As a Software-as-a-Service (SaaS) vendor, Tebra offers independent healthcare practices a secure platform to manage their services and sensitive documentation, including electronic protected health information (ePHI) data. Changes to the medical field are not only impacting the way doctors practice medicine, but also requiring providers to do more to protect patient data.
Tebra is dedicated to helping doctors build an industry-leading security program to ensure all patient data is safe and protected.

Security at Tebra

Tebra’s commitment to security includes housing all services on a highly secure and controlled platform in our private and public cloud data centers. To ensure a top level of security, Tebra implements best-practice security frameworks, using both in-house and third-party tools and services. The company also keeps current on industry certifications and independent third-party attestations, or verifications, which are described on this page. This page was created to assist customers in understanding the security controls in place and how those controls have been validated.


Third-party Security Audits

Third-party attestations and certifications of Tebra provide rigorous validation of the control environment. By knowing their data is secure, customers can focus more on their practices and patients. Since Tebra is subject to various internal and external risk assessments, Tebra’s compliance and security teams have established an information security framework and policies based on:

  • Health Information Trust Alliance (HITRUST) Common Security Framework
  • AICPA Trust Criteria Security, Confidentiality and Availability
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework

Tebra Certifications and Third-Party Attestations

Tebra engages external certifying bodies and independent auditors to ensure our information security policies, processes, and controls align with security frameworks to meet or exceed applicable regulatory requirements.


Tebra enables covered entities, which include their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA), to leverage the secure Tebra work environment to process, maintain, and store protected health information. Through our business associate agreement, Tebra commits to maintaining the highest levels of HIPAA-compliant safeguards.


The HITRUST CSF is a security framework that incorporates and leverages many existing security requirements organizations must comply with. This includes federal requirements such as HIPAA, state requirements, and third-party requirements such as PCI and COBIT. It also includes requirements of other governmental agencies such as NIST, FTC, and CMS.


Tebra has obtained a service auditor’s examination report, which includes an opinion on the suitability of the design and operating effectiveness of the controls based on the American Institute of Certified Public Accountants’ (AICPA) Trust Services Principles and Criteria (TPA Section 100). These controls are related to security, availability, and confidentiality.


Tebra engages independent auditors to perform annual audits under the Payment Card Industry (PCI) Data Security Standard (DSS) for the handling of credit card information through Tebra Payments. Tebra regularly performs self-assessments of PCI DSS compliance for credit card processes related to customer software subscription payments to Tebra.


Current customers can request a copy of our current security attestations or certification reports by emailing our team at [email protected] and including their account name and number.