# HIPAA Compliance

MedTWIN is designed for HIPAA compliance to protect Protected Health Information (PHI).

## Overview

HIPAA (Health Insurance Portability and Accountability Act) sets standards for protecting sensitive patient health information. MedTWIN implements administrative, physical, and technical safeguards as required.

## Our Commitment

### HIPAA Ready

MedTWIN provides Business Associate Agreements (BAAs) for covered entities handling PHI.

## Safeguards

### Administrative
- Security Officer: Designated security officer
- Workforce Training: All employees trained on HIPAA
- Risk Assessment: Annual comprehensive assessments
- Incident Response: 24/7 security monitoring
### Physical
- Data Centers: SOC 2 certified facilities
- Access Controls: Biometric and badge access
- Surveillance: 24/7 monitoring
- Environmental: Fire suppression, redundant power
### Technical
| Control | Implementation |
|---|---|
| Encryption at Rest | AES-256 |
| Encryption in Transit | TLS 1.3 |
| Access Controls | RBAC with MFA |
| Audit Logging | Complete activity logs |
| Session Timeout | 15-minute inactivity |
## Business Associate Agreement

### What's Covered

Our BAA includes:
- Permitted uses of PHI
- Safeguard requirements
- Breach notification procedures
- Subcontractor requirements
- Data return/destruction
### Requesting a BAA

1. Subscribe to the Professional or Enterprise plan
2. Contact hipaa@medtwin.ai
3. Provide your organization details
4. Sign via DocuSign (typically 2-3 business days)
## Data Handling

### Minimum Necessary

We only access PHI when:
- Required to provide services
- Authorized by your BAA
- Necessary for troubleshooting (with your consent)
### Data Retention
| Data Type | Retention |
|---|---|
| Research data | Your configured period |
| Audit logs | 6 years minimum |
| Account data | Until deletion + 30 days |
### Data Destruction

On request or account termination:
- Data securely deleted within 30 days
- Cryptographic erasure applied
- Certificate of destruction available
## Audit Controls

### What We Log
- All access to PHI
- User authentication events
- Data modifications
- API requests
- System events
### Log Protection
- Write-once storage
- Cryptographic integrity
- 6-year retention
- Tamper-evident
## Breach Notification

In the event of a breach:
- Detection: 24/7 monitoring
- Investigation: Within 24 hours
- Notification: Within 24 hours to covered entity
- Documentation: Complete incident report
## Compliance Verification

### SOC 2 Type II
- Annual audit by third party
- Report available under NDA
- Covers security, availability, confidentiality
### Penetration Testing
- Annual testing by qualified firm
- Remediation within 30 days
- Summary available on request
## Your Responsibilities

As a covered entity, you must:
- Sign a BAA before uploading PHI
- Train your users on proper data handling
- Report suspected breaches promptly
- Comply with your own HIPAA policies
## Contact
- HIPAA Privacy Officer: hipaa@medtwin.ai
- Security Team: security@medtwin.ai
- BAA Requests: enterprise@medtwin.ai