Compliance & Security

Enterprise-grade security, comprehensive data sources, and HIPAA-aligned practices for healthcare credentialing at scale.

Authoritative Data Sources

API-Cert aggregates data from official government sources to provide comprehensive provider verification. Every check is backed by authoritative, primary-source data.

Primary Data Sources

State Professional Licensing Boards

Live

Direct integration with 13 state licensing boards, with NPPES baseline for all 50 states

  • Direct board data: AK, AL, CO, CT, DE, FL, IL, MA, MD, NJ, RI, TX, WA
  • Automated sync from official state data portals and APIs
  • NPPES/NPI baseline coverage for all remaining states
  • Covers MD, DO, NP, PA, RN, LPN, and other healthcare licenses

OIG List of Excluded Individuals/Entities (LEIE)

Live

HHS Office of Inspector General exclusions from federal healthcare programs

  • Monthly updates from official OIG data feed
  • Covers Medicare, Medicaid, and other federal program exclusions
  • Historical exclusion data maintained
  • Automatic matching against provider names and identifiers

SAM.gov Exclusions Database

Live

System for Award Management — federal debarment, sanctions, and exclusions

  • Updates from SAM.gov data extracts
  • Covers federal contracting and grant exclusions
  • Suspension and debarment records
  • Entity and individual-level screening

CMS Preclusion List

Live

Providers precluded from Medicare Advantage and Part D programs

  • Identifies providers barred from receiving payment under MA/Part D
  • Applies to prescribers who order, refer, or prescribe under Medicare
  • Updated with each CMS release cycle
  • Critical for organizations participating in Medicare programs

Medicare Opt-Out List

Live

Providers who have opted out of the Medicare program

  • Identifies providers who signed private contracts with beneficiaries
  • Opted-out providers cannot bill Medicare for any services
  • Relevant for credentialing teams evaluating payer participation
  • Updated from CMS quarterly releases

NPPES / NPI Registry

Live

National Plan and Provider Enumeration System — provider identity and taxonomy

  • NPI validation and provider identity verification
  • Taxonomy codes for specialty and provider type classification
  • Practice location and organizational affiliations
  • Baseline coverage for all 50 states and territories

DEA Registration

Live

Drug Enforcement Administration controlled substance authority

  • Verification of active DEA registration for prescribers
  • Applies to MD, DO, NP, PA, and other prescribing providers
  • Multi-state DEA registration tracking
  • Registration expiration monitoring

OFAC Specially Designated Nationals (SDN)

Live

U.S. Treasury Department sanctions and blocked persons list

  • Screening against the SDN list for sanctions compliance
  • Fuzzy name matching to catch variations and aliases
  • Required for organizations with federal compliance obligations
  • Updated with each OFAC release

Data Freshness & Synchronization

State Licensing Boards

Daily

Automated sync every 24 hours with manual verification for critical updates

Federal Exclusions (OIG LEIE)

Monthly

Updated on the first business day following OIG's monthly release

SAM.gov Exclusions

Daily

Real-time API integration with daily batch reconciliation

NPPES NPI Registry

Weekly

Full data refresh every Sunday with incremental daily updates

DEA Registrations

Weekly

Bi-weekly updates with emergency sync for urgent verifications

OFAC SDN List

Real-time

Immediate updates via Treasury Department's real-time feed

Security & Data Protection

Data Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • End-to-end encryption for API communications
  • Encrypted database storage with PostgreSQL

Access Control

  • API key authentication for all requests
  • Rate limiting to prevent abuse
  • IP allowlisting for enterprise customers
  • Role-based access control (RBAC)

Infrastructure Security

  • Hosted on Render (managed cloud) with Cloudflare CDN and edge protection
  • PostgreSQL with encrypted connections and automated backups
  • Regular security patching and dependency updates
  • Cloudflare DDoS protection and WAF

Monitoring & Logging

  • Comprehensive audit logs for all API calls
  • Real-time security monitoring and alerting
  • Anomaly detection for unusual access patterns
  • Incident response procedures and escalation

HIPAA & Healthcare Compliance

Provider Data, Not Patient Data

API-Cert processes professional license and credentialing data, not protected health information (PHI). We verify providers, not patients. However, we maintain HIPAA-aligned security practices throughout our operations.

Data We Process

  • Professional license numbers and statuses
  • Provider names and professional identifiers
  • License expiration and renewal dates
  • Disciplinary actions and sanctions
  • Professional certifications and credentials

Data We Don't Store

  • Patient health information (PHI)
  • Treatment records or medical data
  • Financial or billing information
  • Personal addresses or contact details
  • Social security numbers or sensitive IDs

Audit Trail & Logging

Every verification request is logged with comprehensive metadata for compliance, auditing, and quality assurance purposes.

What We Log

Request Details

  • Timestamp (UTC) of request
  • Unique request ID
  • API key and organization identifier
  • Search parameters and provider identifiers
  • Response time and performance metrics

Verification Results

  • Data sources checked and results
  • License status and verification outcome
  • Any exclusions or disciplinary findings
  • Data freshness timestamps
  • Quality assurance flags and notes

Retention & Access

  • Logs retained for 7 years for regulatory compliance
  • Customer audit reports available on request
  • Immutable log storage with cryptographic integrity
  • SOX and regulatory audit support

System Status & Uptime

Real-time API health, state coverage, and data source status.


Future Compliance Initiatives

SOC 2 Type II Certification

Planned

Comprehensive third-party audit of our security, availability, and confidentiality controls.

  • Independent validation of security practices
  • Annual certification and ongoing compliance
  • Enterprise customer requirement fulfillment
  • Trust Services Criteria compliance

NCQA CVO Certification

Planned

National Committee for Quality Assurance Credentials Verification Organization certification.

  • Healthcare industry-specific accreditation
  • Primary source verification validation
  • Quality assurance process certification
  • Healthcare organization trust and adoption

Questions About Compliance?

Our compliance and security team is available to answer questions about our practices, certifications, and how API-Cert fits into your organization's compliance requirements.