Compliance & Security

Enterprise-grade security, comprehensive data sources, and HIPAA-aligned practices for healthcare credentialing at scale.

Authoritative Data Sources

API-Cert aggregates data from official government sources to provide comprehensive provider verification. Every check is backed by authoritative, primary-source data.

Primary Data Sources

State Professional Licensing Boards (Live)

Official licensing authorities for all 50 states, DC, and US territories

  • Real-time integration with state board APIs where available
  • Daily sync from official state websites
  • Manual verification for states without digital access
  • Covers RN, LPN/LVN, NP, PA, MD, DO, and other healthcare licenses

OIG List of Excluded Individuals/Entities (LEIE) (Live)

HHS Office of Inspector General exclusions from federal healthcare programs

  • Monthly updates from official OIG data feed
  • Covers Medicare, Medicaid, and other federal program exclusions
  • Historical exclusion data maintained
  • Automatic matching against provider names and identifiers

SAM.gov Exclusions Database (Live)

System for Award Management federal contracting exclusions

  • Daily updates from SAM.gov API
  • Covers federal contracting and grant exclusions
  • Suspension and debarment records
  • Entity and individual-level screening

CMS Provider Data (Live)

Centers for Medicare & Medicaid Services provider information

  • NPPES National Provider Identifier (NPI) registry
  • Medicare provider enrollment status
  • Provider revalidation dates
  • Specialty and taxonomy codes

DEA Practitioner Database (Live)

Drug Enforcement Administration controlled substance registration

  • Active DEA registration verification
  • Schedule authority verification
  • Registration expiration monitoring
  • Multi-state DEA registration tracking

OFAC Specially Designated Nationals (SDN) (Live)

Treasury Department sanctions and blocked persons list

  • Real-time screening against SDN list
  • Comprehensive name and alias matching
  • Address and identifier verification
  • Sanctions compliance monitoring

Social Security Death Master File (SSDMF) (Live)

Verification that providers are not deceased

  • Monthly updates from authorized data sources
  • SSN-based death verification
  • Date of death information where available
  • Fraud prevention and identity verification

Data Freshness & Synchronization

State Licensing Boards (Daily)

Automated sync every 24 hours with manual verification for critical updates

Federal Exclusions (OIG LEIE) (Monthly)

Updated on the first business day following OIG's monthly release

SAM.gov Exclusions (Daily)

Real-time API integration with daily batch reconciliation

NPPES NPI Registry (Weekly)

Full data refresh every Sunday with incremental daily updates

DEA Registrations (Weekly)

Bi-weekly updates with emergency sync for urgent verifications

OFAC SDN List (Real-time)

Immediate updates via Treasury Department's real-time feed

Security & Data Protection

Data Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • End-to-end encryption for API communications
  • Encrypted database storage with PostgreSQL

Access Control

  • API key authentication for all requests
  • Rate limiting to prevent abuse
  • IP allowlisting for enterprise customers
  • Role-based access control (RBAC)

Infrastructure Security

  • AWS cloud infrastructure with SOC 2 compliance
  • Multi-region deployment for redundancy
  • Regular security patching and updates
  • DDoS protection and threat monitoring

Monitoring & Logging

  • Comprehensive audit logs for all API calls
  • Real-time security monitoring and alerting
  • Anomaly detection for unusual access patterns
  • Incident response procedures and escalation

HIPAA & Healthcare Compliance

Provider Data, Not Patient Data

API-Cert processes professional license and credentialing data, not protected health information (PHI). We verify providers, not patients. However, we maintain HIPAA-aligned security practices throughout our operations.

Data We Process

  • Professional license numbers and statuses
  • Provider names and professional identifiers
  • License expiration and renewal dates
  • Disciplinary actions and sanctions
  • Professional certifications and credentials

Data We Don't Store

  • Patient health information (PHI)
  • Treatment records or medical data
  • Financial or billing information
  • Personal addresses or contact details
  • Social security numbers or sensitive IDs

Audit Trail & Logging

Every verification request is logged with comprehensive metadata for compliance, auditing, and quality assurance purposes.

What We Log

Request Details

  • Timestamp (UTC) of request
  • Unique request ID
  • API key and organization identifier
  • Search parameters and provider identifiers
  • Response time and performance metrics

Verification Results

  • Data sources checked and results
  • License status and verification outcome
  • Any exclusions or disciplinary findings
  • Data freshness timestamps
  • Quality assurance flags and notes

Retention & Access

  • Logs retained for 7 years for regulatory compliance
  • Customer audit reports available on request
  • Immutable log storage with cryptographic integrity
  • SOX and regulatory audit support
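The audit-trail section above lists the fields that are logged and states that the log store is immutable with cryptographic integrity. The block below is an added example, not API-Cert's code, showing one common way to get that property: each record carries a keyed MAC over its own fields plus the MAC of the previous record, so editing, reordering or deleting a record breaks the chain at a detectable position. The field names, the sample records and the integrity key are constructed for illustration; the page does not describe the actual storage format.

```python
"""Hash-chained audit log for verification requests (added example, not API-Cert's code).

Models the "What We Log" fields and the "immutable log storage with
cryptographic integrity" claim: every entry is bound to its predecessor by
a keyed HMAC, so any in-place edit, reordering or deletion is detectable.
Field names, sample records and the key below are constructed assumptions.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from typing import Any, Optional

# Constructed demo key. In practice the verifier's key lives in a KMS/HSM,
# not alongside the log store, so a writer that can edit records cannot re-sign them.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
GENESIS_MAC = "0" * 64  # link value for the very first record


def _canonical(entry: dict[str, Any]) -> bytes:
    # Deterministic encoding: same fields always serialize to the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(body: dict[str, Any]) -> str:
    # HMAC-SHA256 over the canonical record (which already includes prev_mac).
    return hmac.new(INTEGRITY_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(log: list, request: dict[str, Any], result: dict[str, Any],
                 timestamp: Optional[datetime] = None) -> dict[str, Any]:
    """Append one verification record, chained to the previous record's MAC."""
    prev_mac = log[-1]["entry_mac"] if log else GENESIS_MAC
    ts = (timestamp or datetime.now(timezone.utc)).isoformat()
    body = {
        "timestamp_utc": ts,
        "request_id": str(uuid.uuid4()),
        "org_id": request["org_id"],
        "api_key_id": request["api_key_id"],     # key identifier only, never the secret
        "search_params": request["search_params"],
        "response_ms": request["response_ms"],
        "sources_checked": result["sources_checked"],
        "license_status": result["license_status"],
        "findings": result["findings"],
        "data_freshness": result["data_freshness"],
        "prev_mac": prev_mac,
    }
    body["entry_mac"] = _entry_mac(body)
    log.append(body)
    return body


def verify_chain(log: list) -> tuple:
    """Return (ok, index). index is -1 when intact, else the first bad record."""
    expected_prev = GENESIS_MAC
    for i, entry in enumerate(log):
        if entry.get("prev_mac") != expected_prev:
            return False, i                      # link broken: reorder or deletion
        body = {k: v for k, v in entry.items() if k != "entry_mac"}
        if not hmac.compare_digest(_entry_mac(body), entry.get("entry_mac", "")):
            return False, i                      # content edited after signing
        expected_prev = entry["entry_mac"]
    return True, -1


def build_sample_log() -> list:
    """Three constructed records mirroring the page's logged fields."""
    log: list = []
    base = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    statuses = ["ACTIVE", "EXPIRED", "ACTIVE"]
    for n, status in enumerate(statuses):
        request = {
            "org_id": "org-demo",
            "api_key_id": "key-demo-01",
            "search_params": {"state": "TX", "license_number": f"RN-{1000 + n}"},
            "response_ms": 14 + n,
        }
        result = {
            "sources_checked": ["state_board", "oig_leie", "sam_gov"],
            "license_status": status,
            "findings": [] if n != 1 else ["license_expired"],
            "data_freshness": {"state_board": "2024-01-15T00:00:00+00:00"},
        }
        append_entry(log, request, result, timestamp=base.replace(minute=n))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))          # (True, -1)
    log[1]["license_status"] = "ACTIVE"          # simulate an after-the-fact edit
    print("edited:", verify_chain(log))          # (False, 1)
```

Because the link field is included in each record's MAC, a verifier only needs the key and the records to check the whole history; storing the latest MAC somewhere the log writer cannot modify (a separate system, or a periodically published anchor) is what turns "tamper-evident" into the stronger immutability claim.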

Uptime & System Health

  • 99.9% uptime SLA (monthly average over trailing 12 months)
  • <20ms average response time (95th percentile globally)
  • 24/7 monitoring (automated alerts and incident response)

Health Monitoring

Real-time Monitoring

  • API endpoint availability and response times
  • Database performance and connection health
  • Data source connectivity and sync status
  • Error rates and failure pattern detection

Proactive Maintenance

  • Scheduled maintenance windows (low-traffic periods)
  • Performance optimization and capacity planning
  • Security patching and system updates
  • Disaster recovery testing and validation

System Status: All systems operational

Check real-time status at api-cert.com/status

Future Compliance Initiatives

SOC 2 Type II Certification (Planned)

Comprehensive third-party audit of our security, availability, and confidentiality controls.

  • Independent validation of security practices
  • Annual certification and ongoing compliance
  • Enterprise customer requirement fulfillment
  • Trust Services Criteria compliance

NCQA CVO Certification (Planned)

National Committee for Quality Assurance Credentials Verification Organization certification.

  • Healthcare industry-specific accreditation
  • Primary source verification validation
  • Quality assurance process certification
  • Healthcare organization trust and adoption

Questions About Compliance?

Our compliance and security team is available to answer questions about our practices, certifications, and how API-Cert fits into your organization's compliance requirements.