HIPAA & Security

1. HIPAA Compliance

Medellis is designed to help healthcare providers maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA). As a Business Associate, we implement administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

2. Business Associate Agreement

We execute Business Associate Agreements (BAAs) with all covered entity customers. Our BAA outlines our responsibilities for safeguarding PHI and our commitment to HIPAA compliance.

3. Technical Safeguards

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Audit Logging: Comprehensive logging of all PHI access and modifications
• Automatic Session Timeout: Sessions expire after periods of inactivity

4. Physical Safeguards

• Data hosted on secure, compliant cloud infrastructure
• Physical access controls at data center facilities
• Environmental controls for hardware protection

5. Administrative Safeguards

• Regular employee training on HIPAA and security
• Documented security policies and procedures
• Incident response and breach notification procedures
• Regular risk assessments and security audits

6. Third-Party Services

Our AI processing partners are also HIPAA-compliant and have executed BAAs with us. We carefully vet all third-party services that may access PHI.

7. Data Minimization

• Audio recordings auto-deleted after 72 hours
• Only necessary PHI is collected and processed
• De-identification options available for analytics

8. Incident Response

In the event of a security incident or breach, we have documented procedures to:

• Contain and mitigate the incident
• Investigate the root cause
• Notify affected parties within required timeframes
• Document and report as required by HIPAA

9. Security Contact

To report a security concern or request our security documentation, contact our Security Team at security@medellis.com.