AI EMR Integration: Technical Guide for IT Leaders

What You'll Learn:

• 🔐 HIPAA-compliant AI EMR integration technical architecture and security frameworks
• 🔄 FHIR, HL7, and API integration patterns for major EMR systems
• ⚡ 5-10 day implementation roadmap with pre-deployment checklists
• 📊 Real-world performance benchmarks and monitoring protocols

The healthcare IT landscape is shifting from reactive documentation tools to proactive clinical operating systems. As IT leaders and CMIOs evaluate AI solutions for their organizations, the technical implementation details—integration patterns, security frameworks, and deployment timelines—become critical decision factors.

This comprehensive technical guide addresses the core infrastructure requirements for AI EMR integration technical implementations, specifically focusing on conversational clinical operating systems that go beyond basic AI scribes. While traditional AI scribes passively document encounters, next-generation platforms actively orchestrate clinical workflows, requiring deeper EMR integration and more sophisticated technical architecture.

The stakes are high: 63% of physicians experience burnout, with administrative burden—not clinical complexity—driving the crisis. AI scribes have achieved only 4% burnout reduction because they solve documentation but leave the broader workflow untouched. Antidote's conversational clinical operating system achieves 13% burnout reduction by orchestrating the complete clinical workflow through proactive AI that anticipates next actions, not just transcribes conversations.

For IT leaders, this means evaluating not just API capabilities, but the entire technical ecosystem: bi-directional data synchronization, real-time order entry, clinical decision support integration, and proactive workflow orchestration—all while maintaining HIPAA compliance, SOC 2 Type II certification, and enterprise-grade security.

---

📋 Executive Summary

Technical Overview

Modern healthcare IT AI integration requires a fundamental shift from passive documentation tools to active clinical orchestration platforms. Antidote's conversational clinical operating system represents this evolution, providing a HIPAA-compliant, SOC 2 Type II certified platform that integrates bidirectionally with major EMR systems through FHIR, HL7, and proprietary APIs.

Unlike traditional AI scribes that operate as isolated documentation tools, Antidote functions as a clinical operating system layer that sits between the physician and the EMR, orchestrating the complete patient encounter workflow. This architectural approach requires deeper technical integration but delivers substantially greater clinical value.

Key Technical Capabilities

Capability	Traditional AI Scribes	Antidote Clinical OS
EMR Integration Depth	Read-only or minimal write	Full bi-directional CRUD operations
Integration Methods	Basic API	FHIR, HL7 v2/v3, SMART on FHIR, REST APIs
Data Synchronization	One-way (AI → EMR)	Real-time bi-directional
Workflow Orchestration	Manual physician actions	Proactive AI-driven automation
Clinical Decision Support	None	Integrated with evidence-based protocols
Order Entry Integration	None	Direct order creation and submission
Implementation Timeline	2-4 weeks	5-10 days

Integration Approach

Antidote employs a multi-layered integration strategy that prioritizes security, reliability, and clinical workflow continuity:

1. EMR-Native Integration: Direct FHIR and HL7 interfaces with Epic, Cerner, athenahealth, MEDITECH, and other major EMRs
2. Middleware Compatibility: Integration engine support for Rhapsody, Mirth Connect, and Cloverleaf
3. API-First Architecture: RESTful APIs with OAuth 2.0 authentication and role-based access control
4. Real-Time Synchronization: Sub-second data updates with conflict resolution and version control
5. Fallback Mechanisms: Graceful degradation and offline capabilities for network interruptions

Security and Compliance Summary

Antidote maintains enterprise-grade security standards across all deployment scenarios:

• HIPAA Compliance: Full BAA coverage with comprehensive technical, administrative, and physical safeguards
• SOC 2 Type II Certified: Annual third-party audits of security, availability, and confidentiality controls
• Encryption Standards: AES-256 encryption at rest, TLS 1.3 in transit
• Access Controls: Multi-factor authentication, role-based access control (RBAC), and just-in-time provisioning
• Audit Logging: Comprehensive audit trails with immutable logs and SIEM integration
• Data Residency: Configurable data storage locations for compliance with state and international regulations

Implementation typically requires 5-10 days from contract signature to production deployment, including integration testing, security validation, and physician training. This accelerated timeline—compared to 2-4 weeks for traditional AI scribes—results from Antidote's pre-built EMR connectors and automated configuration workflows.

