HIPAA compliant by design
Security isn't an add-on. It's the foundation. Every feature in MedAgento is built with patient privacy and regulatory compliance at its core.
AES-256 encryption
7 years audit retention
Free BAA on all plans
SOC 2 certified infrastructure
How we protect patient data
Six layers of protection that safeguard every piece of PHI in MedAgento.
Encryption
All data encrypted at rest (AES-256) and in transit (TLS 1.3). Database-level encryption with customer-managed keys available for Enterprise plans.
Audit Trail
Every access to PHI is logged with user identity, timestamp, action, and resource. Audit logs are immutable and retained for 7 years.
Access Controls
Role-based access (doctor, staff, patient, admin) with per-object ACLs. Principle of least privilege enforced across the entire platform.
BAA Available
We sign Business Associate Agreements with all covered entities. Our BAA covers all subprocessors: hosting, email, payments. Executed within 24 hours.
Infrastructure
Hosted on SOC 2 Type II certified infrastructure. Regular penetration testing, vulnerability scanning, and documented incident response procedures.
Employee Training
All team members complete annual HIPAA training. Background checks required. Access to production data limited to essential personnel only.
Empowering patients with their data
HIPAA grants patients specific rights over their health information. MedAgento supports every one of them directly through the platform.
Right of Access
Patients can view and download their complete health records through the patient portal.
Right to Amend
Patients can request corrections to their health information directly through their account.
Accounting of Disclosures
Full audit trail of who accessed their records, when, and why, available on request.
Right to Restrict
Patients can request restrictions on how their information is used and disclosed.

Incident Response
In the unlikely event of a security incident, MedAgento follows a documented response plan to minimize impact and ensure full transparency.
Detection & Containment
Automated monitoring detects anomalies. Affected systems are isolated within minutes.
Notification
Covered entities are notified within 24 hours. Full cooperation with breach investigation.
Remediation
Root cause analysis, system hardening, and updated procedures to prevent recurrence.
HIPAA compliance questions
Common questions about our security and compliance practices.
Is MedAgento HIPAA compliant?
Yes. MedAgento is fully HIPAA compliant with end-to-end encryption, role-based access controls, comprehensive audit logging, and a BAA available for all plans at no additional cost.
Do you sign a Business Associate Agreement (BAA)?
Yes. We sign BAAs with all covered entities. Our BAA covers all subprocessors including hosting, email, and payment processing. We can execute a BAA within 24 hours of request.
How long are audit logs retained?
Audit logs are retained for 7 years in immutable storage. They include user identity, timestamp, action performed, resource accessed, and IP address for every PHI access event.
What happens in case of a data breach?
MedAgento has a documented incident response plan. In the event of a breach, affected covered entities are notified within 24 hours, and we provide full cooperation with breach investigation and HHS notification requirements.
Can patients access their own health information?
Yes. Patients can access, download, and request amendments to their health information through the MedAgento patient portal, in compliance with the HIPAA Right of Access.
Do you support SOC 2 compliance?
MedAgento is hosted on SOC 2 Type II certified infrastructure. We can provide our SOC 2 report and security documentation upon request under NDA.
Questions about compliance?
Our Security and Privacy teams are available to answer questions, provide documentation, and execute BAAs.
Ready to modernize your practice?
Start your 14-day free trial. HIPAA compliant from day one. BAA available for all plans.