Security

Security safeguards for direct healthcare relationships.

Directly is designed around authenticated access, role-based permissions, audit visibility, and healthcare-aware infrastructure practices. This page summarizes the current posture in plain language.

Last updated: May 8, 2026

Access control

Directly uses role-based access patterns for patient, physician, and owner workflows so sensitive areas are limited to authorized users.

Authentication

The platform supports authenticated patient and physician sessions, secure password handling, refresh-token flows, and account recovery workflows.

Audit visibility

Backend systems include audit logging and operational monitoring intended to support investigation, accountability, and security review.

Infrastructure safeguards

Production architecture uses private database and Redis networking, TLS termination, firewall rules, Fail2Ban, containerized services, and deployment controls.

What is already represented in the platform

  • JWT-backed authentication and refresh-token flows.
  • Role-aware patient, physician, and owner dashboards.
  • Audit logging and security monitoring hooks in the backend.
  • Private Postgres and Redis networking in production compose configuration.
  • Security headers, TLS termination, firewall rules, and operational runbooks.

Known maturity work

Directly is still hardening parts of the compliance and operational program. The most important remaining areas are immutable audit archival, verified retention procedures, legal hold processes, and continued production access hardening.

For HIPAA-specific context, review the HIPAA page. This security page is informational and does not replace contractual commitments, legal advice, or a formal security assessment.

Common Questions

Is Directly HIPAA compliant?

Directly is building HIPAA-aligned safeguards and publishes a plain-language HIPAA page. Formal program readiness, vendor review, and archival controls continue to mature.

How does Directly protect patient data?

Directly uses authenticated access, role-based permissions, audit logging, encrypted transport, infrastructure hardening, and operational monitoring as part of its security approach.

Where can security or privacy questions be sent?

Security and privacy questions can be sent to directlyhealthcare@gmail.com while dedicated operational contacts mature.