HIPAA Compliance · R3 Healthcare Solutions

HIPAA Compliance

Last Updated: October 24, 2025

100% HIPAA Compliant

Our Commitment to HIPAA Compliance

MDHex is designed from the ground up to meet and exceed the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We understand that protecting patient privacy and securing Protected Health Information (PHI) is not just a legal requirement—it's a moral imperative for healthcare technology providers.

This page outlines our comprehensive compliance program and the technical, administrative, and physical safeguards we have implemented to protect your patients' PHI.

HIPAA Compliance Status

Privacy Rule Compliant

Full compliance with HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)

Security Rule Compliant

Full compliance with HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C)

Breach Notification Compliant

Procedures in place for breach notification as required by 45 CFR Part 164, Subpart D

HITECH Act Compliant

Extended protections and breach notification requirements under the HITECH Act

Technical Safeguards (§164.312)

Encryption (§164.312(a)(2)(iv))

  • Data in Transit: All data encrypted using TLS 1.2+ with strong cipher suites
  • Data at Rest: AES-256 encryption for all stored PHI in database and file storage
  • Infrastructure Encryption: Google Cloud Platform infrastructure-level disk encryption
  • Database Connections: Encrypted PostgreSQL connections with SSL/TLS enforcement

Access Control (§164.312(a)(1))

  • Unique User IDs: Every user has a unique identifier and account
  • Role-Based Access Control (RBAC): Four-tier permission system (Super Admin, Org Admin, Editor, View Only)
  • Two-Factor Authentication: Mandatory TOTP-based 2FA for all users
  • Session Management: 30-minute inactivity timeout with automatic logout
  • Password Requirements: Strong password policies enforced
  • Minimum Necessary: PHI masking by default in admin views

Audit Controls (§164.312(b))

  • Comprehensive Logging: All PHI access and modifications logged
  • Audit Log Retention: Indefinite retention (exceeds 6-year HIPAA minimum)
  • Immutable Logs: Append-only audit trail with no deletion capability
  • User Attribution: All actions attributed to specific user accounts
  • Timestamp Records: Precise timestamps for all audit events
  • Export Capability: CSV export for auditors and compliance reviews

Transmission Security (§164.312(e)(1))

  • HTTPS Only: All web traffic encrypted via HTTPS
  • API Security: Encrypted API communications with authentication
  • Email Security: Gmail API with OAuth 2.0 for secure email delivery
  • No PHI in URLs: PHI never transmitted in query parameters

Administrative Safeguards (§164.308)

Security Management Process (§164.308(a)(1))

  • Risk Assessment: Regular security risk assessments documented
  • Risk Management: Identified risks mitigated through technical controls
  • Sanction Policy: Violations result in account suspension or termination
  • Information System Activity Review: Regular audit log review

Workforce Security (§164.308(a)(3))

  • Authorization: Access granted based on job role and necessity
  • Workforce Clearance: Background checks for personnel with PHI access
  • Termination Procedures: Immediate access revocation upon termination

Business Associate Agreements (§164.308(b))

All subcontractors handling PHI have signed BAAs:

  • Google Cloud Platform: Signed BAA (October 10, 2025) - covers all infrastructure
  • Anthropic (via Google Vertex AI): Covered under Google Cloud BAA

Incident Response (§164.308(a)(6))

  • 24/7 Monitoring: Automated security monitoring and alerts
  • Incident Response Plan: Documented procedures for security incidents
  • Breach Notification: Procedures compliant with HIPAA Breach Notification Rule
  • Forensics: Audit logs preserved for incident investigation

Physical Safeguards (§164.310)

Facility Access Controls (§164.310(a)(1))

  • Cloud Infrastructure: All data hosted on Google Cloud Platform
  • Data Center Security: Google's SOC 2, ISO 27001 certified facilities
  • Physical Access: Multi-layered physical security at GCP data centers
  • Geographic Distribution: Data replicated across multiple availability zones

Workstation Security (§164.310(c))

  • Secure Browsers: Modern browser requirements enforced
  • Screen Lock: Automatic session timeout after 30 minutes
  • No Local Storage: PHI stored only in secure cloud infrastructure

Device and Media Controls (§164.310(d)(1))

  • Secure Disposal: Data wiped using secure deletion on account termination
  • Media Reuse: No physical media used; cloud-only infrastructure
  • Data Backup: Automated encrypted backups with geographic redundancy

Application Security Best Practices

Secure Development

  • Dependency Scanning: Automated scanning with mix deps.audit
  • Security Analysis: Static code analysis with Sobelow
  • GitHub Actions: Automated security scans on every commit
  • Vulnerability Disclosure: Security.md with responsible disclosure process

PHI Protection in Code

  • PHI Sanitization: PhiSanitizer module prevents PHI in application logs
  • Error Handling: ErrorSanitizer prevents PHI exposure in error messages
  • Zero PHI in Jobs: Background jobs store only IDs, never PHI in job arguments
  • Production Logging: Log level set to :info (debug disabled in production)

Organizational Policies

Privacy Policies

  • Privacy Policy: Comprehensive privacy policy available at /legal/privacy
  • Minimum Necessary: Default PHI masking in administrative interfaces
  • User Training: Required security and privacy training for all users

Data Rights

Users have the right to:

  • Access their PHI
  • Request amendments to inaccurate PHI
  • Receive an accounting of PHI disclosures
  • Request restrictions on uses and disclosures
  • File complaints regarding privacy practices

Breach Notification Procedures

In the unlikely event of a breach affecting PHI, we will:

  • Immediate Investigation: Begin forensic investigation within 1 hour
  • Customer Notification: Notify affected customers within 24 hours
  • Individual Notification: Notify affected individuals without unreasonable delay (within 60 days)
  • HHS Notification: Notify HHS as required (within 60 days, or immediately for breaches affecting 500+ individuals)
  • Media Notification: Notify prominent media outlets for breaches affecting 500+ individuals in a jurisdiction
  • Documentation: Maintain complete records of all breach investigations

Compliance Documentation

We maintain comprehensive documentation of our compliance program:

  • Risk Assessment: Annual security risk assessment (HIPAA_COMPLIANCE_PLAN.md)
  • Policies and Procedures: Written policies for all HIPAA requirements
  • Training Records: Documentation of security and privacy training
  • Audit Logs: Complete audit trail with indefinite retention
  • BAA Repository: All Business Associate Agreements on file
  • Incident Response Plan: Documented procedures (SECURITY.md)

Third-Party Audits and Certifications

Our infrastructure providers maintain the following certifications:

  • SOC 2 Type II: Google Cloud Platform
  • ISO 27001: Google Cloud Platform
  • HIPAA Compliant: Google Cloud Platform with signed BAA
  • FedRAMP: Google Cloud Platform (for government customers)

Requesting a Business Associate Agreement

If you are a HIPAA Covered Entity, you must execute a Business Associate Agreement (BAA) with us before using MDHex to process PHI.

To request a BAA:

  1. Email us at compliance@mdhex.com
  2. Include your organization name, contact information, and NPI (if applicable)
  3. We will send you our standard BAA within 1 business day
  4. Review, sign, and return the BAA
  5. We will countersign and provide you with a fully executed copy

BAA execution is required before processing any PHI through the MDHex platform.

Contact Our Compliance Team

MDHex Compliance Office

Privacy Officer: privacy@mdhex.com

Security Officer: security@mdhex.com

Compliance Team: compliance@mdhex.com

Report a Security Incident: security@mdhex.com

(24/7 monitoring - incidents reviewed within 1 hour)