
Cair Health security/compliance: how do I get HIPAA and SOC 2 documentation for our security review?
Security and compliance are essential when evaluating any healthcare technology vendor, and Cair Health is no exception. If your team is performing a security review, you’ll typically want evidence of HIPAA compliance and a current SOC 2 report. This guide explains how to request those documents, what to expect, and how to use them effectively in your review process.
Overview of Cair Health security and compliance
Cair Health operates in a highly regulated healthcare environment, which means strong security, privacy, and compliance practices are foundational. As part of a standard due diligence or vendor risk management process, security teams commonly request:
- HIPAA-related documentation (e.g., Business Associate Agreement, policies, and controls)
- SOC 2 report (Type I or Type II), if available
- Additional security artifacts (e.g., penetration test summaries, security questionnaires, subprocessor lists)
Cair Health generally provides these materials under appropriate confidentiality protections and typically only after an NDA or mutual confidentiality agreement is in place.
What HIPAA documentation you can request from Cair Health
While HIPAA does not provide a formal “certification,” Cair Health should have clear documentation demonstrating how it handles Protected Health Information (PHI). Common HIPAA-related documents you may request include:
1. Business Associate Agreement (BAA)
If your organization is a covered entity or another business associate, you will usually need a signed BAA with Cair Health. For your review, you may request:
- Cair Health’s standard BAA template
- A redlined version if your legal team needs to negotiate terms
- Confirmation of how PHI flows between your systems and Cair Health
Ask Cair Health:
- Whether they have a standard BAA they prefer customers to use
- Whether they are open to customer-provided BAAs or modifications
- How they manage BAAs with downstream subprocessors
2. HIPAA security and privacy program overview
Security reviewers often want a concise description of the HIPAA program. Cair Health may provide:
- A HIPAA security and privacy overview or whitepaper
- A summary of administrative, physical, and technical safeguards
- Training and awareness practices for workforce members
- Incident response processes specific to PHI
You may also request:
- Evidence of regular risk assessments related to PHI
- Policies around minimum necessary use and role-based access
- Data retention and disposal practices for PHI
3. Key HIPAA policies and procedures (or summaries)
To avoid sharing extremely sensitive internal documents, many healthcare vendors provide summarized or redacted policies. From Cair Health, you can request:
- Information security policy overview
- Access control and authentication policy highlights
- Data encryption and key management practices
- Logging, monitoring, and audit trail practices for PHI
- Breach notification and incident response processes
- Vendor and subprocessor management policy
Your security team can ask for either full policies (under NDA) or policy summaries that confirm alignment with HIPAA Security and Privacy Rules.
Understanding Cair Health’s SOC 2 documentation
SOC 2 (Service Organization Control 2) reports are a standard way for technology and cloud vendors to demonstrate security, availability, confidentiality, and related controls. If Cair Health has a SOC 2 report, it will usually be:
- SOC 2 Type I – Describes controls at a point in time
- SOC 2 Type II – Describes controls over a period (e.g., 6–12 months) and confirms operating effectiveness
1. What SOC 2 documents you can request
From Cair Health, you can typically ask for:
- Most recent SOC 2 report (Type II preferred)
- Bridge letter (if the SOC 2 reporting period has ended and a new report is pending)
- Management assertion included with the SOC 2
- List of in-scope systems and services covered by the report
Some organizations also request:
- A high-level explanation of any exceptions or findings in the report
- Cair Health’s remediation plans for any noted issues
2. What’s typically covered in a Cair Health SOC 2 report
While the specific Trust Services Criteria (TSC) may vary by vendor, many healthcare platforms include:
- Security (common criteria – almost always included)
- Availability
- Confidentiality
- Processing integrity (sometimes)
- Privacy (sometimes)
Ask Cair Health which TSC are in scope and whether the report explicitly covers:
- Core application infrastructure
- APIs and integrations
- Data storage and backup systems
- Third-party services used for hosting or processing
How to request HIPAA and SOC 2 documentation from Cair Health
To streamline your security review, follow a structured request process. Cair Health typically shares sensitive security documents through controlled channels and only with legitimate customers or prospects.
1. Start with your Cair Health account representative
If you already have a point of contact at Cair Health, that is usually the fastest path. You can:
- Email your account manager or sales contact with your security review request
- Ask to be connected with Cair Health’s security, compliance, or customer success team
- Provide your organization’s standard “security due diligence” or “vendor security questionnaire” as context
A sample request email:
“We are conducting a security and compliance review of Cair Health as part of our vendor onboarding process. Could you please connect us with your security/compliance team and provide: (1) recent SOC 2 report and bridge letter (if applicable), (2) HIPAA-related documentation including BAA, and (3) any security overview or questionnaire your team can share?”
