Security & Compliance
Patient data protection is built into every layer of ODpal — from encrypted messaging to HIPAA-compliant infrastructure and role-based practice controls.
Built on secure infrastructure
ODpal is hosted on enterprise-grade cloud infrastructure with security controls designed to protect patient information at every layer — storage, transit, and access.
- End-to-end encryption for all data in transit
- Encryption at rest for all stored patient data
- Secure cloud infrastructure with continuous monitoring
- Regular security assessments and vulnerability testing
- Strict access control policies enforced at the infrastructure level
Encrypted End to End
Every message, form, and patient record transmitted through ODpal is protected by industry-standard encryption — in transit and at rest.
HIPAA-compliant by design
ODpal is built to support HIPAA-compliant communication for healthcare providers. Optometry practices can communicate with patients through ODpal with confidence that protected health information is handled appropriately.
Business Associate Agreement
ODpal provides a Business Associate Agreement (BAA) to covered entities. The BAA formalizes our responsibilities for protecting PHI in accordance with HIPAA requirements.
HIPAA-Compliant Messaging
All patient communication through ODpal — SMS, email, and in-app messaging — is handled through HIPAA-compliant channels with appropriate safeguards for protected health information.
Audit Trails
ODpal maintains detailed audit logs of system access and communication activity. Practices have access to records that support HIPAA audit and documentation requirements.
Patient-First Data Practices
ODpal collects only the data necessary to deliver the platform's features. Patient information is never sold or shared with third parties for advertising purposes.
Minimal data collection. Maximum protection.
ODpal is designed around the principle that patient data should be used to deliver care — not monetized. Practices retain ownership of their patient data at all times.
- Patient data is owned by the practice, not ODpal
- Data collected is limited to what is needed for platform functionality
- No patient data is sold or shared with third-party advertisers
- Patient consent is managed through appropriate communication opt-in flows
- Data export available to practices upon request
Secure channels across every touchpoint
Whether patients are communicating via the mobile app, SMS, or email, every channel in ODpal is designed with security and patient privacy in mind.
In-App Secure Messaging
Messages sent through the ODpal patient mobile app are transmitted through encrypted, HIPAA-compliant channels — providing a more secure alternative to standard SMS for sensitive clinical communications.
- Encrypted message delivery
- Patient-authenticated sessions
- Message history linked to patient record
- No third-party message storage
SMS & Email Safeguards
ODpal applies appropriate safeguards to SMS and email communication — including limiting PHI exposure in message content and directing patients to secure channels for sensitive information.
- PHI-aware message templates
- Secure links for sensitive content
- Opt-in and opt-out compliance
- Communication audit logging
Your practice stays in control
ODpal gives practice administrators the tools to manage who can access patient communication, what they can see, and how the platform is used — keeping control where it belongs.
- Role-based access control for all staff accounts
- Admin controls for permission levels and feature access
- Activity logs showing which team members accessed records
- Practice retains full ownership and portability of its data
- Easy account management and staff provisioning
Role-Based Access
Assign appropriate access levels to each staff member — from front desk to doctor — ensuring each team member sees only what they need to do their job.