Skip to content
HIPAA & compliance

Safeguarding patient health information

MedOps is built to help hospitals meet the administrative, physical and technical safeguards described by the HIPAA Security Rule — and to map each one to a concrete platform feature.

Compliance notice. This page describes how the platform is engineered to support HIPAA safeguards; it is not a certification or legal advice. Compliance is a shared responsibility between MedOps and each hospital. Have your own counsel and compliance team review your configuration before relying on it in production.
Regulatory safeguards

Administrative, physical & technical protocols

Our security framework is organised around the three categories of HIPAA safeguards.

Technical safeguards

Encryption, access thresholds and secure transmission.

  • AES-256 encrypted, httpOnly authentication cookies — never readable by client JavaScript.
  • Automatic logout after a configurable window of inactivity (15 minutes by default).
  • TLS in transit, hardened HTTP headers and per-IP rate limiting on every endpoint.

Audit & accountability

A record of who did what, scoped to each tenant.

  • Tenant-scoped audit logging of significant actions (create, update, status changes).
  • Unique user identity with capability-based (feature.action) access control.
  • Logs capture actor, action, timestamp, request path and source IP for review.

Administrative safeguards

Policy, review and operational discipline.

  • Role-based provisioning so staff only get the capabilities their job requires.
  • Vetted sub-processors operating under contract and on documented instructions.
  • Business Associate Agreements (BAAs) available to hospital customers on request.
Technical mappings

Safeguards mapped to features

How HIPAA Security Rule specifications connect to MedOps architecture today.

Access control — §164.312(a)

Each user has a unique identity and a role (Tenant Admin, Doctor, Operations, Nurse, Staff, Pharmacy). Capability-based permissions gate every action, and sessions log out automatically after inactivity.

Transmission security — §164.312(e)

Data is encrypted in transit over TLS, and the authentication token is an AES-256 encrypted, SameSite-restricted cookie rather than a value exposed to browser storage.

Audit controls — §164.312(b)

Significant actions involving records are written to a tenant-scoped audit log with the actor, timestamp, request path and IP, so administrators can review activity within their organisation.

Integrity — §164.312(c)

Money is stored as exact integer paise and clinical writes that must agree (for example a consultation's prescription and bill) are grouped into a single transaction — so records don't end up in contradictory states. End-to-end encrypted PHI with zero-knowledge keys is on our roadmap.

Need a signed Business Associate Agreement?

We provide standard BAAs for hospital networks and medical groups. Reach out and our compliance team will share the packet.

Request compliance packet