HIPAA Compliance
MedSync is designed from the ground up for HIPAA compliance.
✓ HIPAA Compliant · SOC 2 Type II
MedSync processes Protected Health Information (PHI) as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our architecture ensures PHI is protected at every layer.
Technical Safeguards
- Field-level encryption at rest: All PHI columns are encrypted using Fernet (AES-128-CBC + HMAC-SHA256) with PBKDF2-HMAC-SHA256 key derivation at 480,000 iterations — meeting current OWASP guidance.
- PHI redaction before AI processing: Transcripts are stripped of 13 HIPAA Safe Harbor identifier classes before being sent to any external AI service. Identifiers are rehydrated only after processing.
- Audit logging: Every PHI access, modification, export, and deletion is logged with timestamp, user identity, IP address, and user agent — satisfying HIPAA §164.312(b).
- Access controls: JWT-based authentication with 1-hour access tokens, refresh token rotation, and JTI revocation. Tokens stored in memory only, never localStorage.
- Transport security: All data in transit is encrypted via TLS 1.2+. HSTS preload is enforced.
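The redact-then-rehydrate flow described under "PHI redaction before AI processing", as an added illustration that is not MedSync's own code: identifiers are swapped for numbered placeholders, only the placeholder text leaves the trust boundary, and the mapping stays local for rehydration. The regexes cover a few identifier classes (dates, phone numbers, email addresses, MRNs) and are assumed patterns for this demo; names need an NER model rather than a regex and are deliberately left out.

```python
import re

# Constructed sample transcript (not real patient data).
SAMPLE = ("Patient John Smith, DOB 03/14/1962, phone 555-867-5309, "
          "email j.smith@example.com, MRN 00123456, seen 04/02/2024.")

# Assumed patterns for four identifier classes; a production system would use
# a vetted de-identification library rather than hand-written regexes.
PATTERNS = [
    ("DATE", re.compile(r"\b\d{2}/\d{2}/\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("MRN", re.compile(r"(?<=\bMRN )\d{8}\b")),
]

def redact(text):
    """Replace identifiers with numbered placeholders; return (redacted, mapping).
    Only `redacted` is sent to the external service; `mapping` never leaves."""
    mapping = {}
    for label, pattern in PATTERNS:
        def repl(match, label=label):
            token = f"[{label}_{len(mapping) + 1}]"
            mapping[token] = match.group(0)
            return token
        text = pattern.sub(repl, text)
    return text, mapping

def rehydrate(text, mapping):
    """Restore the original values into the text returned by the external service."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def unresolved(text):
    """Placeholders still present after rehydration, i.e. ones the external
    service altered or duplicated; these must be flagged, not silently shipped."""
    return re.findall(r"\[[A-Z]+_\d+\]", text)

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE)
    print(redacted)
    print(rehydrate(redacted, mapping))
```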
Administrative Safeguards
- Business Associate Agreements (BAA) available upon request
- Workforce access limited to minimum necessary PHI
- Incident response procedures for breach notification
GDPR Compliance
MedSync also complies with the EU General Data Protection Regulation. Data subjects have the rights of access (Article 15), erasure (Article 17), and portability (Article 20) over their personal data, all implemented as in-app self-service features.
Request a BAA
Healthcare organizations requiring a Business Associate Agreement can request one by contacting [email protected].
Contact
For compliance-related questions, contact us at [email protected].