---

🏗️ Architecture Overview

System Architecture

Antidote's conversational clinical operating system employs a cloud-native, microservices architecture designed for high availability, scalability, and security. The platform operates as an intelligent middleware layer between physicians and EMR systems, orchestrating clinical workflows through real-time AI analysis and proactive action recommendations.

Component Breakdown

1. Edge Audio Processing Layer

The edge layer handles audio capture, noise cancellation, and initial preprocessing on physician devices (mobile, desktop, or dedicated hardware). This distributed approach minimizes latency and reduces bandwidth requirements while maintaining HIPAA compliance through local encryption before cloud transmission.

• Audio Capture: Multi-channel support for ambient room audio or directed microphones
• Noise Cancellation: Advanced DSP algorithms to filter background noise, keyboard clicks, and environmental sounds
• Speaker Diarization: Real-time identification of physician vs. patient speech patterns
• Local Encryption: AES-256 encryption applied before network transmission
• Bandwidth Optimization: Adaptive compression based on network conditions

2. Natural Language Processing Engine

Antidote's NLP engine transcribes and interprets clinical conversations in real-time, extracting structured data, clinical intent, and workflow context. Unlike basic transcription services, the NLP engine understands medical terminology, abbreviations, and clinical context.

• Medical Speech Recognition: 98.5% accuracy for medical terminology and drug names
• Clinical Entity Extraction: Automatic identification of symptoms, diagnoses, medications, and orders
• Contextual Understanding: Interpretation of clinical reasoning and decision-making patterns
• Multi-Language Support: English, Spanish, and additional languages in development
• Continuous Learning: Model updates based on practice-specific terminology and patterns

3. Clinical Intelligence Layer

This proprietary component differentiates Antidote from reactive AI scribes. The clinical intelligence layer analyzes conversation context, patient history, and evidence-based protocols to proactively suggest next actions.

• Predictive Action Modeling: Machine learning models trained on millions of clinical encounters
• Evidence-Based Protocol Integration: Guidelines from AMA, ACC/AHA, ADA, and specialty societies
• Risk Stratification: Real-time identification of clinical red flags and safety concerns
• Differential Diagnosis Support: Probability-weighted diagnosis suggestions based on symptoms
• Treatment Pathway Optimization: Personalized recommendations based on patient history and comorbidities

4. Workflow Orchestration Engine

The orchestration engine coordinates actions across multiple systems, managing dependencies, timing, and error handling to ensure seamless workflow execution.

• Action Sequencing: Intelligent ordering of tasks based on clinical priorities and dependencies
• Parallel Processing: Simultaneous execution of independent actions to minimize wait times
• Error Handling: Automatic retry logic with fallback options for failed actions
• State Management: Persistent workflow state across sessions and devices
• Rollback Capabilities: Transaction-safe operations with automatic rollback on failures

5. EMR Integration Layer

The integration layer provides normalized interfaces to diverse EMR systems, abstracting vendor-specific APIs into a unified data model.

EMR System	Integration Method	Supported Operations	Typical Latency
Epic	FHIR R4, HL7 v2.5, Interconnect APIs	Full CRUD, Order Entry, Documentation	<500ms
Cerner	FHIR STU3/R4, CCL, Millennium APIs	Full CRUD, Order Entry, Documentation	<600ms
athenahealth	athenaNet APIs, FHIR R4	Documentation, Orders, Patient Data	<700ms
MEDITECH	HL7 v2.3/v2.5, Magic/C# APIs	Documentation, ADT, Orders	<800ms
Allscripts	HL7 v2.5, FHIR STU3	Documentation, Orders	<700ms
eClinicalWorks	HL7 v2.5, REST APIs	Documentation, Patient Data	<800ms

Data Flow Architecture

Real-Time Encounter Flow:

Bi-Directional Synchronization:

Antidote maintains continuous synchronization with EMR systems to ensure data consistency and enable proactive intelligence:

• Patient Context Updates: Real-time monitoring of lab results, vital signs, and nursing notes
• Medication Reconciliation: Automatic detection of medication changes from other providers
• Schedule Synchronization: Integration with appointment systems for encounter preparation
• Problem List Updates: Tracking of diagnosis changes and care plan modifications
• Care Team Coordination: Visibility into specialist consultations and care transitions

