HIPAA Compliance

1. Overview

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for the protection of sensitive patient health information. As a technology provider serving healthcare organizations and researchers, MedTWIN AI operates as a Business Associate under HIPAA.

This page outlines our commitment to HIPAA compliance and the safeguards we implement to protect PHI.

2. Our Compliance Framework

3. Business Associate Agreement (BAA)

MedTWIN AI provides Business Associate Agreements to covered entities and their business associates who require HIPAA compliance. Our BAA includes:

• Permitted uses and disclosures of PHI
• Safeguards we implement to prevent unauthorized use
• Breach notification procedures and timelines
• Subcontractor requirements and accountability
• Return or destruction of PHI upon termination
• Audit rights and compliance verification

4. Technical Security Controls

4.1 Encryption

• Data at Rest: AES-256 encryption for all stored PHI
• Data in Transit: TLS 1.3 for all network communications
• Key Management: Hardware Security Modules (HSM) for encryption key storage
• Database Encryption: Transparent Data Encryption (TDE) enabled

4.2 Access Controls

• Authentication: Multi-factor authentication required for all accounts
• Authorization: Role-based access control (RBAC) with principle of least privilege
• Session Management: Automatic timeout after 15 minutes of inactivity
• Password Policy: Strong password requirements with regular rotation

4.3 Audit Controls

• Comprehensive Logging: All access to PHI is logged with user, timestamp, and action
• Tamper-Proof Logs: Audit logs are write-once and cryptographically protected
• Retention: Audit logs retained for minimum 6 years
• Monitoring: Real-time alerts for suspicious access patterns

4.4 Transmission Security

• Network Isolation: PHI processing in dedicated VPC with no public internet access
• API Security: All API endpoints require authentication and use HTTPS
• Firewall Rules: Strict ingress/egress rules with default-deny policy

5. Administrative Safeguards

5.1 Security Officer

MedTWIN AI has designated a Security Officer responsible for:

• Developing and implementing security policies
• Conducting regular risk assessments
• Managing security incidents
• Ensuring workforce compliance

5.2 Workforce Training

• All employees complete HIPAA training upon hiring
• Annual refresher training required
• Role-specific security training for developers and operations
• Documented training records maintained

5.3 Risk Assessment

• Annual comprehensive risk assessment
• Continuous vulnerability scanning
• Regular penetration testing by third parties
• Risk mitigation tracking and documentation

6. Physical Safeguards

Our infrastructure is hosted in HIPAA-compliant data centers with:

• Facility Access: Biometric access controls, 24/7 security personnel
• Surveillance: CCTV monitoring with 90-day retention
• Environmental: Fire suppression, climate control, redundant power
• Hardware Security: Secure disposal procedures for storage media

7. Incident Response & Breach Notification

7.1 Incident Response

Our incident response plan includes:

• 24/7 security monitoring and alerting
• Defined escalation procedures
• Incident classification and severity levels
• Containment, eradication, and recovery procedures
• Post-incident analysis and documentation

7.2 Breach Notification

In the event of a breach involving PHI:

• We will notify affected covered entities within 24 hours of discovery
• We will provide all information needed for their breach assessment
• We will cooperate fully with investigation and remediation
• We maintain breach documentation as required by HIPAA

8. Subcontractors

We require all subcontractors who may access PHI to:

• Sign Business Associate Agreements
• Demonstrate HIPAA compliance
• Implement appropriate safeguards
• Report security incidents promptly

Key subcontractors include:

• AWS: HIPAA-eligible cloud infrastructure (BAA in place)
• Database providers: Encrypted, compliant data storage
• Monitoring services: No PHI access, security monitoring only

9. Patient Rights

We support covered entities in fulfilling patient rights under HIPAA:

• Access: Ability to export patient data in standard formats
• Amendment: Capability to modify records with audit trail
• Accounting: Complete disclosure logs available on request
• Restrictions: Support for patient-requested restrictions

10. Data Handling

10.1 Minimum Necessary

We implement the minimum necessary standard by:

• Limiting access to PHI to authorized personnel only
• Using role-based access with specific data permissions
• De-identifying data where full PHI is not required

10.2 Data Retention & Destruction

• PHI retained according to customer requirements and legal obligations
• Secure deletion using cryptographic erasure
• Certificate of destruction available upon request
• Backup data included in retention/destruction policies

11. Compliance Verification

We demonstrate compliance through:

• Annual Audits: Third-party security assessments
• SOC 2 Type II: Report available under NDA
• Penetration Testing: Annual third-party testing with remediation
• Vulnerability Assessments: Continuous scanning and patching

12. Contact Information

For HIPAA-related inquiries:

• HIPAA Privacy Officer: hipaa@medtwin.ai
• Security Team: security@medtwin.ai
• BAA Requests: enterprise@medtwin.ai

For security incidents, please contact us immediately at security@medtwin.ai with "URGENT: Security Incident" in the subject line.