Security & HIPAA

Fluent is built for language services workflows that may involve PHI—without turning scheduling into a compliance obstacle course.

We provide encryption, access controls, audit logs, and workspace settings that support HIPAA-regulated operations. BAAs available when applicable.

  • Encryption in transit & at rest
  • Role-based access control
  • Audit logs & exports
  • Workspace security controls

Your data, protected by design

Language services often involve sensitive information—appointment details, patient names, and scheduling context that shouldn't be floating around in emails and text threads. Fluent keeps that data in one secure place.

  • Keep sensitive details inside the secure app (not scattered across texts and email threads)
  • Control who can view, export, or change records
  • Maintain an activity trail for accountability and audits

HIPAA-ready features

Below is how Fluent supports key technical safeguard categories. Your policies and implementation still matter—HIPAA is a shared responsibility.

Feature: How Fluent supports it

Access Control

  • Role-based access control (RBAC): Assign users to roles with least-privilege permissions based on job function
  • Team and agency segmentation: Organize users into teams with scoped access to specific customers, interpreters, or appointment types
  • User provisioning and deprovisioning: Add users when they join; remove or deactivate them promptly when they leave
  • Unique user identification: Every user has a unique account—no shared accounts
  • Automatic session timeout: Sessions expire after a configurable period of inactivity

Audit Controls

  • Comprehensive audit logs: All user actions—logins, record access, exports, edits, and deletions—are logged with timestamps and user IDs
  • Log retention: Audit logs are retained for long-term traceability (retention periods may be configurable or specified in your agreement)
  • Log export: Administrators can export audit logs for compliance reviews or incident investigations
  • Tamper-evident audit history: Logs are stored in append-only storage to prevent unauthorized modification

Integrity Controls

  • Input validation: All data submitted to Fluent is validated before storage to prevent corruption or injection attacks
  • Record history and versioning: Edits to appointments and records are versioned—previous values are retained for audit purposes
  • Integrity verification: Stored data is verified against checksums to detect unauthorized changes

Person/Entity Authentication

  • Password policy support: Passwords must meet minimum length and complexity requirements
  • Multi-factor authentication (MFA): Require a second factor for all users or specific roles
  • Single sign-on (SSO): Available for organizations using a centralized identity provider
  • Session management: Active sessions are tracked, and users can view and revoke sessions from other devices

Transmission Security

  • TLS encryption in transit: All data transmitted between your browser/app and Fluent servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: All data stored in Fluent is encrypted using AES-256
  • Authenticated APIs: All API endpoints require authentication and use HTTPS exclusively
  • Notification controls: Configure notifications to direct users into the app for details—keep PHI out of SMS and email bodies

BAAs & shared responsibility

Business Associate Agreements (BAAs)

If your organization uses Fluent in workflows that may involve PHI, we can execute a Business Associate Agreement (BAA) when applicable.

If there's any conflict between this page and the terms of your executed BAA, the BAA controls.

Shared responsibility

Fluent provides HIPAA-ready controls—encryption, access controls, and audit logs—to support HIPAA-regulated operations. Your organization remains responsible for operational policies such as workforce training, device security, and determining what staff includes in notes or attachments.

Security operations

Fluent maintains security practices designed to protect your data and respond quickly to potential threats.

  • 24/7 monitoring and alerting: Infrastructure and application events are continuously monitored with automated alerts for anomalies
  • Vulnerability management: Regular vulnerability scanning and timely patching of identified issues
  • Backup and recovery: Automated backups and disaster recovery processes to protect against data loss
  • Incident response: Defined incident response procedures with documented response targets for security events
  • Penetration testing: Regular penetration testing to identify and address potential vulnerabilities

This section reflects our current security practices, which we continuously evaluate and improve.

Subprocessors

We use vetted infrastructure and service providers to operate Fluent. These subprocessors are selected based on their security practices and compliance posture. A current subprocessor list is available upon request.

FAQ

Security & HIPAA questions

Common questions about our security practices and HIPAA-ready features.


Yes—Business Associate Agreements are available for customers using Fluent in workflows that may involve PHI. Contact us to request a BAA.

HIPAA compliance depends on how covered entities and business associates implement policies and workflows. Fluent provides HIPAA-ready features and can be configured to support HIPAA-regulated use cases. We sign BAAs and provide the technical safeguards—but compliance is a shared responsibility that includes your organization's policies and practices.

MFA is supported and can be required for all users via workspace security controls. SSO is available for organizations using a centralized identity provider.

We recommend keeping PHI out of notification bodies. Fluent can be configured to send minimal alerts that direct users into the secure app for full details, rather than including sensitive information in the notification itself.

See our HIPAA readiness guide for step-by-step instructions on setting up your workspace for HIPAA-regulated workflows.