HIPAA Compliance

Medisphere is built from the ground up to protect patient privacy and meet every requirement of the Health Insurance Portability and Accountability Act.

HIPAA Compliant · SOC 2 Type II · AES-256 Encrypted · BAA Ready

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, and clearinghouses) and their business associates — including software platforms like Medisphere.

HIPAA is enforced by the US Department of Health & Human Services (HHS) Office for Civil Rights. Civil penalties are tiered by level of culpability, with an inflation-adjusted cap of roughly $2 million per violation category per calendar year, and the Department of Justice can bring criminal charges for knowingly obtaining or disclosing PHI in violation of the Act.

Protected Health Information (PHI)

PHI is any individually identifiable health information, in any form, created, received, maintained, or transmitted by a covered entity or business associate. Health information becomes identifiable when it is linked to any of the identifiers below, which are drawn from the Privacy Rule's Safe Harbor de-identification list; Medisphere treats any record containing one of them as PHI and gives it the highest level of protection:

Patient names
Dates (DOB, admission, discharge)
Geographic identifiers
Phone & fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/licence numbers
IP addresses
Device identifiers
URLs
Biometric identifiers
Photographic images
Diagnoses & treatment records

All PHI stored in Medisphere is encrypted at rest and in transit and is never used for any purpose beyond delivering care.

Security Safeguards

HIPAA's Security Rule requires three categories of safeguards. Here is how Medisphere meets each one:

Administrative Safeguards
  • Designated Security Officer and Privacy Officer roles with documented responsibilities.
  • Annual HIPAA training for all Medisphere staff with access to PHI.
  • Formal risk analysis and risk management program updated annually.
  • Access authorisation policies — principle of least privilege enforced throughout.
  • Incident response and breach notification plan tested quarterly.
Physical Safeguards
  • Data centres with multi-factor physical access controls, CCTV monitoring, and 24/7 security staff.
  • Infrastructure providers with current SOC 2 Type II attestation reports (SOC 2 is an independent auditor's report on controls, not a certification).
  • Workstation use and security policies for all employees handling PHI.
  • Hardware and media controls with documented disposal procedures.
Technical Safeguards
  • AES-256 encryption for all PHI stored at rest.
  • TLS 1.3 for all PHI transmitted between users and servers.
  • Role-based access control (RBAC) — clinicians see only their own patients' records.
  • Automatic session expiry and workstation lock after configurable inactivity.
  • Comprehensive audit logs capturing every read, write, and delete of PHI.
  • Intrusion detection and real-time security monitoring.
  • Regular vulnerability assessments and annual third-party penetration testing.
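As an added illustration of how the RBAC, session-expiry and audit-log safeguards above fit together (this is example code, not Medisphere's own implementation), the following Python sketch routes every PHI access through one gate: it rejects idle sessions, checks the role's permitted actions, restricts clinicians to their assigned patients, and records every attempt, allowed or denied, in a hash-chained log so that later deletion or editing of an entry is detectable. The roles, timeout, patient assignments and medical record numbers are constructed for the example.

```python
"""Added example (not Medisphere's code): a minimal PHI access gate with
role- and assignment-based authorisation, idle-session expiry, and a
tamper-evident audit log. All names, roles and MRNs are constructed."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data: which clinician is assigned to which patient.
ASSIGNMENTS = {
    "dr.okafor": {"MRN-1001", "MRN-1002"},
    "dr.lindqvist": {"MRN-1003"},
}
# Hypothetical policy: role -> actions permitted on a patient record.
ROLE_ACTIONS = {
    "clinician": {"read", "write"},
    "records_admin": {"read", "write", "delete"},
    "billing": set(),            # billing staff never touch clinical records
}
IDLE_TIMEOUT_SECONDS = 900       # assumed 15-minute inactivity limit


@dataclass
class Session:
    user: str
    role: str
    last_activity: float         # seconds since epoch of the last live request


@dataclass
class AuditLog:
    """Append-only log. Each entry stores the SHA-256 of the previous entry
    and its own hash, so removing or altering any record breaks the chain."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({**record, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        entry = {**record, "prev": prev, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check each back-link; False if tampered."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"},
                              sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access_phi(session: Session, action: str, mrn: str, now: float,
               log: AuditLog) -> bool:
    """Return True if the action is permitted. Every attempt is logged,
    including denials, so the audit trail shows who tried what and why it failed."""
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        outcome = "denied:session_expired"
    else:
        session.last_activity = now      # any live request resets the idle clock
        if action not in ROLE_ACTIONS.get(session.role, set()):
            outcome = "denied:role"
        elif session.role == "clinician" and mrn not in ASSIGNMENTS.get(session.user, set()):
            outcome = "denied:not_assigned"   # minimum necessary: own patients only
        else:
            outcome = "allowed"
    log.append({"ts": now, "user": session.user, "role": session.role,
                "action": action, "mrn": mrn, "outcome": outcome})
    return outcome == "allowed"


def demo():
    """Walk a clinician session through allowed, denied and expired requests."""
    log = AuditLog()
    s = Session("dr.okafor", "clinician", last_activity=1_000.0)
    results = [
        access_phi(s, "read", "MRN-1001", 1_010.0, log),    # own patient: allowed
        access_phi(s, "read", "MRN-1003", 1_020.0, log),    # colleague's patient: denied
        access_phi(s, "delete", "MRN-1001", 1_030.0, log),  # clinicians cannot delete
        access_phi(s, "read", "MRN-1001", 2_000.0, log),    # 970 s idle: session expired
    ]
    return results, log


if __name__ == "__main__":
    outcomes, audit = demo()
    for entry in audit.entries:
        print(entry["user"], entry["action"], entry["mrn"], entry["outcome"])
    print("audit chain intact:", audit.verify())
```

The point of logging denials as well as successes is that a clinician repeatedly probing records outside their assignment is exactly the pattern an audit review (or the real-time monitoring listed above) needs to see; the hash chain makes the log itself a protected artefact rather than just another table an attacker with database access could quietly edit.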

Business Associate Agreements (BAAs)

HIPAA requires covered entities to execute a Business Associate Agreement with every vendor that creates, receives, maintains, or transmits PHI on their behalf. Medisphere functions as a Business Associate for all clinical customers.

  • A BAA is available for all paid subscription plans.
  • The BAA covers all PHI processed through the Medisphere platform.
  • We execute BAAs with our own sub-processors (cloud infrastructure, email delivery).
  • BAA requests are handled within 2 business days — contact legal@medisphere.com.

Enterprise and clinic plan customers may request a customised BAA through their account manager.

Patient Rights Under HIPAA

HIPAA grants patients the following rights over their health information. Medisphere provides tools for covered entities to fulfil these obligations:

  • Right of Access — patients can request a copy of their medical records within 30 days.
  • Right to Amend — patients can request corrections to inaccurate PHI.
  • Right to an Accounting of Disclosures — patients can request a list of PHI disclosures made in the past 6 years.
  • Right to Request Restrictions — patients can request limits on how their PHI is used.
  • Right to Confidential Communications — patients can request PHI be communicated via alternative means.
  • Right to Complain — patients may file complaints with HHS OCR without fear of retaliation.

Breach Notification

In the unlikely event of a security breach involving PHI, Medisphere follows the HIPAA Breach Notification Rule:

  • Affected covered entities are notified without unreasonable delay, and no later than 60 calendar days after discovery.
  • Notification includes: nature of the breach, PHI involved, steps patients should take, steps Medisphere is taking, and contact information.
  • Notifying affected individuals, HHS, and the media is the covered entity's obligation under the rule, and Medisphere supplies the information needed to do so. Breaches affecting 500 or more individuals are reported to HHS at the same time as individuals are notified; where 500 or more of those individuals live in one state or jurisdiction, prominent media outlets serving that area are also notified. Smaller breaches are reported to HHS annually.
  • All breaches — regardless of size — are logged in Medisphere's internal breach register.

To report a suspected security incident immediately, contact security@medisphere.com.

Ready to get your BAA signed?

Contact our compliance team and we'll have it ready within 2 business days.
