HIPAA Compliance & Security
Enterprise-grade security protecting every piece of patient data
Our Commitment
ProfixMed AI Medical Scribe is designed from the ground up for healthcare. We understand that protecting patient information isn't just a legal requirement - it's a fundamental responsibility. Every feature we build starts with security and privacy at its core.
Encryption Everywhere
Data at Rest
- ✓ AES-256-GCM encryption (bank-grade standard)
- ✓ Patient names, MRNs, and identifiers encrypted
- ✓ Encryption keys securely managed and rotated
Data in Transit
- ✓ TLS 1.2 or higher for all communications
- ✓ HTTPS enforced on all connections
- ✓ No patient data ever transmitted unencrypted
Access Controls
| Role | Access Level |
|---|---|
| Provider (User) | Own patient sessions and notes |
| Organization Admin | User management + organization settings |
| Auditor | Compliance logs and security reports (read-only) |
| Support | Limited access for troubleshooting |
Automatic Session Management
Sessions automatically lock after 15 minutes of inactivity, with a warning shown 2 minutes before the lock. This prevents unauthorized access if you step away from your workstation.
Complete Audit Trail
Every action involving patient data is logged:
- ✓ Who accessed what, when, and from where
- ✓ All data views, edits, and exports tracked
- ✓ Login attempts (successful and failed) recorded
- ✓ EHR data exchanges logged with full details
Audit logs are immutable (cannot be modified or deleted), retained for 7+ years (HIPAA requirement), and available for compliance reviews and investigations.
Business Associate Agreements
We maintain signed Business Associate Agreements (BAAs) with all vendors who may access patient data:
| Service | Purpose | BAA Status |
|---|---|---|
| Supabase | Database & Authentication | Available |
| Deepgram | Medical Speech Transcription | Available |
| Anthropic | Clinical AI Processing | Available |
| AWS | Cloud Infrastructure | AWS BAA Program |
Infrastructure Security
Database Security
- Row-Level Security (RLS) enforced
- Encrypted connections to database
- Regular automated backups
- Point-in-time recovery available
Storage Security
- Audio recordings protected by RLS policies
- Users can only access their own sessions
- All storage buckets private
- Audited administrator access
Your Data Rights
Account Deletion
Request complete account deletion at any time. All patient sessions, recordings, and settings will be permanently removed. Audit logs are anonymized for compliance.
Data Export
Request a complete export of your data at any time through Settings > Privacy.