Security & Privacy

Data Security & Privacy Architecture

Mediflowly is designed with HIPAA controls in mind. This page is written for hospital IT departments, CISOs, and compliance teams evaluating Mediflowly as a vendor.

Security Control Layers

  • Physical & Infrastructure Controls: SOC 2 Type II cloud infrastructure | Redundant availability zones
  • Technical Controls: TLS 1.3 in transit | AES-256 at rest | OAuth 2.0 auth
  • Administrative Controls: RBAC | Audit logging | BAA | De-identification
  • Operational Analytics: De-identified flow data only

Designed with HIPAA controls in mind

Architecture

Security principles and controls

Built for hospital IT security review requirements. No vague claims — specific controls listed.

Data in Transit Encryption

All data transmitted between your EHR and Mediflowly's ingestion layer is encrypted using TLS 1.3. Connections with TLS versions below 1.2 are refused. SMART on FHIR OAuth 2.0 authentication is used where supported by the EHR; mutual TLS certificate pinning is used for HL7 v2 feed connections.

Data at Rest Encryption

All data stored in Mediflowly's operational data store is encrypted at rest using AES-256. Encryption keys are managed via a dedicated key management service with rotation policies. Backups are encrypted with the same standard. Storage is on SOC 2 Type II-audited cloud infrastructure.

Role-Based Access Control

Mediflowly uses granular role-based access control (RBAC) with predefined roles, including View-Only (charge nurse, bed coordinator), Reporting (department manager), Configuration (IT admin), and Platform Admin. User provisioning and deprovisioning follow your organization's existing user directory where SSO is configured.

Audit Logging

All user actions within Mediflowly are logged with timestamp, user identity, action type, and data accessed. Logs are retained for 24 months and are exportable for your internal security audit and compliance review requirements. Tamper-evident log storage prevents post-hoc modification.

BAA

Business Associate Agreement

Mediflowly executes a Business Associate Agreement (BAA) with all health system customers prior to any data exchange. The BAA is standard and non-negotiable on core HIPAA obligations, with negotiable provisions on breach notification timelines and audit rights. We do not require lengthy legal review processes — our standard BAA has been reviewed by hospital legal counsel at multiple regional health systems.

HIPAA Framework

Designed with HIPAA Controls in Mind

Mediflowly is designed to support your HIPAA program — not to replace your organization's own compliance obligations. The controls below describe how we support each HIPAA safeguard category.

Administrative

Administrative Safeguards

  • Designated security officer (Mediflowly side)
  • Workforce security training program
  • Access authorization and termination procedures
  • Incident response procedures and breach notification
  • BAA execution with all subcontractors handling PHI

Technical

Technical Safeguards

  • Unique user authentication — no shared credentials
  • Automatic session timeout after inactivity
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Audit controls with tamper-evident logs
  • De-identification at ingestion using Safe Harbor method

Physical

Physical Safeguards

  • Hosted on cloud infrastructure with physical access controls
  • Data center physical access restricted to authorized personnel
  • Device and media disposal procedures for any Mediflowly hardware
  • Remote workforce endpoint security policy

Note on regulatory language: Mediflowly describes itself as "designed with HIPAA controls in mind" and as a tool that "supports your HIPAA program." This means we have implemented the controls above with reference to the HIPAA Security Rule's safeguard categories. It does not mean Mediflowly has received independent third-party certification under HIPAA — no such formal certification standard exists. Your organization retains its own HIPAA obligations as a Covered Entity regardless of vendor controls.

Security questions before the first demo?

Send your IT security questionnaire to [email protected] and we'll complete it before scheduling.