HIPAA compliance
Medrecords AI is built for protected health information (PHI) from the ground up: encrypted, access-controlled, and fully auditable, with human judgment always in the loop.
Compliance status, stated plainly: SOC 2 Type II is audit-ready, not yet a completed certification. ISO 27701 and ISO 42001 are on our roadmap and are not yet held. We won't claim otherwise; ask us for current status any time.
What we do to protect PHI.
HIPAA compliance isn't a checkbox. It's controls that hold up under a security review. Here's what's actually built into the platform today.
Encryption in transit and at rest
Every record is encrypted with TLS 1.2+ in transit and AES-256 at rest. PHI is never sent or stored unencrypted.
Case-level, HIPAA-minimal access
Access follows the minimum-necessary standard: people see only the cases they're assigned to, nothing more.
PHI audit logging
Every PHI access event is logged and auditable: who viewed what, and when, on record.
Secure sessions
Authentication uses JWT/PASETO tokens with strict expiry and validation, not loosely-scoped, long-lived sessions.
SOC 2 Type II, audit-ready
Controls documentation and evidence packages are in place and audit-ready. This is not yet a completed SOC 2 certification.
Never used to train AI models
Your records never leave your control and are never used to train any AI model, ours or anyone else's.
Your records never leave your control and are never used to train any AI model.
Need a Business Associate Agreement?
A BAA is available for covered entities and business associates working with Medrecords AI. Tell us about your organization and we'll get the right paperwork moving.
Want the full picture?
HIPAA is one part of how Medrecords AI handles PHI. See the full trust center for encryption, access control, sub-processors, and our DPA process.