Healthcare Compliance

HIPAA Compliance

Last updated: January 28, 2026

HIPAA Compliant Platform

MedCrypt is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its subsequent amendments. We implement comprehensive administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

1. Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA consists of several key rules:

  • Privacy Rule: Establishes standards for the protection of individually identifiable health information
  • Security Rule: Sets standards for securing electronic Protected Health Information (ePHI)
  • Breach Notification Rule: Requires notification following a breach of unsecured PHI
  • Enforcement Rule: Contains provisions relating to compliance and penalties
  • Omnibus Rule: Implements HITECH Act provisions and strengthens privacy and security protections

2. MedCrypt's Role as a Business Associate

Under HIPAA, MedCrypt operates as a Business Associate to healthcare providers (Covered Entities) who use our platform. This means we:

  • Create, receive, maintain, or transmit PHI on behalf of healthcare providers
  • Are directly liable for compliance with applicable HIPAA requirements
  • Must enter into Business Associate Agreements (BAAs) with all covered entities
  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any security incidents or breaches to covered entities

Business Associate Agreement (BAA)

We provide and execute Business Associate Agreements with all healthcare providers using MedCrypt. To request a BAA or if you have questions about our agreement, please contact us at medcryptsoftware@gmail.com.

3. Administrative Safeguards

We implement comprehensive administrative policies and procedures to manage the selection, development, implementation, and maintenance of security measures:

Workforce Training

All team members complete HIPAA training and sign confidentiality agreements

Access Management

Role-based access controls following the principle of least privilege

Risk Assessment

Regular security risk assessments and vulnerability scanning

Policies & Procedures

Documented security policies reviewed and updated annually

Key Administrative Controls:

  • Security Officer: Designated security official responsible for HIPAA compliance
  • Workforce Clearance: Background checks and access authorization procedures
  • Termination Procedures: Immediate access revocation upon employee termination
  • Security Awareness: Ongoing security awareness and training programs
  • Incident Response: Documented procedures for responding to security incidents
  • Contingency Planning: Data backup, disaster recovery, and emergency operations plans

4. Physical Safeguards

Our infrastructure is hosted on enterprise-grade cloud platforms with comprehensive physical security measures:

Data Center Security

SOC 2 Type II certified facilities with 24/7 security personnel

Infrastructure

Redundant systems across multiple availability zones

Media Controls

Secure disposal and sanitization of hardware and storage media

Facility Access

Biometric access controls and comprehensive video surveillance

Infrastructure Partners:

  • Supabase: SOC 2 Type II compliant PostgreSQL database hosting with encryption at rest
  • Vercel: SOC 2 Type II certified edge network with global data centers
  • OpenAI: Enterprise-grade API with data processing agreements for AI features
  • Google Cloud: HIPAA-eligible services for calendar and video conferencing integration

5. Technical Safeguards

We implement robust technical controls to protect ePHI from unauthorized access:

Encryption

AES-256 encryption at rest, TLS 1.3 encryption in transit

Authentication

Multi-factor authentication (2FA) with TOTP and email verification

Audit Controls

Comprehensive logging of all access and modifications to PHI

Integrity Controls

Data validation, checksums, and tamper detection mechanisms

Security Features:

  • Access Control: Unique user identification with automatic session timeout
  • Automatic Logoff: Configurable inactivity timeout (default: 15 minutes)
  • Transmission Security: All data transmitted over HTTPS with TLS 1.3
  • Audit Logging: Immutable logs of all PHI access, modifications, and deletions
  • Rate Limiting: Protection against brute force and denial of service attacks
  • Password Security: Secure hashing (bcrypt), complexity requirements, and breach detection
  • Data Backup: Automated daily backups with point-in-time recovery capabilities

6. Breach Notification Procedures

In the event of a breach of unsecured PHI, MedCrypt follows strict notification procedures in compliance with the HIPAA Breach Notification Rule:

Breach Response Timeline

  • Immediate: Contain the breach and begin investigation
  • Within 24 hours: Notify affected covered entities
  • Within 60 days: Covered entities notify affected individuals
  • Annual Report: Breaches affecting fewer than 500 individuals are reported to HHS annually

Our Breach Response Includes:

  • Immediate containment and remediation of the security incident
  • Thorough investigation to determine the scope and cause
  • Risk assessment to evaluate potential harm to affected individuals
  • Notification to covered entities with details of the breach
  • Cooperation with covered entities on individual notifications
  • Documentation and reporting to HHS as required
  • Post-incident analysis and implementation of preventive measures

7. Patient Rights Under HIPAA

HIPAA grants patients specific rights regarding their health information. MedCrypt's platform enables healthcare providers to fulfill these obligations:

  • Right to Access: Patients can request copies of their medical records. Our platform supports data export in multiple formats (PDF, CSV, JSON).
  • Right to Amendment: Patients can request corrections to their records. The platform maintains an audit trail of all amendments.
  • Right to Accounting of Disclosures: Patients can request a list of disclosures. Our audit logs track all access to PHI.
  • Right to Request Restrictions: Patients can request restrictions on certain uses or disclosures of their information.
  • Right to Confidential Communications: Patients can request alternative means or locations for receiving communications.
  • Right to Notice: Patients have the right to receive a notice of privacy practices from their healthcare provider.

8. PHI Data Handling

8.1 Minimum Necessary Standard

We adhere to the HIPAA minimum necessary standard, ensuring that access to and disclosure of PHI is limited to the minimum amount necessary to accomplish the intended purpose.

8.2 Data Retention

PHI is retained in accordance with applicable laws and professional requirements:

  • Active accounts: Data retained as long as the account is active
  • Account deletion: Data securely deleted within 30 days of account closure
  • Legal requirements: Some data may be retained longer if required by law

8.3 Data Disposal

When PHI is no longer needed, it is securely disposed of using methods that render the information unreadable and unrecoverable. This includes cryptographic erasure for electronic data and secure deletion from all backup systems.

9. AI Features and PHI

MedCrypt uses AI-powered features for prescription OCR, medical insights, and clinical decision support. We handle PHI in AI processing with strict safeguards:

  • Data Processing Agreements: We have appropriate agreements with AI service providers
  • No Training on Your Data: Your PHI is never used to train AI models
  • Encrypted Transmission: All data sent to AI services is encrypted in transit
  • Minimal Data Exposure: Only necessary data is processed; results are immediately returned
  • No Data Retention by AI: AI providers do not retain PHI after processing
  • Audit Logging: All AI interactions involving PHI are logged

10. Compliance Verification

We regularly verify and maintain our HIPAA compliance through:

  • Annual Risk Assessments: Comprehensive evaluation of potential risks to PHI
  • Penetration Testing: Regular security testing by qualified professionals
  • Vulnerability Scanning: Automated scans for security vulnerabilities
  • Policy Reviews: Annual review and update of security policies
  • Training Updates: Regular refresher training for all team members
  • Third-Party Audits: Independent assessments of our security controls

11. Contact Our Privacy Officer

For questions about HIPAA compliance, to request a Business Associate Agreement, or to report a privacy concern:

MedCrypt Privacy & Compliance Team

Email: medcryptsoftware@gmail.com

Use the subject line "HIPAA Inquiry" for the fastest response

12. Related Documents