📋 Our Commitment

MedConnect Pro ("the Platform") is committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable federal and state regulations governing the protection of electronic Protected Health Information (ePHI).

As a Business Associate, we enter into a Business Associate Agreement (BAA) with every customer. The BAA is included at no additional cost with every MedConnect Pro plan.

🔒 Administrative Safeguards

  • Security Officer: A designated security officer oversees HIPAA compliance and security policies
  • Risk Assessment: Regular risk assessments identify and address potential vulnerabilities
  • Workforce Training: All personnel with access to ePHI receive HIPAA training
  • Incident Response: Documented procedures for identifying, responding to, and reporting security incidents and breaches
  • Access Management: Role-based access controls ensure employees access only the minimum necessary information
  • Business Associate Agreements: BAAs are executed with all subcontractors and service providers who handle ePHI

🏢 Physical Safeguards

  • Data Center Security: Infrastructure hosted in SOC 2 Type II certified data centers with 24/7 physical security
  • Access Controls: Data centers employ biometric access, security cameras, and controlled entry
  • Device Management: Policies for workstation use, mobile devices, and media disposal
  • Environmental Controls: Redundant power, climate control, and fire suppression systems

🔐 Technical Safeguards

  • Encryption at Rest: AES-256 encryption for all ePHI stored in databases and file systems
  • Encryption in Transit: TLS 1.2+ for all data transmission with HSTS preload
  • Access Control: Unique user identification, multi-factor authentication, and automatic logoff after inactivity
  • Audit Controls: Comprehensive logging of all access to ePHI, with PHI-safe sanitization so that sensitive data never ends up in log entries
  • Integrity Controls: Mechanisms to verify ePHI has not been altered or destroyed without authorization
  • Content Security Policy: Strict CSP headers with no unsafe-eval to prevent cross-site scripting attacks
  • Input Sanitization: All user input sanitized to prevent script injection including HTML-entity-encoded attack vectors
  • Tenant Data Isolation: Multi-tenant architecture with strict data isolation; every query is scoped by tenant ID, and that scoping is enforced by middleware rather than left to individual callers
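The two safeguards above that are most often implemented incorrectly are tenant scoping and PHI-safe audit logging. The following is an added illustration written for this page, not MedConnect Pro's own code: the session store, table schema, sample rows, MRN format and redaction patterns are all constructed assumptions. Its point is structural: the tenant ID is taken from the verified session by middleware, every repository read requires that context so no code path can run an unscoped query, and audit entries record who read which record ID and the outcome (never the record's contents), with a redaction filter as a safety net.

```python
# Tenant-scoped data access with PHI-safe audit logging (illustrative example).
import logging
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two clinics (tenants) share one table, so isolation must
# come from the code path, not from each caller remembering to filter. All made up.
SAMPLE_ROWS = [
    ("tenant-a", 101, "Alice Example", "MRN-0001", "1980-01-02"),
    ("tenant-a", 102, "Bob Example", "MRN-0002", "1975-05-06"),
    ("tenant-b", 201, "Carol Example", "MRN-0003", "1990-09-10"),
]
# Constructed session store standing in for the real authentication layer.
SESSIONS = {
    "sess-1": {"user_id": "dr-1", "tenant_id": "tenant-a"},
    "sess-2": {"user_id": "dr-2", "tenant_id": "tenant-b"},
}

def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (tenant_id TEXT, id INTEGER, name TEXT, mrn TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

class TenantScopeError(PermissionError):
    """Raised when a request cannot be tied to exactly one tenant."""

@dataclass(frozen=True)
class RequestContext:
    """Built by middleware from a verified session; the tenant id is never taken
    from a query-string, header or body value that the client controls."""
    user_id: str
    tenant_id: str

def tenant_scope_middleware(session_token: str) -> RequestContext:
    """Reject any request that lacks a valid session with a tenant attached."""
    session = SESSIONS.get(session_token)
    if session is None or not session.get("tenant_id"):
        raise TenantScopeError("request rejected: no tenant scope")
    return RequestContext(session["user_id"], session["tenant_id"])

# Audit entries record who touched which record and the outcome, never the
# contents. The filter is a safety net for PHI that slips into a message anyway.
PHI_PATTERNS = [
    (re.compile(r"MRN-\d+"), "MRN-[REDACTED]"),          # hypothetical MRN format
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),    # ISO dates such as a DOB
]

def sanitize_for_log(message: str) -> str:
    for pattern, replacement in PHI_PATTERNS:
        message = pattern.sub(replacement, message)
    return message

class PHISafeFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize_for_log(record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Keeps formatted entries in memory so the example can inspect them."""
    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

audit_handler = ListHandler()
audit_logger = logging.getLogger("medconnect.audit.example")
audit_logger.setLevel(logging.INFO)
audit_logger.propagate = False
audit_logger.addFilter(PHISafeFilter())
audit_logger.addHandler(audit_handler)

class PatientRepository:
    """Every read takes a RequestContext, so no code path can query without a tenant."""
    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def get_patient(self, ctx: RequestContext, patient_id: int) -> Optional[dict]:
        # The tenant predicate is appended here, unconditionally, not by the caller.
        row = self.conn.execute(
            "SELECT id, name, mrn, dob FROM patients WHERE id = ? AND tenant_id = ?",
            (patient_id, ctx.tenant_id),
        ).fetchone()
        audit_logger.info("user=%s tenant=%s action=read_patient id=%s found=%s",
                          ctx.user_id, ctx.tenant_id, patient_id, row is not None)
        if row is None:
            return None
        return {"id": row[0], "name": row[1], "mrn": row[2], "dob": row[3]}
```

With this layout a request carrying tenant-a's session that asks for record 201 (owned by tenant-b) gets `None`, and the audit trail still records the attempt with `found=False`, which is the kind of cross-tenant probe worth alerting on. The regex filter deliberately redacts only identifiers with a recognisable shape; free-text names are not caught, which is why the primary control is never logging record contents in the first place.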

🗑 Data Retention & Disposal

  • PHI Retention: Minimum 7-year retention from the last patient encounter, per HIPAA requirements
  • Audit Log Retention: Minimum 6-year retention for all audit logs
  • ID Verification Photos: Automatically deleted after 90 days (verification records are retained)
  • Secure Disposal: When data is purged, it is securely destroyed with proof of disposal maintained in audit logs
  • Per-Patient Tracking: Each patient record tracks the last medical encounter date and PHI retention deadline individually

🛒 Storefront Data Handling

When the optional Storefront e-commerce add-on is used, customer data that becomes patient data (through the consultation flow) is handled under the same HIPAA protections:

  • Customer data synced from the Storefront to the Platform is treated as ePHI once a consultation is created
  • The Storefront-to-Platform API communication is encrypted in transit and authenticated with scoped API tokens
  • Payment data is handled securely; raw card numbers are never stored on Platform servers
  • The BAA covers all data flows between the Storefront and Platform

🚨 Breach Notification

In the event of a breach of unsecured ePHI, MedConnect Pro will:

  • Notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery
  • Provide all information required for the Covered Entity to fulfill its breach notification obligations
  • Cooperate fully with any investigation and remediation efforts
  • Maintain documentation of all breach incidents and notifications for a minimum of 6 years

📧 Questions

For questions about our HIPAA compliance, to request a copy of our BAA, or to report a potential security concern, please contact us:

HIPAA Compliance Team: compliance@medconnectpro.com

Last updated: April 2026