When properly used, OhMD allows for HIPAA compliant messaging with colleagues and patients.  Below are the technical details on OhMD's architecture the highlights of what makes OhMD a HIPAA compliant solution are:

  • By signing up/in you agree to our BAA which you can find in the App and here.

  • Data is fully encrypted in transit and at rest.

  • No PHI is ever stored locally on your device.


OhMD is a secure messaging platform hosted by Amazon utilizing their EC2 HIPAA compliant service. OhMD and Amazon have an executed BAA in place.
The physical servers are located only in their U.S. East Region only. Our information/network security approach complies with NIST standards. OhMD is Meaningful Use 2/ONC Certified.


  • Unique usernames and passwords are used.

  • Passwords must be 8 characters (alphanumeric)

  • The system protects passwords from unauthorized disclosure and modification when stored and transmitted and prohibits passwords from being displayed when entered.

  • Passwords are encrypted with SSHA1 before being stored in the database.

Access Control

  • Standard users can be terminated by client-side administrators. Client-side administrators can be terminated by OhMD Support.

  • Access rights for different types of user accounts (administrators, standard users) are segregated using different user IDs and access is restricted to a need-to-know, least privilege basis.

Session Management and Transmission Security

  • The system implements a session lock after a period of 10 minutes of inactivity

  • Session IDs are randomly generated to avoid brute force access.

  • We employ TLS RSA with ARIA-256-CBC/SHA384 for XMPP/Message Delivery and AES-256 for web service call out.

Media and Data Protection

  • We encrypt data at rest using AES-256.

  • Our data retention policies are designed to keep all information for an unlimited period of time.

System Security and Vulnerability Management

  • Our platform has been tested for vulnerabilities by a third party security organization and passed all tests. These tests were based on the latest OWASP vulnerabilities lists for mobile and web applications.

  • Security assessments are conducted internally prior to every release, and by a third party for every major release.


  • OhMD utilizes Ubuntu 14.04.1 LTS, Couchbase 4.5.2, nodejs 0.10.35

Did this answer your question?