Technology Stack

Infrastructure:

• Cloud Provider: AWS (primary), Azure (available), GCP (available)
• Compute: Kubernetes (EKS) for container orchestration
• Database: PostgreSQL (primary), Redis (caching), Elasticsearch (search)
• Message Queue: Apache Kafka for event streaming
• API Gateway: Kong for API management and rate limiting

Security & Compliance:

• Identity Management: Okta, Azure AD, or SAML 2.0 SSO
• Secrets Management: HashiCorp Vault
• Certificate Management: AWS Certificate Manager or Let's Encrypt
• WAF: AWS WAF or Cloudflare for DDoS protection
• SIEM Integration: Splunk, Datadog, or ELK stack compatible

AI/ML Stack:

• NLP Models: Proprietary medical language models fine-tuned on clinical conversations
• ML Framework: PyTorch for model training and inference
• Model Serving: TensorFlow Serving with GPU acceleration
• Feature Store: Feast for feature engineering and serving
• MLOps: MLflow for experiment tracking and model versioning

Integration Points

Antidote provides multiple integration touchpoints for comprehensive healthcare IT AI integration:

1. EMR Integration: Bi-directional data exchange via FHIR, HL7, and proprietary APIs
2. Identity Provider: SSO integration with hospital authentication systems
3. Clinical Decision Support: Integration with Zynx, UpToDate, or custom CDS systems
4. Lab Systems: HL7 interfaces for lab orders and results
5. Pharmacy Systems: e-Prescribing via Surescripts or direct pharmacy interfaces
6. Imaging Systems: DICOM integration for radiology orders and results
7. Patient Portal: API integration for patient-facing communications
8. Analytics Platforms: Data export to Epic Cogito, Health Catalyst, or custom data warehouses

---

🔄 EMR Integration Deep Dive

Supported EMR Systems

Antidote provides native integration with all major EMR platforms, representing over 85% of the U.S. hospital market. Our integration approach prioritizes depth over breadth—rather than superficial connections to dozens of systems, we focus on comprehensive, bi-directional integration with the most widely deployed EMRs.

Enterprise EMR Systems:

EMR Platform	Market Share	Integration Maturity	Supported Versions	Key Integration Features
Epic	31%	Production	2018+, Hyperspace 2020+	FHIR R4, Interconnect, In Basket integration
Cerner	25%	Production	Millennium 2015+, Soarian	FHIR R4, CCL, PowerChart integration
MEDITECH	16%	Production	6.x, Expanse	HL7 v2.5, Magic APIs, Expanse APIs
Allscripts	8%	Production	Sunrise, Professional	FHIR STU3, HL7 v2.5, dbMotion
athenahealth	6%	Production	athenaOne 2019+	athenaNet APIs, FHIR R4

Ambulatory EMR Systems:

• eClinicalWorks: REST APIs, HL7 v2.5, patient portal integration
• NextGen: HL7 v2.5, NextGen APIs, Mirth Connect compatibility
• DrChrono: REST APIs, OAuth 2.0, mobile-first integration
• Practice Fusion: REST APIs, FHIR STU3 (limited)
• Modernizing Medicine: EMA APIs, specialty-specific workflows

Custom and Legacy Systems:

For organizations with custom-built or legacy EMR systems, Antidote provides flexible integration options through standard protocols and custom adapter development. Our integration team has successfully deployed with over 40 different EMR platforms, including proprietary hospital systems and international EMRs.

Integration Methods and Protocols

FHIR (Fast Healthcare Interoperability Resources)

FHIR R4 Implementation:

Antidote's primary integration method leverages FHIR R4, the modern standard for healthcare data exchange. FHIR provides RESTful APIs with standardized resource definitions, enabling consistent data access across EMR platforms.

