Security & Compliance

HIPAA-ready. Built for healthcare scale.

We align with HIPAA and SOC 2 principles across people, process, and technology. Encryption in transit and at rest, role-based access, immutable audit logs, and rigorous change control help protect PHI while keeping your practice productive.

HIPAA · SOC 2-aligned · NIST CSF · Zero-trust · Audit Logging

At-a-glance
  • TLS 1.2+ in transit; AES-256 at rest
  • RBAC & least-privilege IAM
  • Immutable, signed audit logs
  • Backups, DR, and geo redundancy
  • Change management & CI/CD gates
  • Vendor due diligence & BAAs

Foundational Controls

Practical, enforced controls mapped to HIPAA and SOC 2 principles.

Encryption

TLS 1.2+ for data in transit and AES-256 at rest across databases, snapshots, and object storage.

  • TLS-only endpoints; HSTS
  • Key rotation via cloud KMS
  • Secrets externalized (env/ASM)

Identity & Access

Least-privilege IAM, MFA, IP restrictions for admin access, and fine-grained RBAC in both the application and the infrastructure.

  • Scoped service roles
  • Per-tenant DB access controls
  • Session hardening & auto-rotate

Audit & Monitoring

Immutable, signed audit logs with tamper-evident hashing and retention to meet record-keeping needs.

  • Central log aggregation
  • Alerting on anomalous events
  • Downloadable audit trails

Backups & DR

Automated encrypted backups, point-in-time recovery (PITR), tested restore runbooks, and regional redundancy.

  • Nightly & point-in-time
  • DR playbooks with RTO/RPO
  • Periodic recovery tests

Change Management

Protected branches, code review, CI security checks, controlled deploys with audit trails.

  • PR approvals & sign-offs
  • Static analysis & SCA
  • Infrastructure-as-code

Vendor & BAA

Review of sub-processors, data flow diagrams, and BAAs where required.

  • Risk assessments & DPAs
  • Minimum necessary PHI
  • Annual re-evaluation

Governance & Incident Response

We maintain policies mapped to HIPAA requirements and SOC 2 principles, including access control, change control, business continuity, and incident response.

Role-based policies with periodic training and attestations. Joiners/movers/leavers are handled via documented procedures with just-in-time access.

24/7 monitoring with severity classification, containment, eradication, and postmortems. Customer notification aligned to contractual and regulatory timelines.

Regular dependency updates, automated scanning, patch SLAs by severity, and targeted penetration testing of high-risk surfaces.

Data Handling & Intergy

MediChatApp is designed for Greenway Intergy environments. We follow the principle of minimum necessary when processing PHI for communications, check-in, portal, and revenue automation modules.

Data Types

Patient demographics, appointments, messaging content, and optional encounter/charge metadata.

Storage

Encrypted databases and object storage; strict retention with purge workflows.

Transfers

TLS-only, signed requests; IP allowlists for admin endpoints.

Access

RBAC, MFA, granular logs of access events with export capability.

Need something specific for your security review packet? We can provide architecture diagrams, data flow maps, and control mappings under NDA.

Frequently Asked Questions

Answers to common security and compliance questions.

Do you sign BAAs?

Yes. We offer a Business Associate Agreement and review sub-processor BAAs as part of onboarding.

How is PHI secured?

Encryption in transit and at rest, strict RBAC, immutable audit logging, and monitored infrastructure with backup/DR.

Do you support Intergy?

Yes. Our integrations and workflows are built for Greenway Intergy environments with opt-in automations.

Can we get your controls mapped?

We can share HIPAA and SOC 2 principle mappings, plus policy excerpts, under NDA.
