Frequently Asked Questions:

Security

  • Are you HIPAA Compliant?

    We meet or exceed the physical, technical, and administrative security requirements of HIPAA and we continue to improve our ability to safeguard data and measure our state of compliance. For details, please read our Privacy Policy: https://xcures.com/privacy-policy/

  • What does xCures do to protect security?

    The security of your data is of paramount importance to xCures. It begins when you sign an Authorization for the Release of Medical Information in accordance with the HIPAA patient right of access, allowing xCures to request information from your treating institutions (compliant with 45 CFR 164.524). Data is sent securely from the treating institutions to xCures, where, per the XCELSIOR Study Informed Consent you have also completed, it can be stored in an Electronic Data Capture (EDC) system compliant with 21 CFR Part 11. EDCs that are Part 11 compliant meet the FDA’s criteria for security and accuracy for tasks such as clinical trials and regulatory submissions.

    Access to personally-identifiable health information (PHI) is restricted to you, the health care providers you have identified or who are providing treatment to you, and only those xCures employees who need access for their jobs (all such employees take training in handling PHI). Some xCures employees, such as software developers, who need access to the format of the data but not the content, can access a version of the data in which all PHI has been removed and replaced with tokens, so as to protect your privacy.

    All data at rest within the system (e.g., in files, in databases) is encrypted. All data in motion (e.g., being viewed in a web browser, or sent via email) is likewise encrypted in transit. This is done to protect privacy at all times. We use various technologies to hinder and prevent attacks on our web portals and data infrastructure by malicious actors. In addition, we provide security training to all xCures employees regarding best security practices and the handling of PHI, and we monitor our infrastructure for signs of intrusion or hacking attempts.