Security & Trust
We build MedFlow RCMto handle healthcare data responsibly. This page describes our current security controls and an honest view of our compliance roadmap. We believe transparency about what is in place today — and what is still in progress — is the right way to earn a partner’s trust.
Controls in place today
| Area | Control |
|---|---|
| Tenant isolation | Row-Level Security policies scope PHI-bearing tables by practice and role, enforced at the database layer. |
| Access control | Role-based access for admin, practice, and patient roles; authenticated API routes scoped to the caller’s practice. |
| Audit logging | Append-only audit log across PHI-access routes, with cryptographic hash-chain integrity, an active 6-year retention purge, and an administrative review surface. |
| Automatic logoff | Authenticated sessions terminate after 30 minutes of inactivity (HIPAA §164.312(a)(2)(iii)). |
| Encryption in transit | All traffic served over TLS with HSTS and a strict Content-Security-Policy; data exchanged with subprocessors over encrypted channels. |
| Managed infrastructure | Hosted on managed cloud platforms that provide encryption at rest at the storage layer and physical security. |
Compliance posture
| Program | Status |
|---|---|
| HIPAA | In progress. Technical safeguards are partially implemented; a formal risk assessment, complete subprocessor BAAs, and documented administrative safeguards are in active development. We sign Business Associate Agreements with customers. |
| SOC 2 | Planned, not yet started. We have not undergone a SOC 2 examination. We can provide our InfoSec policy and complete a security questionnaire in the interim. |
| Terms & Privacy | Terms of Service · Privacy Policy |
On our roadmap
- Provisioning the encryption key in production and rotating integration credentials (application-level encryption of stored secrets is now implemented in code).
- Completion of a formal HIPAA risk assessment and remediation of identified gaps.
- Executed BAAs with all subprocessors that handle PHI.
- SOC 2 Type II engagement with a third-party auditor.
- Formal incident response plan and workforce security training.
Reporting a vulnerability
If you believe you have found a security issue, please contact security@dionhealth.com. We appreciate responsible disclosure and will respond promptly.
← Back to home