IT & PRIVACY

IT + Security

FirstCall Telehealth is designed from the ground up to protect workforce health data. We safeguard protected health information, occupational injury records, and employer operational data with administrative, technical, and physical safeguards aligned with HIPAA requirements and industry-recognized security frameworks. This page describes our security program, privacy practices, and compliance posture for procurement, IT security, and privacy stakeholders evaluating our platform.

HIPAA-Ready Safeguards
Role-Based Access Control
Encryption In-Transit & At-Rest
Audit Logging

Role-Based Access

Granular permission controls for employees, supervisors, HR, and command staff.

Data Protection

End-to-end encryption ensuring your data is safe across all platforms.

Audit Logging

Real-time tracking and logging of all administrative actions.

Key Management

Securely manage and rotate encryption keys with full audit trail.

Secure Cloud Infrastructure

Hosted on HIPAA-eligible cloud infrastructure with 99.9% uptime SLA and geo-redundant backup.

Common Questions

Questions we hear most often

Yes. We execute Business Associate Agreements with all enterprise clients as a standard part of our engagement process. A BAA template is included in our security package and can be provided during the evaluation phase. We also support mutual BAAs where the client organization acts as a covered entity.

Production data is stored on enterprise‑grade cloud infrastructure located within the United States. Specific hosting provider details and data residency information are available in our security package upon request. We do not store production data outside the United States without explicit contractual agreement.

Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES‑256 or equivalent encryption provided by our cloud infrastructure. Encryption extends to databases, file storage, and backups. Key management follows documented procedures with appropriate access controls.

Employers access the platform through the employer portal, which provides operational information: case status, work‑status determinations (full duty, modified duty, off duty), return‑to‑duty dates, and aggregate analytics. Full clinical records — including diagnoses, treatment plans, and examination findings — are not accessible through the employer portal. This separation is enforced by role‑based access controls at the platform level.

We maintain a documented incident response plan with defined roles, escalation procedures, and communication protocols. In the event of a confirmed breach involving protected health information, we notify affected organizations and individuals in accordance with HIPAA breach notification requirements and applicable state laws. Our security team can be reached at security@firstcalltelehealth.co for incident coordination.

The employer portal includes access to audit logs relevant to the organization's use of the platform — including user login events, case access records, and data export activity. More detailed audit log access and custom reporting may be available under enterprise agreements. Log format and retention details are included in the security package.

SSO integration is available for enterprise accounts and can be configured to work with your organization's identity provider. Specific SSO protocol support and configuration requirements are documented in our integration guide, available as part of the security package. Contact our team to discuss your organization's identity management requirements.

Retention periods vary by data type, contractual terms, and applicable law — including state‑specific workers' compensation record‑keeping requirements and OSHA retention obligations. Specific retention schedules are documented in enterprise agreements. Upon expiration of retention obligations, data is destroyed following documented procedures. We do not retain data beyond what is legally and contractually required.