Supported FHIR Resources:

FHIR Operations:

• Read: Retrieve individual resources by ID
• Search: Query resources with complex filters and parameters
• Create: Add new resources (orders, documentation, tasks)
• Update: Modify existing resources with version control
• Patch: Partial updates for efficiency
• Transaction: Batch operations with atomicity guarantees

SMART on FHIR:

For Epic and other SMART-enabled EMRs, Antidote implements SMART on FHIR for secure, context-aware integration:

• Launch Contexts: EHR launch with patient and encounter context
• OAuth 2.0 Authorization: Secure token-based authentication
• Scopes: Granular permission control (patient/.read, user/.write)
• Refresh Tokens: Long-lived sessions without repeated authentication
• Standalone Launch: Independent Antidote access for mobile workflows

HL7 v2.x and v3 Integration

For EMRs with limited FHIR support or legacy systems, Antidote provides comprehensive HL7 integration:

HL7 v2.5 Message Types:

Message Type	Purpose	Antidote Use Case	Frequency
ADT^A01	Patient Admission	Encounter initiation, context loading	Per encounter
ADT^A08	Patient Update	Demographics sync, insurance changes	Real-time
ORM^O01	Order Entry	Lab, imaging, medication orders	Per order
ORU^R01	Results Reporting	Lab results, vital signs	Real-time
MDM^T02	Document Update	Clinical note finalization	Per note
SIU^S12	Schedule Notification	Appointment scheduling	Real-time
DFT^P03	Charge Posting	Billing integration	Per encounter

HL7 v3 CDA (Clinical Document Architecture):

Antidote generates and consumes CDA documents for comprehensive clinical documentation exchange:

• C-CDA R2.1: Continuity of Care Documents (CCD)
• Consultation Notes: Structured specialist referral documentation
• Discharge Summaries: Hospital discharge documentation
• Progress Notes: Ambulatory encounter notes

Proprietary EMR APIs

Epic Interconnect APIs:

Beyond FHIR, Antidote leverages Epic's proprietary Interconnect platform for deeper integration:

• MyChart Integration: Patient-facing communication and portal updates
• In Basket: Direct task creation and message routing to care team
• Care Everywhere: Cross-organization health information exchange
• Reporting Workbench: Custom reporting and analytics integration
• Cognitive Computing Platform: Integration with Epic's AI infrastructure

Cerner Millennium APIs:

• CCL (Cerner Command Language): Direct database queries for complex data retrieval
• MillenniumObjects: Object-oriented API for PowerChart integration
• Open Engine: Real-time event notifications and triggers
• Population Health APIs: Cohort management and quality measure tracking

athenahealth athenaNet APIs:

• Clinical APIs: Documentation, orders, and clinical data management
• Practice Management: Scheduling, billing, and administrative functions
• Patient Engagement: Portal messaging and appointment requests
• Population Health: Registry management and quality reporting

Data Synchronization Architecture

Real-Time Bi-Directional Sync:

Antidote maintains continuous synchronization with EMR systems to enable proactive intelligence and ensure data consistency. Unlike AI scribes that perform one-way data writes, our platform monitors EMR changes and adapts recommendations in real-time.

Synchronization Patterns:

1. Event-Driven Updates: Real-time webhooks and HL7 feeds for immediate data changes
2. Polling: Periodic API queries for systems without event notifications (1-5 minute intervals)
3. Batch Synchronization: Nightly full reconciliation for data integrity verification
4. Delta Sync: Incremental updates based on change timestamps to minimize bandwidth

Conflict Resolution:

When simultaneous updates occur from multiple sources, Antidote employs intelligent conflict resolution:

Conflict Scenario	Resolution Strategy	Example
Concurrent medication changes	Last-write-wins with physician notification	Nurse adds med while physician dictates
Diagnosis code updates	Merge with deduplication	Multiple providers document same condition
Vital sign discrepancies	Timestamp-based prioritization	Manual vs. device-recorded vitals
Documentation conflicts	Version control with manual review	Multiple note amendments

Data Consistency Guarantees:

• Eventual Consistency: All systems converge to same state within 30 seconds
• Transaction Safety: Atomic operations with rollback on failures
• Audit Trail: Complete history of all data changes with user attribution
• Version Control: Immutable change history for compliance and debugging

Custom Integration Support

Integration Accelerator Program:

For organizations with unique EMR configurations or custom systems, Antidote provides dedicated integration engineering support:

• Custom Adapter Development: 4-6 week development cycle for new EMR platforms
• Legacy System Modernization: HL7 or API wrappers for older systems
• Middleware Integration: Native support for Rhapsody, Mirth Connect, Cloverleaf
• Data Transformation: Custom mapping for non-standard data models
• Testing and Validation: Comprehensive integration testing in sandbox environments

Integration Timeline for Custom Systems:

Integration Success Metrics:

Antidote tracks comprehensive metrics to ensure integration quality and performance:

• API Latency: p50, p95, p99 response times for all endpoints
• Error Rates: Failed requests, timeout rates, and retry success
• Data Accuracy: Field-level validation against EMR source data
• Sync Lag: Time delta between EMR changes and Antidote updates
• Uptime: 99.9% availability SLA for integration layer

---

🔐 Security & Compliance Framework

HIPAA Compliance Architecture

Antidote maintains comprehensive HIPAA compliance across all technical, administrative, and physical safeguards required under the Health Insurance Portability and Accountability Act. Our compliance framework exceeds minimum requirements to provide defense-in-depth security for protected health information (PHI).

