
HIPAA & HITRUST Compliance Overview


Medecision maintains strict adherence to U.S. healthcare industry standards for privacy, security, and compliance—most notably the Health Insurance Portability and Accountability Act (HIPAA) and the HITRUST CSF (Common Security Framework). This document outlines how Medecision meets or exceeds each requirement across infrastructure, application design, and operational governance.


HIPAA Compliance

The Medecision platform is fully compliant with the HIPAA Security, Privacy, and Breach Notification Rules. All PHI (Protected Health Information) is handled in accordance with the administrative, technical, and physical safeguards defined by HIPAA.

Administrative Safeguards

  • Formal security risk assessments are conducted annually.

  • Designated Security Officer and Privacy Officer oversee compliance programs.

  • Security training is required for all employees upon hire and annually.

  • Role-based access enforcement for least-privilege operations.

  • Audit logs and user access reviews maintained and reviewed regularly.

Technical Safeguards

  • Encryption: All ePHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).

  • Access Controls: SSO-enforced identity verification and granular RBAC across all services.

  • Audit Logging: Access logs maintained for all PHI-related transactions.

  • Session Timeouts: Default session expiration enforced after 30 minutes of inactivity.

  • Transmission Security: All external communication uses HTTPS, SFTP, or OAuth2-secured FHIR APIs.

Physical Safeguards

  • Hosted entirely in Google Cloud Platform (GCP), which is HIPAA-compliant and maintains its own BAA.

  • Physical data centers managed and secured by Google Cloud infrastructure with 24/7 monitoring and restricted access.

Breach Notification Policy

  • All potential breaches are investigated and documented within 24 hours.

  • Clients are notified within HIPAA-required timelines.

  • Incident response workflows follow NIST guidelines.


HITRUST Certification

Medecision aligns with the HITRUST CSF, which combines regulatory requirements from HIPAA, NIST, ISO, COBIT, and others into a certifiable security and privacy framework.

HITRUST Implementation Scope

  • Covers Medecision’s core SaaS platform including Care Management, Utilization Management, Clinical Intelligence, Data Platform, and APIs.

  • Includes control categories such as:

      ◦ Information Protection Program

      ◦ Access Control

      ◦ Audit Logging & Monitoring

      ◦ Risk Management

      ◦ Physical & Environmental Security

      ◦ Third-Party Management

Certification Process

  • Medecision undergoes a third-party validated HITRUST CSF assessment.

  • Annual updates and interim reviews maintain alignment with the evolving control baseline.

  • Control maturity levels scored based on policy, implementation, and measurement.

Benefits to Clients

  • Confidence in audited security posture.

  • Accelerates client audits and risk assessments.

  • Enables alignment with payers’ and provider groups’ compliance programs.


Key Overlaps: HIPAA vs. HITRUST

Control Area         | HIPAA    | HITRUST
---------------------|----------|-------------------------------------------
Encryption of ePHI   | Required | Required and audited
Access Control       | Required | Required, RBAC enforced, MFA support
Risk Analysis        | Required | Assessed and scored annually
Employee Training    | Required | Maturity measured by policy + proof
Physical Security    | Required | Validated via hosting provider certification
Breach Notification  | Required | Mapped to response SOP and metrics


Compliance Documentation

Clients may request the following documents as part of onboarding or annual vendor risk assessments:

  • Signed Business Associate Agreement (BAA)

  • Medecision’s SOC 2 Type II and HITRUST summary reports

  • Security Policy Handbook and Risk Management Plan

  • Subprocessor list and security SLAs

  • Penetration test reports (summary only)


Governance Framework

  • Quarterly internal compliance audits

  • Annual penetration testing via certified third-party assessors

  • Policy alignment with NIST SP 800-53, ISO 27001, and CMS requirements

  • Legal team reviews client data processing agreements for every BAA

  • Continuous monitoring for compliance risks and vendor controls


Medecision’s commitment to HIPAA and HITRUST ensures a secure foundation for every module and data interaction across the platform—from intake to decision to audit.
