HIPAA Compliance

Last updated: November 19, 2025

100% HIPAA Compliant

Our Commitment to HIPAA Compliance

MDHex Inc. ("MDHex") is fully committed to protecting the privacy and security of Protected Health Information (PHI). We have implemented comprehensive administrative, physical, and technical safeguards to ensure compliance with HIPAA regulations.

Administrative Safeguards

  • Security Officer: Designated personnel responsible for security policies
  • Risk Assessment: Regular security risk assessments and mitigation
  • Business Associate Agreements: BAAs with all third-party service providers
  • Workforce Training: Security awareness and HIPAA training programs
  • Incident Response: Documented breach notification procedures

Technical Safeguards

  • Access Control: Role-based access with unique user identification
  • Authentication: Mandatory two-factor authentication (TOTP) for all users
  • Encryption: TLS 1.2+ encryption in transit, AES-256 encryption at rest
  • Audit Controls: Comprehensive logging of all PHI access and modifications
  • Automatic Logoff: 30-minute session timeout for inactive users
  • Integrity Controls: Mechanisms to verify PHI has not been improperly altered

Physical Safeguards

  • Cloud Infrastructure: Google Cloud Platform data centers with SOC 2 Type II certification
  • Workstation Security: Policies for secure workstation use and access
  • Device Controls: Policies for hardware and electronic media handling

Business Associate Agreements

We maintain signed Business Associate Agreements (BAAs) with all service providers who may access PHI:

  • Google Cloud Platform - Cloud infrastructure, AI services (BAA signed October 2025)

Audit Logging

All access to PHI is logged with the following information:

  • User identification and timestamp
  • Action performed (view, create, update, delete)
  • Resource accessed (patient ID, record type)
  • IP address and session information
  • Success or failure of the action

Audit logs are retained indefinitely and are immutable (cannot be modified or deleted).

Breach Notification

In the event of a breach involving unsecured PHI, we will:

  • Notify affected individuals within 60 days
  • Notify the HHS Secretary as required
  • Notify media outlets if a breach affects more than 500 residents of a state
  • Document and retain records of all breaches

Your Responsibilities

As a user of MDHex, you are responsible for:

  • Protecting your login credentials and 2FA device
  • Logging out when not actively using the application
  • Reporting any suspected security incidents
  • Using the platform only for authorized purposes
  • Ensuring your organization has appropriate policies in place

Contact Us

For questions about our HIPAA compliance or to report a security concern:
Email: admin@mdhex.com