Compliance · HIPAA
How MedIQ maps to the HIPAA Security Rule.
This page is a plain-English summary intended for prospective customers and their security reviewers. It is not legal advice. Customers remain responsible for their own compliance posture.
| Area | Safeguard | How MedIQ addresses it |
|---|---|---|
| Administrative | Security Management Process | Documented risk analysis, written policies, sanction policy, periodic information system activity review. |
| Administrative | Workforce Security & Training | Background checks, role-based access, annual HIPAA training, signed acceptable-use policy. |
| Administrative | Information Access Management | Least-privilege roles enforced in app and database; access reviews quarterly. |
| Administrative | Contingency Plan | Documented backup, DR, and emergency-mode operation plans; tested restore drills. |
| Administrative | Business Associate Contracts | Standard BAA with every covered-entity customer; signed BAAs with all PHI-touching sub-processors. |
| Physical | Facility Access Controls | PHI lives only in HIPAA-eligible cloud regions with physical controls audited by the provider (SOC 2). |
| Physical | Workstation & Device Security | Workforce devices managed via MDM, full-disk encryption, screen lock, and remote wipe. |
| Technical | Access Control | Unique user IDs, mandatory MFA, automatic logoff, role-based authorization, server-side checks on every mutation. |
| Technical | Audit Controls | Append-only audit log of access and changes; per-tenant scoping; queryable for breach investigations. |
| Technical | Integrity | Database constraints + application validation + AES-256-GCM auth tags on encrypted secrets. |
| Technical | Transmission Security | TLS 1.2+ enforced end-to-end; HSTS; modern cipher suites only. |
| Breach | Notification | Documented incident response with 60-day breach notification window; customer-facing comms templates ready. |
Minimum necessary, by default
PHI never leaves your tenant in plaintext.
AI prompts are de-identified before transmission. We log the input hash, model version, and outcome — never the patient name, MRN, or note body.
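As an added illustration (not MedIQ's own code), the Python sketch below shows what "de-identify before transmission, log only the hash" looks like in practice; the record fields, placeholder tokens, model version string and sample note are all assumptions constructed for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class NoteRecord:
    """Assumed shape of a tenant's note: structured identifiers plus free text."""
    patient_name: str
    mrn: str
    body: str

def deidentify(rec: NoteRecord) -> str:
    """Replace the identifiers the record supplies with placeholders.
    Longest token first so part of a name is not replaced before the whole."""
    text = rec.body
    tokens = sorted([(rec.patient_name, "[PATIENT]"), (rec.mrn, "[MRN]")],
                    key=lambda t: -len(t[0]))
    for token, placeholder in tokens:
        text = re.sub(re.escape(token), placeholder, text, flags=re.IGNORECASE)
    return text

def audit_entry(prompt: str, model_version: str, outcome: str) -> dict:
    """The only fields that reach the log: a hash of the de-identified prompt,
    the model version and the outcome. The prompt text itself is never stored."""
    digest = hashlib.sha256(prompt.encode("utf-8")).hexdigest()
    return {"input_sha256": digest, "model_version": model_version,
            "outcome": outcome}

def leaks_phi(entry: dict, rec: NoteRecord) -> bool:
    """Guard run before writing: the raw name, MRN or note body must not
    appear anywhere in the serialized entry."""
    blob = json.dumps(entry).lower()
    return any(s.lower() in blob for s in (rec.patient_name, rec.mrn, rec.body))

def process(rec: NoteRecord, model_version: str = "model-v1") -> tuple:
    """De-identify, call the (omitted) LLM, then log; refuse to log on a leak."""
    prompt = deidentify(rec)
    entry = audit_entry(prompt, model_version, outcome="ok")
    if leaks_phi(entry, rec):
        raise RuntimeError("refusing to write an audit entry that contains PHI")
    return prompt, entry

# Constructed sample record; not real patient data.
SAMPLE = NoteRecord("Jane Doe", "MRN-0042",
                    "Jane Doe (MRN-0042) reports chest pain since Tuesday.")
```

Free-text identifiers that are not present as structured fields (a relative's name inside the note, say) are not caught by this substitution and need a real de-identification pipeline upstream of the LLM call.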
Sub-processors
A short, audited list.
We publish our sub-processor list under NDA. Today it includes our cloud provider, our managed Postgres provider, and your chosen LLM provider (you bring the key).
Reviewing us for your security team?
We can share the security overview, BAA, sub-processor list, and SOC 2 progress under NDA.