Technical Safeguards:

HIPAA Requirement	Antidote Implementation	Validation Method
Access Control (§164.312(a)(1))	Role-based access control (RBAC), MFA, session management	Annual penetration testing
Audit Controls (§164.312(b))	Comprehensive audit logging, immutable logs, SIEM integration	SOC 2 Type II audit
Integrity (§164.312(c)(1))	Digital signatures, checksums, version control	Automated integrity checks
Authentication (§164.312(d))	Multi-factor authentication, SSO, biometric options	Security assessments
Transmission Security (§164.312(e)(1))	TLS 1.3, VPN support, certificate pinning	Quarterly vulnerability scans

Administrative Safeguards:

• Security Management Process: Risk assessments, incident response plans, disaster recovery procedures
• Workforce Security: Background checks, security training, access termination protocols
• Information Access Management: Least privilege access, periodic access reviews, automated deprovisioning
• Security Awareness Training: Annual HIPAA training, phishing simulations, security newsletters
• Incident Response: 24/7 security operations center, breach notification procedures

Physical Safeguards:

• Facility Access Controls: SOC 2 certified data centers (AWS, Azure, GCP)
• Workstation Security: Encrypted devices, remote wipe capabilities, VPN requirements
• Device and Media Controls: Secure disposal, media encryption, asset tracking

Business Associate Agreements (BAA):

Antidote provides comprehensive BAAs covering all HIPAA obligations, including:

• Permitted uses and disclosures of PHI
• Safeguard implementation requirements
• Breach notification obligations (within 24 hours of discovery)
• Subcontractor management and BAA flow-down
• Audit and inspection rights
• Termination and data return provisions

SOC 2 Type II Certification

Antidote maintains SOC 2 Type II certification, demonstrating compliance with AICPA Trust Services Criteria across five key areas:

1. Security:

• Network security controls (firewalls, IDS/IPS, DDoS protection)
• Vulnerability management (quarterly scans, annual penetration tests)
• Change management (code reviews, deployment approvals, rollback procedures)
• Incident response (24/7 monitoring, escalation procedures, post-incident reviews)

2. Availability:

• 99.9% uptime SLA with financial penalties for non-compliance
• Multi-region redundancy for disaster recovery
• Automated failover and load balancing
• Capacity planning and performance monitoring

3. Confidentiality:

• Data classification and handling procedures
• Non-disclosure agreements with all employees and contractors
• Confidential data encryption at rest and in transit
• Secure data disposal and retention policies

4. Processing Integrity:

• Data validation and error handling
• Transaction logging and reconciliation
• Quality assurance testing for all releases
• Monitoring of data processing accuracy

5. Privacy:

• Privacy policy and notice procedures
• Data subject access request (DSAR) workflows
• Data minimization and purpose limitation
• Third-party data sharing controls

Annual Audit Process:

Antidote undergoes annual SOC 2 Type II audits by independent third-party auditors (Big Four accounting firms). The audit report is available to customers under NDA and covers a 12-month observation period.

Encryption Standards and Implementation

Data Encryption at Rest:

All PHI stored in Antidote systems is encrypted using AES-256 encryption with the following implementation details:

• Database Encryption: PostgreSQL Transparent Data Encryption (TDE) with customer-managed keys
• File Storage: AWS S3 server-side encryption (SSE-KMS) or Azure Storage Service Encryption
• Backup Encryption: Encrypted backups with separate key management
• Key Rotation: Automatic 90-day key rotation with zero-downtime
• Key Management: AWS KMS, Azure Key Vault, or HashiCorp Vault with HSM backing

Data Encryption in Transit:

All network communication uses TLS 1.3 (or TLS 1.2 minimum) with perfect forward secrecy:

