Trust foundation
HIPAA & Compliance
Last updated July 1, 2026
Clover is being designed with HIPAA-conscious architecture for healthcare practices that need a careful home for provider launch work. This page explains the direction of Clover's compliance approach without claiming certifications or agreements that are not yet complete.
Protected information
Provider launch work may involve sensitive provider information, credentialing documents, identifiers, payer enrollment details, renewal dates, operational notes, and, in some customer contexts, information that may be regulated as protected health information.
Clover is being designed to treat sensitive information with care, limit unnecessary exposure, and keep provider launch information organized inside the correct practice workspace.
Secure storage
Uploaded documents and provider launch evidence are expected to live in access-controlled storage with encryption, restricted production access, and clear association to the relevant Provider Workspace.
Clover should avoid asking providers to upload the same document repeatedly when the practice already has the evidence it needs.
Audit trails
Clover is being built to preserve important activity history so practices can understand when documents were requested, uploaded, reviewed, updated, or used to change payer readiness.
Audit trails support operational clarity and help practices understand what happened during a provider launch.
Least privilege
Access patterns are being designed around least privilege so users and systems only reach the information needed for their role or task.
For example, invited providers should have a focused experience for completing their own launch checklist, while practice administrators should have broader visibility across provider launches.
Future Business Associate Agreements
Clover does not currently claim completed HIPAA certification or finalized Business Associate Agreements. HIPAA does not provide a single universal product certification in the way many people expect.
Where a Business Associate Agreement is required, Clover and the customer must execute one before Clover is used for regulated protected health information in that context. Future BAAs are part of the compliance roadmap before serving customers who require them.
Customer responsibilities
Customers are responsible for determining whether their use of Clover involves protected health information, whether a Business Associate Agreement is required, and whether their own policies permit the information they upload or invite providers to submit.
Clover can help organize provider launch work, but customers remain responsible for their legal, compliance, payer, billing, and workforce obligations.
Compliance roadmap
Clover's compliance roadmap may include formal policies, vendor review, incident response procedures, access reviews, workforce training, risk assessment, Business Associate Agreements, and independent assurance programs as customer needs mature.
Clover will not claim certifications or compliance milestones until they are actually complete.