An enterprise solution to protect healthcare data

If you have a question or concern or if you would like to request additional documentation regarding these certifications, email

Privacy and Security in Healthcare

At Phreesia, privacy and security are our top priorities–not boxes to be checked during a once-a-year review. At each and every level of our organization, we foster a culture focused on safeguarding patient data. We’re honored to have those efforts recognized with many of the industry’s most well-known certifications.

HITRUST CSF Certification (2022)

Phreesia achieved HITRUST CSF certification, giving our clients peace of mind that we meet trusted security benchmarks.

Read More >

Payment Card Industry Data Security Standard (PCI-DSS)

As a PCI DSS Level 1 Service Provider, Phreesia is committed to upholding industry security standards for cardholder data.

Read More >

Security Organization Control (SOC) 2 Type 2

Phreesia has completed the SOC 2 Type 2 certification process to evaluate our security, availability and confidentiality protocols.

Read More >

PCI Point-to-Point Encryption (P2PE)

Phreesia’s PCI-validated solution enables healthcare organizations to accept P2PE credit and debit card payments.

Find Phreesia listed under Bluefin Payment systems

Read More >

Please do not send any sensitive personal or health information to this email address. If you are a patient, please contact your healthcare provider directly.

View our responsible disclosure policy.

Responsible Vulnerability Disclosure Policy

This information is intended for security researchers who are interested in reporting vulnerabilities to Phreesia’s security team. For all other issues and inquiries, including sales and client support questions, please visit our Contact Us page.

If you think you have identified a vulnerability on Phreesia’s platform, we ask that you contact us at as soon as possible and refrain from disclosing the issue to other parties until we address it.

When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we’ll work to fix it and release the fix in a timeframe that matches the severity. Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren’t previously aware of the issue.

Responsible Disclosure Guidelines

We require that all security researchers:

  • Use Phreesia’s address to notify us of the vulnerability. We will send instructions for setting up a secure channel to transmit sensitive details, including URLs, screenshots and/or other relevant information.
  • Give Phreesia 30 days to review the submitted issue and respond to your notification. Once we determine an issue is valid, we will notify you with next steps, including public disclosure timelines.
  • Make every effort to maintain the integrity of Phreesia’s data and avoid privacy violations, service disruptions, degradation of user experience and destruction of data during testing.

The following vulnerability categories are of greatest interest to us and should be considered within the acceptable scope for security researchers:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity (XXE) Processing
  • Authentication-related issues
  • Authorization-related issues
  • Data Exposure
  • Redirection Attacks
  • Remote Code Execution

Request a demo

Let us show you how Phreesia provides the modern, convenient healthcare experience your patients want and your staff expect.

If you are a patient trying to check in or cancel an appointment, please contact your healthcare provider's office directly.

En español >

Phreesia cannot accept any sensitive personal or health information. Please contact your healthcare provider directly.

By submitting this form, you agree to Phreesia’s Privacy Policy