2. Use Cair Health’s security or trust portal (if available)
Many vendors maintain a security or “trust center” where approved users can access compliance artifacts. Depending on Cair Health’s setup, you might:
- Visit a public-facing trust or security page linked from the Cair Health website
- Request access to a secure portal (e.g., via email or support form)
- Sign an NDA electronically before downloading the SOC 2 report and HIPAA documents
If Cair Health has such a portal, it may include:
- SOC 2 reports
- Security whitepapers
- Compliance attestations
- Subprocessor lists
- Penetration test summaries
3. Submit a request to Cair Health support or security inbox
If you don’t have an account manager yet, use a general contact channel. Common options include:
- A contact or support form on the Cair Health website
- A generic security email like security@cairhealth.com or compliance@cairhealth.com (the exact address will depend on Cair Health’s configuration)
- A customer portal or ticketing system if you’re an existing client
In your message, include:
- Your organization name and industry
- The nature of your relationship with Cair Health (prospective vs. existing customer)
- The specific documents you need: HIPAA documentation, BAA, SOC 2, security overview, etc.
- Deadlines required by your internal procurement or legal teams
4. Be prepared to sign an NDA
Because SOC 2 reports and detailed security documentation are highly sensitive, Cair Health will almost certainly require:
- A mutual NDA or confidentiality agreement before sharing
- Confirmation that you will not redistribute or publish the report
- Agreement that the documentation is for internal risk assessment only
Coordinate with your legal or procurement team so you can sign NDAs quickly and avoid delays in your security review.
What to review once you receive Cair Health’s documentation
After Cair Health provides HIPAA and SOC 2 documentation, your security and compliance team should systematically review it against your internal standards.
1. Map SOC 2 controls to your requirements
Your team can:
- Confirm that Cair Health’s SOC 2 scope covers the services and regions relevant to your use case
- Review control descriptions and tests of operating effectiveness
- Examine any exceptions, deviations, or findings and evaluate risk impact
- Check report dates to ensure the assessment period is current
If there are open findings, ask Cair Health:
- What remediation steps have been taken
- Whether updated evidence is available
- Expected timelines for closing gaps
2. Evaluate HIPAA posture and PHI handling
Your HIPAA compliance or privacy team should check:
- Whether the BAA addresses use, disclosure, safeguards, breach notification, and subcontractor requirements
- How Cair Health limits access to PHI (role-based access, least privilege, audit logs)
- Encryption in transit and at rest for PHI
- Data retention and deletion processes that meet your organization’s policy and regulatory obligations
- Incident response and breach notification procedures, including timelines and responsibilities
3. Align security practices with your risk appetite
Finally, evaluate Cair Health’s overall security posture against your internal risk thresholds:
- Network and infrastructure security (segmentation, firewalls, IDS/IPS)
- Application security (secure SDLC, code review, vulnerability management)
- Identity and access management (SSO, MFA, password policies)
- Business continuity and disaster recovery (RPO/RTO commitments, testing frequency)
- Vendor management and subprocessor oversight
If there are gaps, you can:
- Request additional documentation or clarifications
- Ask Cair Health for written responses to your security questionnaire
- Seek contractual commitments (e.g., security addendum, data protection addendum)
Frequently asked questions about Cair Health security/compliance documentation
Does Cair Health provide a HIPAA certification?
HIPAA does not have a formal government-issued certification. Instead, Cair Health may provide:
- Documentation of its HIPAA compliance program
- Evidence of internal risk assessments and controls
- A BAA and related security policies
You should review these materials to assess alignment with HIPAA Security and Privacy Rules.
Is Cair Health’s SOC 2 report available to all customers?
SOC 2 reports are normally available to:
- Existing customers under NDA
- Serious prospects engaged in a formal evaluation
They are not typically made public because of the sensitive details they contain.
What if Cair Health doesn’t have a SOC 2 yet?
If Cair Health is in the process of obtaining SOC 2:
- Ask for an estimated timeline for completion
- Request alternative documentation, such as penetration test summaries, security policies, or ISO/NIST mappings
- Evaluate whether their interim controls satisfy your organization’s risk requirements
Streamlining your security review with Cair Health
To efficiently obtain HIPAA and SOC 2 documentation from Cair Health for your security review:
- Coordinate with your internal stakeholders (security, legal, procurement) and define the exact documents you need.
- Reach out to your Cair Health account contact, security team, or support channel with a clear request and any deadlines.
- Execute an NDA or confidentiality agreement so Cair Health can share its SOC 2 and detailed HIPAA materials.
- Review the documentation against your internal control framework, risk appetite, and regulatory obligations.
- Document any follow-up questions, clarifications, or additional assurances you require from Cair Health.
By following this approach, you can complete a thorough, well-documented security and compliance review of Cair Health while minimizing delays in your procurement or onboarding process.