Security & Trust
How No Prior Authorization protects your health data
"No Prior Authorization exists to restore continuity and patient control in healthcare. It does not replace clinicians, does not diagnose, and does not monetize personal health data."
Core Principles
Patient Remains Root Authority
You are the ultimate owner of your health data. No one can override your decisions.
No Silent Access, Ever
Every access to your data is logged and visible to you. No hidden backdoors.
No PHI Monetization
Your health information is never sold, rented, or monetized. Your trust is not for sale.
No Diagnostic Authority
We organize information, not interpret it medically. We don't replace your doctors.
No Vendor Lock-In
Export all your data anytime with one click. If you can't leave, you won't trust us.
No Data Hoarding
We collect only what's necessary. Your data belongs to you, not our analytics.
Security Measures
Encryption at Rest & Transit
All data is encrypted using industry-standard AES-256 encryption at rest and TLS 1.3 in transit.
Optional Two-Factor Authentication
Enable TOTP-based MFA for an extra layer of protection on your account.
Session Management
View and revoke active sessions anytime. Get alerts for unusual login activity.
Immutable Audit Logs
Every action is logged and cannot be altered. Full transparency into who accessed what.
Emergency Access Controls
Opt-in emergency access that's time-limited, read-only, and fully auditable.
Regular Security Audits
Periodic security assessments and penetration testing to identify vulnerabilities.
What We Will Never Build
These features will never exist in NPA, regardless of technical feasibility or business pressure. This list protects you and our mission.
- ✕Automatic provider access without your explicit consent
- ✕Silent data sharing or background data collection
- ✕AI diagnosis, treatment advice, or risk scoring
- ✕Data resale, ad targeting, or PHI monetization
- ✕Insurance decision engines or coverage influence
- ✕Social features, public profiles, or sharing feeds
- ✕Dark patterns, addiction mechanics, or manipulative UX
- ✕Features that trap you or penalize leaving
Data Policies
Data Retention
- Active account: Your control, indefinite
- Deleted account: 30 days maximum
- Audit logs: 7 years (legal requirement)
Breach Response
- Immediate containment
- Patient notification within 72 hours
- Public disclosure of scope
- Free identity protection
Your Rights
- ✓Access all your health data at any time
- ✓Export everything with one click
- ✓Delete your account and all data
- ✓Revoke any permission instantly
- ✓See who accessed your information
- ✓Control emergency access settings
- ✓Opt out of any future features
Questions or Concerns?
We take security seriously. If you have questions or want to report a security issue, please contact us.