Operations · Record Management
Compliance documents that don't get lost in the shared drive.
Validated file handling, per-office storage tracking, immutable version history. The compliance record stays where compliance can find it.

HIPAA mapping
What this satisfies in the Security Rule.
4 citations, each with the specific Record Management behavior that satisfies it. The mapping is the receipt — what you can show an auditor without assembling anything new.
§164.310(d) Device and media controls
Implements policies for receipt, removal, and disposal of hardware and electronic media. Validated file handling extends the control to the document layer.
§164.312(c)(1) Integrity
Implements policies to protect ePHI from improper alteration or destruction. Version immutability and audit logging satisfy this directly for documents containing ePHI.
§164.316(b)(1) Documentation standards
Policies and procedures must be documented. The repository is purpose-built for the documentation requirement.
§164.316(b)(2) Time limit
Six-year retention. Architectural retention with no manual cleanup needed.
What it does
The compliance record where compliance can find it.
Most independent practices keep compliance documents in a shared drive. Some have a binder. Some have both. The shared drive is chaos by month six — current versions, draft versions, “final_v3_FINAL” versions, the ones the auditor signed off, the ones that were superseded but never deleted. Finding the correct policy at the correct version becomes a small project.
Record Management is the alternative. Compliance documents live in a structured, versioned, validated repository inside the platform. Every upload is type-checked, virus-scanned, and recorded with full metadata. Every version supersedes cleanly. Every access is audited. The folder of confusion turns into a record that auditors find easy to read.
Storage is tracked per office. The platform shows where you are relative to your plan's storage allocation, what's contributing to consumption, and which documents are largest. Storage limits are generous — most independent practices use a small fraction of their allocation — but visibility prevents surprises.
How it works
6 mechanisms keep Record Management working.
Type-validated uploads.
The platform accepts standard document formats — PDF, DOCX, XLSX, image formats for diagrams, CSV for data exports. Executable files and other formats outside the document set are rejected at upload. The validation runs server-side; client manipulation cannot bypass it.
Virus and malware scanning.
Every upload runs through a scanning step. Malicious content is quarantined; uploads are rejected with an explanation. Useful when uploading vendor-supplied documents that may have been exposed to malware in transit.
Immutable version history.
Document versions are append-only. A new upload of the same document creates a new version; the old version is preserved. Versions cannot be deleted by workforce; the platform's six-year retention is enforced architecturally.
Per-office storage tracking.
The dashboard shows storage consumption against allocation. Largest documents, recently-uploaded documents, document type breakdown. Useful for storage hygiene without making it a priority issue (the allocation is generous for typical practice volumes).
Document audit trail.
Every document has its own audit log: uploads, version updates, access events, downloads, exports. The audit is queryable — “who accessed this document in the last 90 days?” returns the list immediately.
Cross-module integration.
Documents are not a siloed feature. Policies in the Policies module use Record Management. BAA uploads in Workforce use Record Management. Training certificate exports from Workforce Training use Record Management. The repository is the document substrate the platform shares.
Who this is for
Built for the practices that need it most.
Practices using shared drives for compliance.
Migration is straightforward: upload existing documents in batches, and the platform validates and versions them. After a weekend's work, the shared-drive chaos is replaced with a structured record that supports the rest of the platform.
Practices managing multiple document types.
P&P documents, BAAs, training records, SRA reports, audit responses, breach documentation. Practices accumulate substantial compliance document inventory. Keeping it all in one structured place pays off when any of it needs to be found.
Practices preparing for audit.
When OCR or an auditor requests specific documents, response time is the difference between calm and crisis. Record Management indexes everything; “show me our most recent SRA” or “show me the BAA with vendor X as of 2024” are one-click queries.
Practices with consultants.
Consultants typically need access to your compliance documents. Record Management's role-scoped sharing lets consultants see exactly what they need without inheriting access to documents outside their scope.
Connected to
No module is an island.
Record Management works because it's connected. Every signal feeds another module; every closure becomes evidence somewhere else.
Operations layer
Workforce Training
Training certificates and completion records use Record Management for storage.
Defense layer
ePHI Audit Logs
Document access events feed the audit log.
Intelligence layer
Audit Replay Timeline
Document version history feeds the timeline; replay shows which version was current at any past moment.
What you get
6 outcomes you'll feel in week one.
No shared-drive chaos.
Structured, indexed, queryable document repository.
Immutable versions.
History preserved; current version unambiguous.
Validated handling.
Type checking and malware scanning on every upload.
Document-level audit.
Who, what, when on every interaction.
Per-office storage tracking.
Visibility without surprises.
§164.316(b) handled.
Six-year retention by architecture.
Next step
The compliance record where compliance can find it.
Most practices migrate from shared drives to structured records inside a weekend. The platform takes over going forward.
No contracts. No consultants. Starting at $39/mo.
