NewWe now read the actual MRI and CT imaging — not just the radiologist's one-page report. See how →
Trust & compliance

HIPAA compliance

Medrecords AI is built for protected health information (PHI) from the ground up: encrypted, access-controlled, and fully auditable, with human judgment always in the loop.

Compliance status, stated plainly: SOC 2 Type II is audit-ready, not yet a completed certification. ISO 27701 and ISO 42001 are on our roadmap and are not yet held. We won't claim otherwise; ask us for current status any time.

What we do to protect PHI.

HIPAA compliance isn't a checkbox. It's controls that hold up under a security review. Here's what's actually built into the platform today.

Encryption in transit and at rest

Every record is encrypted with TLS 1.2+ in transit and AES-256 at rest. PHI is never sent or stored unencrypted.

Case-level, HIPAA-minimal access

Access follows the minimum-necessary standard: people see only the cases they're assigned to, nothing more.

PHI audit logging

Every PHI access event is logged and auditable: who viewed what, and when, on record.

Secure sessions

Authentication uses JWT/PASETO tokens with strict expiry and validation, not loosely-scoped, long-lived sessions.

SOC 2 Type II, audit-ready

Controls documentation and evidence packages are in place and audit-ready. This is not yet a completed SOC 2 certification.

Never used to train AI models

Your records never leave your control and are never used to train any AI model, ours or anyone else's.

Your records never leave your control and are never used to train any AI model.

Need a Business Associate Agreement?

A BAA is available for covered entities and business associates working with Medrecords AI. Tell us about your organization and we'll get the right paperwork moving.

Request a BAA →

Want the full picture?

HIPAA is one part of how Medrecords AI handles PHI. See the full trust center for encryption, access control, sub-processors, and our DPA process.

Visit the Security & Trust Center →