• API Communication: TLS 1.3 with certificate pinning for mobile apps
• EMR Integration: Encrypted VPN tunnels or TLS for all HL7/FHIR traffic
• Internal Services: Mutual TLS (mTLS) for microservice communication
• Database Connections: Encrypted connections with certificate validation
• Admin Access: VPN required with MFA for all administrative access

Encryption Key Hierarchy:

Access Controls and Authentication

Multi-Factor Authentication (MFA):

Antidote requires MFA for all user access with support for multiple authentication methods:

• TOTP (Time-based One-Time Password): Google Authenticator, Authy, Microsoft Authenticator
• Push Notifications: Duo, Okta Verify
• Hardware Tokens: YubiKey, RSA SecurID
• Biometric Authentication: Face ID, Touch ID for mobile devices
• SMS/Email OTP: Available as backup method (not recommended as primary)

Role-Based Access Control (RBAC):

Granular permission management based on job functions and responsibilities:

Role	Patient Data Access	EMR Write Access	Admin Functions	Audit Log Access
Physician	Full (assigned patients)	Full	None	Own actions
Nurse	Full (assigned patients)	Limited	None	Own actions
Medical Assistant	Limited (scheduled patients)	Limited	None	Own actions
Practice Administrator	Full (practice patients)	None	User management	Full
IT Administrator	None	None	Full	Full
Compliance Officer	Audit only	None	Compliance settings	Full

Single Sign-On (SSO) Integration:

Antidote integrates with hospital identity providers for seamless authentication:

• SAML 2.0: Okta, Azure AD, OneLogin, Ping Identity
• OpenID Connect: Modern OAuth 2.0-based SSO
• Active Directory: LDAP integration for on-premises environments
• Just-in-Time Provisioning: Automatic user creation from SSO attributes
• Session Management: Configurable session timeouts, idle timeouts, concurrent session limits

Privileged Access Management:

For administrative and integration accounts with elevated privileges:

• Just-in-Time (JIT) Access: Temporary privilege elevation with approval workflows
• Session Recording: Video recording of privileged sessions for audit purposes
• Breakglass Procedures: Emergency access protocols with automatic alerts
• Service Accounts: API keys with IP restrictions and expiration dates
• Secrets Rotation: Automatic credential rotation for integration accounts

Audit Logging and Monitoring

Comprehensive Audit Trail:

Antidote logs all PHI access and system actions with immutable, tamper-evident audit logs:

Logged Events:

• User authentication (successful and failed attempts)
• PHI access (read, create, update, delete operations)
• Configuration changes (system settings, user permissions)
• Integration events (EMR API calls, data synchronization)
• Security events (MFA failures, suspicious activity, policy violations)
• Administrative actions (user provisioning, role changes, system maintenance)

Audit Log Retention:

• Active Logs: 90 days in hot storage for real-time analysis
• Archive Logs: 7 years in cold storage for compliance requirements
• Immutability: Write-once storage with cryptographic verification
• Export Capability: CSV, JSON, or SIEM-compatible formats

Security Information and Event Management (SIEM):

Antidote integrates with enterprise SIEM platforms for centralized security monitoring:

• Supported SIEMs: Splunk, Datadog, ELK Stack, Azure Sentinel, AWS Security Hub
• Real-Time Streaming: Sub-second event delivery via Kafka or syslog
• Custom Alerts: Configurable alerting rules for security events
• Threat Intelligence: Integration with threat feeds and vulnerability databases
• Incident Response: Automated playbooks for common security scenarios

Anomaly Detection:

Machine learning-based detection of unusual access patterns and potential security incidents:

• User Behavior Analytics (UBA): Baseline normal behavior and flag anomalies
• Impossible Travel: Geographic location inconsistencies
• Bulk Data Access: Unusual volume of patient record access
• Off-Hours Activity: Access outside normal working hours
• Failed Authentication Patterns: Potential brute force attempts

Data Residency and Sovereignty

Geographic Data Storage:

Antidote provides configurable data storage locations to meet regulatory and organizational requirements:

Region	Data Center Locations	Compliance Certifications	Typical Use Case
US East	Virginia, Ohio	HIPAA, SOC 2, HITRUST	East Coast healthcare systems
US West	Oregon, California	HIPAA, SOC 2, HITRUST