HIPAA Compliance Overview
HIPAA Compliant · Business Associate · Zero PHI Storage
🏥 Healthcare-Grade Compliance
MDS Genie is designed from the ground up for HIPAA compliance. As a Business Associate serving healthcare providers, we implement comprehensive safeguards to protect Protected Health Information (PHI) while delivering efficient MDS coding assistance.
Our HIPAA Compliance Approach
✅ Administrative Safeguards
- Designated HIPAA Security Officer
- Workforce training programs
- Access management procedures
- Regular risk assessments
- Incident response planning
✅ Physical Safeguards
- Secure data center facilities
- Access controls and monitoring
- Workstation security policies
- Device and media controls
- Equipment disposal procedures
✅ Technical Safeguards
- Unique user identification
- Automatic logoff controls
- Encryption (TLS 1.3, AES-256)
- Audit logs and monitoring
- Access control systems
Zero PHI Storage Architecture
How We Protect PHI Through Non-Storage
Key Innovation: We process PHI without storing it. Each request passes through five stages:
- Input: Clinical notes entered
- Encrypt: TLS 1.3 transmission
- Process: AI generates codes
- Return: MDS results delivered
- Delete: PHI purged instantly
Business Associate Agreement (BAA)
📄 Required for All Healthcare Customers
As a HIPAA Business Associate, we require a signed BAA before processing any PHI. Our BAA covers:
- Permitted uses and disclosures of PHI
- Safeguards and security requirements
- Breach notification procedures
- Subcontractor requirements
- Return or destruction of PHI
Request Your BAA
HIPAA Compliance Features
✓ Minimum Necessary Standard
We access only the minimum PHI necessary to generate MDS codes. Clinical notes are processed and immediately discarded; there is no long-term access or storage.
✓ Audit Controls
Every system access and processing activity is logged without PHI: the log records who acted, when, and what was done, never the clinical note content. Regular audit reviews confirm compliance and surface anomalies.
✓ Person or Entity Authentication
Multi-factor authentication, strong password requirements, and session management ensure that only authorized users can access the system.
✓ Transmission Security
All data transmissions use TLS 1.3. PHI is encrypted in transit between your browser and our processing systems.
✓ Workforce Training
All team members complete HIPAA training and sign confidentiality agreements. Regular refresher training ensures ongoing compliance.
Risk Assessment & Management
Continuous Risk Management Program
- Annual Risk Assessments: Comprehensive evaluation of potential vulnerabilities
- Quarterly Reviews: Regular updates to address emerging threats
- Penetration Testing: Third-party security assessments
- Vulnerability Scanning: Automated security monitoring
- Risk Mitigation: Documented plans for identified risks
Breach Notification Procedures
Our Commitment in Case of a Breach:
- Immediate Investigation: Rapid response team activation
- Containment: Isolate and secure affected systems
- Assessment: Determine scope and impact
- Notification:
- Covered entities: Without unreasonable delay and no later than 60 calendar days after discovery, as the Breach Notification Rule (45 CFR 164.410) requires of a business associate
- Individuals: As required by law
- HHS: Within 60 days if required
- Remediation: Address root cause and strengthen defenses
Note: Our zero-storage architecture reduces breach exposure because PHI is never retained at rest in our systems. PHI still exists in transit and in memory while a request is processed, which is why the transmission and access safeguards above cover the processing path as well.
Third-Party Compliance
All Our Vendors Are HIPAA Compliant:
- Microsoft Azure / OpenAI:
- Signed Business Associate Agreement
- HIPAA-compliant infrastructure
- Zero data retention for our use case
- Cloud Infrastructure Provider:
- SOC 2 Type II certified
- HIPAA compliant hosting
- 24/7 security monitoring
- Payment Processor (Stripe):
- PCI DSS Level 1 compliant
- No PHI processing
- Secure payment handling
Compliance Documentation
📋 Policies & Procedures
- HIPAA Security Policies
- Privacy Policies
- Incident Response Plan
- Workforce Training Materials
- Risk Assessment Reports
📊 Regular Assessments
- Annual HIPAA Audits
- Quarterly Risk Reviews
- Monthly Security Scans
- Ongoing Compliance Monitoring
- Third-Party Assessments
Your Rights Under HIPAA
As a Business Associate, we support your patients' HIPAA rights:
- Right to Access: We can provide audit logs of system usage (no PHI stored to access)
- Right to Amendment: Not applicable as we don't store PHI
- Right to Accounting: We track all processing activities
- Right to Restrict: Users control what data is processed
- Breach Notification: Rapid notification if required
Frequently Asked Questions
Q: Do you store patient information?
A: No. We process clinical notes to generate MDS codes but never store any patient information. Data is processed and immediately deleted.
Q: Do I need a BAA to use MDS Genie?
A: Yes, if you're a covered entity under HIPAA. We require a signed BAA before processing any PHI.
Q: How do you ensure AI compliance?
A: We have a BAA with Microsoft for Azure OpenAI services, ensuring HIPAA-compliant AI processing with zero data retention.
Q: What happens to my data after processing?
A: Clinical data is automatically purged from memory immediately after MDS codes are generated and returned to you.
Questions About HIPAA Compliance?
HIPAA Officer: hipaa@mdsgenie.ai
Security Team: security@mdsgenie.ai
Response Time: Within 24 hours for compliance inquiries
Privacy Policy | Security Overview | Data Retention