (MRN)
  • Social Security Number
  • Insurance or billing information
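The "minimum necessary" rule above, expressed as an allowlist filter over a DICOM header. This is an added example, not Pacslens code: the allowlist is assumed to be exactly the attributes this page lists as processed, the sample header is constructed, and the tag numbers are standard DICOM (group, element) pairs. The point a practitioner should take from it is that an allowlist drops everything not explicitly needed, including vendor private tags and any attribute a PACS might add later, whereas a denylist of known identifiers would let those through. The NEMA PS3.15 de-identification pipeline described later on this page, used before any data is retained, is a separate and larger profile and is not implemented here.

```python
"""Allowlist-based DICOM header filter illustrating the "minimum necessary"
principle. Added example; not Pacslens code. Tags are standard DICOM
(group, element) pairs; the allowlist and sample header are constructed
here to mirror the lists on this page."""

# Standard DICOM tags (group, element) -> keyword, used for readable reporting.
TAG_NAMES = {
    (0x0008, 0x0050): "AccessionNumber",
    (0x0020, 0x000D): "StudyInstanceUID",
    (0x0008, 0x0060): "Modality",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x103E): "SeriesDescription",
    (0x7FE0, 0x0010): "PixelData",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",  # carries the MRN in most hospital systems
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
    (0x0008, 0x0090): "ReferringPhysicianName",
}

# Assumption: the attributes this page lists as needed for triage scoring.
TRIAGE_ALLOWLIST = frozenset({
    (0x0008, 0x0050), (0x0020, 0x000D), (0x0008, 0x0060),
    (0x0008, 0x0020), (0x0008, 0x103E), (0x7FE0, 0x0010),
})


def is_private_tag(tag):
    """DICOM private (vendor) tags have an odd group number. They can carry
    free-text PHI and are never on the allowlist."""
    group, _ = tag
    return group % 2 == 1


def minimum_necessary(header):
    """Return a new header containing only allowlisted attributes.
    Everything not explicitly allowed is dropped: patient demographics,
    private tags, and any attribute a future scanner or PACS might add."""
    return {tag: value for tag, value in header.items() if tag in TRIAGE_ALLOWLIST}


def dropped_attributes(header):
    """Names of the attributes the filter removed, for the audit record."""
    names = []
    for tag in header:
        if tag in TRIAGE_ALLOWLIST:
            continue
        label = TAG_NAMES.get(tag)
        if label is None:
            kind = "Private" if is_private_tag(tag) else "Unknown"
            label = f"{kind}({tag[0]:04X},{tag[1]:04X})"
        names.append(label)
    return sorted(names)


# Constructed sample header: a CT study as a PACS might forward it.
SAMPLE_HEADER = {
    (0x0008, 0x0050): "ACC0001234",
    (0x0020, 0x000D): "1.2.3.4.5.6.7.8",  # constructed, not a real UID
    (0x0008, 0x0060): "CT",
    (0x0008, 0x0020): "20240115",
    (0x0008, 0x103E): "Head without contrast",
    (0x7FE0, 0x0010): b"\x00\x01\x02\x03",  # stand-in for pixel bytes
    (0x0010, 0x0010): "DOE^JANE",
    (0x0010, 0x0020): "MRN00042",
    (0x0010, 0x0030): "19700101",
    (0x0010, 0x1040): "1 Example St",
    (0x0008, 0x0090): "SMITH^JOHN",
    (0x0009, 0x1001): "vendor note with free text",  # private tag, odd group
}

if __name__ == "__main__":
    kept = minimum_necessary(SAMPLE_HEADER)
    for tag, value in kept.items():
        shown = f"<{len(value)} bytes>" if tag == (0x7FE0, 0x0010) else value
        print(f"{TAG_NAMES[tag]} = {shown}")
    print("dropped:", ", ".join(dropped_attributes(SAMPLE_HEADER)))
```

Run it directly to see the six retained attributes and the audit line naming what was dropped. Because the filter is an allowlist, the private tag in the sample is removed without anyone having had to know it existed, which is the property that matters when a new modality or vendor is connected.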

De-identification option

For hospitals that want Pacslens to contribute to model improvement, a de-identification pipeline is available. Before any pixel data or metadata is retained for re-training purposes, the following process applies:

  1. DICOM header de-identification per NEMA PS3.15 Attribute Confidentiality Profile
  2. Patient name, DOB, MRN, and the 18 HIPAA Safe Harbor identifiers removed
  3. Data use agreement signed before any retention

This option is entirely opt-in. Default deployment performs inference and discards all pixel data after scoring — nothing retained.

Regulatory status

Accurate, current regulatory positions. Updated whenever status changes.

FDA Device Status

510(k) Submission in Progress

Pacslens is preparing 510(k) premarket notification submissions for selected indications under FDA Class II medical device regulations (21 CFR Part 892). Predicate devices include cleared radiology AI tools from multiple vendors (FDA 510(k) database numbers available on request).

Until 510(k) clearance is obtained, Pacslens is available for evaluation and pilot deployment in non-diagnostic-primary-read contexts only.

HIPAA Design

Designed with HIPAA Safeguards in Mind

Pacslens is designed with HIPAA administrative, physical, and technical safeguards per 45 CFR Part 164 in mind. We are not independently "HIPAA certified" — no such government certification exists. We sign Business Associate Agreements with all covered entity hospital partners.

BAA available for all qualifying covered entity and business associate relationships.

HITRUST CSF

Designed for HITRUST CSF Controls

The Pacslens security program is designed with HITRUST CSF control objectives in mind. We have not completed a HITRUST Certified assessment at this stage. Angel-funded companies typically pursue formal certification after reaching scale and as part of enterprise procurement requirements.

HITRUST Certified assessment is on the roadmap for 2026–2027.

Penetration Testing

Annual External Pen Test

Pacslens undergoes annual penetration testing by a third-party security firm. Testing covers the DICOM gateway, inference API, web-facing services, and cloud VPC configuration. Results are available under NDA to qualified hospital security teams evaluating deployment.

Pen test summary available to hospital IT security teams on request, under NDA.

Questions about deployment security?

We provide a security questionnaire response and BAA to qualified hospital partners. Our team responds to vendor security assessments within 5 business days.