Security & HIPAA Compliance
HIPAA Compliant | SOC 2 Type II (In Progress) | Zero PHI Storage
🛡️ Our Security Promise
MDS Genie operates on a "Zero PHI Storage" architecture. We process clinical notes to generate MDS assessments but never store patient health information. Your sensitive data is processed in real-time and immediately discarded, minimizing risk and ensuring maximum privacy protection.
Zero PHI Storage Architecture
Data Flow Architecture
Clinical Note Input → [Encrypted Transmission] → Azure OpenAI Processing → MDS Results → [Encrypted Response] → Your Browser
✓ NO data stored at any point
How "Zero PHI Storage" Works:
- Input: You paste clinical notes into our secure interface
- Processing: Data is encrypted and sent directly to Azure OpenAI
- Results: MDS codes are generated and returned immediately
- Deletion: All patient data is purged from memory instantly
- Storage: We only store your account information and usage metrics, never PHI
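The flow above and the "No PHI in logs" claim amount to one engineering rule: the model call is stateless, and the only record the service keeps is an audit entry that carries metadata about the request, never its content. The following Python is an added illustration of that pattern and is not MDS Genie's own code; the model call, the audit key and the sample note are all constructed stand-ins. The audit writer enforces an explicit allowlist of fields so that note text cannot enter the log by accident, and a keyed, truncated HMAC gives a correlation token for two requests without the log holding any part of the note.

```python
"""Added example, not MDS Genie's code: a stateless handler that returns model
results to the caller while the audit trail records metadata only."""
import hashlib
import hmac
import time

# Assumed: a per-deployment secret used only to derive correlation tokens.
# A keyed digest, unlike a plain hash, cannot be brute-forced back to the note.
AUDIT_KEY = b"constructed-demo-key-replace-in-deployment"

# Explicit allowlist of audit fields. Anything else is refused at write time,
# so a future field that happens to hold note text cannot silently be logged.
AUDIT_FIELDS = frozenset(
    {"ts", "user_id", "note_chars", "note_token", "status", "latency_ms"}
)

# Constructed sample input; stands in for a pasted clinical note.
SAMPLE_NOTE = "Resident ambulated 50 ft with walker.\nNo pain reported."

audit_log: list[dict] = []  # stand-in for the real audit sink


def audit(**fields) -> None:
    """Append one audit record, rejecting any field outside the allowlist."""
    extra = set(fields) - AUDIT_FIELDS
    if extra:
        raise ValueError(f"refusing to log non-allowlisted fields: {sorted(extra)}")
    audit_log.append(fields)


def correlation_token(note: str) -> str:
    """Keyed, truncated digest: lets two requests be correlated in the log
    without the log containing any part of the clinical note."""
    return hmac.new(AUDIT_KEY, note.encode(), hashlib.sha256).hexdigest()[:16]


def demo_model(note: str) -> dict:
    """Hypothetical stand-in for the Azure OpenAI request; returns only
    derived results, never echoes the note."""
    return {"note_lines": len(note.splitlines()), "mds_items": []}


def process_note(note: str, user_id: str, call_model=demo_model) -> dict:
    """Send the note to the model, return the result, keep nothing else.

    The note lives only in this frame; the audit record written on the way
    out holds its length and a keyed token, not its text.
    """
    start = time.monotonic()
    status = "ok"
    try:
        return call_model(note)
    except Exception:
        status = "error"
        raise
    finally:
        audit(
            ts=time.time(),
            user_id=user_id,
            note_chars=len(note),
            note_token=correlation_token(note),
            status=status,
            latency_ms=round((time.monotonic() - start) * 1000),
        )


def log_contains_note_text(note: str) -> bool:
    """Defender's check: does any audit value contain any line of the note?"""
    lines = [ln for ln in note.splitlines() if ln.strip()]
    for entry in audit_log:
        for value in entry.values():
            if any(ln in str(value) for ln in lines):
                return True
    return False


if __name__ == "__main__":
    print(process_note(SAMPLE_NOTE, "user-1"))
    print(audit_log[-1])
    print("note text in log:", log_contains_note_text(SAMPLE_NOTE))
```

The allowlist is the part worth copying: a log sink that accepts arbitrary key-value pairs will eventually receive a request body from a well-meaning debug statement, whereas one that refuses unknown fields fails loudly in testing instead of silently in production.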
Technical Security Measures
🔐 Encryption
- TLS 1.3 in transit
- AES-256 at rest
- End-to-end encryption
🔑 Access Control
- Multi-factor authentication
- Role-based permissions
- Session management
📊 Audit Logging
- Comprehensive access logs
- Activity monitoring
- No PHI in logs
🛡️ Infrastructure
- HIPAA-compliant hosting
- DDoS protection
- 24/7 monitoring
HIPAA Compliance Framework
Administrative Safeguards
- Designated HIPAA Security Officer
- Workforce training and access management
- Regular risk assessments and audits
- Incident response procedures
- Business Associate Agreements (BAAs) with all vendors
Physical Safeguards
- Secure data center facilities (SOC 2 certified)
- Access controls and monitoring
- Secure equipment disposal procedures
- Workstation security policies
Technical Safeguards
- Unique user identification and authentication
- Automatic logoff and encryption
- Audit controls and integrity monitoring
- Transmission security with TLS 1.3
- Access control and authorization systems
Third-Party Security
Our Infrastructure Partners
All third-party services we use are HIPAA compliant and have signed Business Associate Agreements:
- Microsoft Azure / OpenAI: HIPAA-compliant AI processing
- Cloud Infrastructure: SOC 2, ISO 27001, HIPAA certified
- Payment Processing (Stripe): PCI DSS Level 1 compliant
Security Incident Response
⚡ Rapid Response Protocol
In the unlikely event of a security incident:
- Detection: 24/7 automated monitoring and alerting
- Containment: Immediate isolation of affected systems
- Investigation: Forensic analysis and root cause determination
- Notification: Within 60 days to affected parties (HIPAA requirement)
- Remediation: System hardening and process improvements
Compliance Certifications & Audits
Current Status
- ✅ HIPAA Compliant Architecture
- ✅ Business Associate Agreements in place
- 🔄 SOC 2 Type II audit in progress (Q2 2025)
- 🔄 Annual third-party security assessments
Security Best Practices for Users
We Recommend:
- Use strong, unique passwords (minimum 12 characters)
- Enable two-factor authentication on your account
- Access MDS Genie only from secure networks
- Log out when finished with your session
- Never share your login credentials
- Report any suspicious activity immediately
Data Residency & Sovereignty
- All data processing occurs in US-based data centers
- No international data transfers for PHI processing
- Compliance with state-specific privacy laws (CCPA, etc.)
- Data subject rights fully supported
Regular Security Updates
Continuous Improvement
- Weekly: Security patch updates
- Monthly: Vulnerability assessments
- Quarterly: Penetration testing
- Annually: Third-party security audit
Questions About Security?
🔒 Your Trust is Our Priority
We understand that healthcare data requires the highest level of protection. Our zero-storage architecture, combined with comprehensive security measures and continuous monitoring, ensures your data remains secure while providing the efficiency benefits of AI-powered MDS generation.