HIPAA Compliance

MedFlo AI is committed to maintaining the highest standards of data protection and privacy in healthcare. We are fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) and implement comprehensive safeguards to protect Protected Health Information (PHI).

Our HIPAA Commitment

As a Business Associate under HIPAA, we understand our responsibilities in handling PHI and are committed to maintaining compliance with all applicable regulations, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Our AI-powered admissions automation platform processes the following types of PHI:

  • Referral Documents: H&Ps, medication lists, insurance cards, discharge summaries
  • Clinical Data: 47+ extracted fields including diagnoses, oxygen requirements, weight bearing status, medications, therapy needs, dietary restrictions
  • Patient Demographics: Names, dates of birth, contact information
  • Insurance Information: Coverage details, eligibility status, payer information
  • EHR Synchronization Data: Patient records transferred to/from PointClickCare and other EHR systems

Administrative Safeguards

  • Security Management Process: We implement policies and procedures to prevent, detect, contain, and correct security violations
  • Workforce Training: All team members receive comprehensive HIPAA training and ongoing security awareness education
  • Access Control: Role-based access controls ensure that only authorized personnel can access PHI
  • Incident Response: We maintain a documented incident response plan to address any potential security incidents
  • Business Associate Agreements: We execute BAAs with all covered entities and ensure our subcontractors do the same

Physical Safeguards

  • Facility Access Controls: Our data centers employ multi-factor authentication and 24/7 surveillance
  • Workstation Security: All workstations are secured with automatic screen locks and encryption
  • Device Controls: Policies govern the removal and disposal of devices containing PHI
  • Data Center Security: We utilize tier-certified data centers with redundant power, climate control, and physical security

Technical Safeguards

  • Encryption: All PHI is encrypted at rest using AES-256 and in transit using TLS 1.2+
  • Access Controls: Unique user IDs, automatic logoff, and multi-factor authentication protect against unauthorized access
  • Audit Controls: Comprehensive logging and monitoring track all access to and modifications of PHI
  • Transmission Security: Data transmission is secured using industry-standard encryption protocols
  • Integrity Controls: Mechanisms ensure that PHI is not improperly altered or destroyed

Data Protection Measures

Encryption Standards

  • • AES-256 encryption for data at rest
  • • TLS 1.2+ for data in transit
  • • End-to-end encryption for sensitive communications

Access Management

  • • Role-based access control (RBAC)
  • • Multi-factor authentication (MFA)
  • • Principle of least privilege
  • • Regular access reviews and audits

Monitoring & Auditing

  • • 24/7 security monitoring
  • • Comprehensive audit logging
  • • Regular security assessments
  • • Intrusion detection systems

Breach Notification

In the unlikely event of a breach involving PHI, we have established procedures to:

  • Notify affected covered entities within 24 hours of discovery
  • Provide detailed information about the breach
  • Document all breach-related activities
  • Cooperate fully with covered entities in their notification obligations
  • Take immediate steps to mitigate harm

Regular Audits & Assessments

We conduct regular security assessments to ensure ongoing compliance:

  • Annual HIPAA risk assessments
  • Quarterly security audits
  • Continuous vulnerability scanning
  • Regular policy and procedure reviews

Minimum Necessary Standard

We adhere to the minimum necessary standard by ensuring that access to PHI is limited to only what is necessary to accomplish the intended purpose. Our systems enforce this through:

  • Granular permission controls
  • Field-level access restrictions
  • Purpose-based data access policies

Data Retention & Disposal

We maintain PHI only as long as necessary to provide services or as required by law. When PHI is no longer needed:

  • Data is securely deleted using industry-standard methods
  • Physical media is destroyed according to NIST guidelines
  • Deletion is documented and verifiable
  • Backup data is also securely removed

Patient Rights

We support covered entities in fulfilling patient rights under HIPAA, including:

  • Right to access their PHI
  • Right to request amendments
  • Right to an accounting of disclosures
  • Right to request restrictions on use and disclosure

Compliance Certifications

Our commitment to security and compliance is validated through:

  • HIPAA compliance audits
  • 256-bit AES encryption at rest and in transit
  • HL7 FHIR standard adherence for healthcare interoperability
  • Regular third-party security assessments

Business Associate Relationships

We execute Business Associate Agreements (BAAs) with all third-party services that may access or process PHI on our behalf:

  • Firebase (Google Cloud): Authentication services and secure cloud storage
  • PointClickCare: EHR integration for bidirectional patient data synchronization
  • Background Check Providers: NSOPW, state criminal databases, HHS LEIE, Medicaid exclusion services
  • Insurance Verification Services: Real-time eligibility and coverage verification
  • SMS Notification Provider: Patient communication services

All Business Associates are contractually obligated to maintain the same level of HIPAA compliance and PHI protection as MedFlo AI.

Questions About HIPAA Compliance

If you have questions about our HIPAA compliance program or would like to request a Business Associate Agreement, please contact us:

HIPAA Compliance Officer

Email: compliance@medfloai.com

Email: info@medfloai.com