How Medviz Systems protects Protected Health Information, customer data, and the integrity of our services. This page summarizes our administrative, physical, and technical safeguards under HIPAA and other applicable regulations.
1. Compliance Posture at a Glance
Our standing in summary:
- HIPAA — fully aligned with the Privacy Rule, Security Rule, Breach Notification Rule, and HITECH Act
- BAA — Business Associate Agreement executed with every healthcare client before any PHI is exchanged
- Encryption — AES-256 at rest, TLS 1.2+ in transit
- Access controls — role-based access, multi-factor authentication, least-privilege defaults
- Audit logging — every PHI access and modification logged with user, timestamp, and action
- Workforce — annual HIPAA training, background checks, signed confidentiality agreements
- Subprocessors — vetted; covered by downstream BAAs and security commitments
This document is intended for prospects, customers, and procurement teams. For specific contractual commitments, please refer to the executed Services Agreement, Business Associate Agreement, and any negotiated security addenda.
2. HIPAA Compliance
Medviz Systems operates as a HIPAA Business Associate when processing Protected Health Information (PHI) on behalf of healthcare providers ("Covered Entities"). We comply with all applicable provisions of:
- Privacy Rule — 45 CFR Parts 160 and 164, Subparts A and E
- Security Rule — 45 CFR Parts 160 and 164, Subparts A and C
- Breach Notification Rule — 45 CFR Part 164, Subpart D
- HITECH Act — Health Information Technology for Economic and Clinical Health Act
Before any PHI is transmitted to Medviz, the parties execute a Business Associate Agreement defining permitted uses and disclosures, safeguards, breach notification procedures, and termination obligations.
3. Data Protection
Encryption
- Data at rest: AES-256 encryption for all PHI and customer data in databases and object storage
- Data in transit: TLS 1.2+ for all client-server and inter-service communication; weak ciphers disabled
- Backups: encrypted using the same standards; encryption keys managed via cloud KMS with rotation policies
Network Security
- Private subnets and VPC isolation for production workloads
- Web Application Firewall (WAF) and DDoS protection in front of internet-facing endpoints
- Intrusion detection and anomaly monitoring on production environments
Endpoint & Workstation Security
- Workforce devices encrypted at rest with screen-lock policies enforced
- Anti-malware and patch-management agents on all corporate endpoints
- Mobile Device Management (MDM) for remote wipe of company-issued devices
4. Access Controls
Access to systems containing PHI or sensitive customer data is governed by the following principles:
- Least privilege — workforce members receive the minimum access necessary for their role
- Role-based access control (RBAC) — permissions assigned by job function, reviewed quarterly
- Multi-factor authentication (MFA) — required for all production system access, including SSH, admin consoles, and EHR integrations
- Single sign-on (SSO) — centralized identity provider for all corporate applications
- Privileged access management — elevated access requires justification and is time-bound
- Access reviews — quarterly reviews of access lists; immediate revocation on role change or termination
5. Audit Logging & Monitoring
Comprehensive audit logging is enabled across all systems handling PHI:
- All user actions on PHI (read, create, update, delete) are logged with user identity, timestamp, source IP, and resource
- Authentication events (login, logout, MFA challenges, failed attempts) are logged and monitored
- Administrative actions (permission changes, configuration changes, data exports) are logged separately
- Logs are aggregated into centralized, tamper-resistant storage with retention aligned to applicable regulations
- Real-time alerting on suspicious patterns (anomalous access volume, off-hours admin activity, failed authentication spikes)
6. Breach Notification & Incident Response
Medviz maintains a documented Incident Response Plan covering identification, containment, eradication, recovery, and post-incident analysis.
Notification Timeline
In the event of a Breach of Unsecured PHI as defined under 45 CFR §164.402, Medviz will notify the affected Covered Entity:
- Without unreasonable delay and in no case later than sixty (60) calendar days after discovery
- Notification will include the identity of affected individuals (where known), description of the Breach, types of PHI involved, mitigation steps, and corrective actions
Customer Notification for Security Incidents
For Security Incidents that do not rise to the level of a Breach but may affect customer data, Medviz will provide notification consistent with the executed Services Agreement and BAA.
7. Subprocessors
Medviz uses a small number of vetted third-party subprocessors to deliver our services. Each subprocessor:
- Is bound by a written Business Associate Agreement when handling PHI
- Meets or exceeds Medviz's security and compliance standards
- Is reviewed annually for continued suitability
Categories of subprocessors include: cloud infrastructure (compute, storage, networking), monitoring and observability tools, communication and SMS providers (for patient outreach), and payment processors (for fee collection from clients, not PHI).
A current list of subprocessors and their roles is available to customers under NDA upon request to privacy@medviz.ai.
8. Workforce Security & Training
- Background checks — required for all workforce members with access to PHI
- Confidentiality agreements — signed at hire and reviewed annually
- HIPAA training — mandatory at hire and annually thereafter, with role-specific modules for engineers, billing specialists, and customer-facing staff
- Security-awareness training — phishing simulations and ongoing education on social engineering, password hygiene, and incident reporting
- Termination procedures — immediate access revocation, device retrieval, and exit confidentiality reminder
9. Business Continuity & Disaster Recovery
- Backups — production data backed up daily; backups encrypted and tested for restorability
- High availability — critical services run in redundant cloud zones; automatic failover for stateless components
- Recovery objectives — Recovery Point Objective (RPO) and Recovery Time Objective (RTO) defined per service tier; available to customers under the Services Agreement
- Disaster recovery testing — restoration drills performed periodically; results retained for review
- Continuity plan — documented procedures for major outages, including communication protocols with customers
10. Data Retention & Deletion
Medviz retains customer data and PHI only for the duration required to deliver services, comply with legal and regulatory obligations, or as agreed with the customer. Specifically:
- Medical billing records — retained for 7+ years per federal requirements
- PHI under CCM/PCM/RPM/BHI engagements — retained per the applicable BAA and state laws
- Samaat.ai audio recordings — retained no longer than thirty (30) days after note finalization unless otherwise specified
- SMS consent records — retained 4+ years for TCPA compliance
Upon contract termination, customer data is returned or securely destroyed per the terms of the Services Agreement and BAA. Backup copies are retained per the backup-rotation schedule and securely destroyed thereafter.
11. Privacy & Patient Rights
While the Covered Entity (the healthcare provider) is the primary owner of patient privacy responsibilities under HIPAA, Medviz supports patient-rights workflows:
- Access requests — Medviz furnishes PHI to Covered Entities upon request to enable Individual access requests
- Amendment requests — Medviz forwards Individual amendment requests to the Covered Entity and applies approved amendments
- Accounting of disclosures — Medviz maintains required disclosure records and makes them available to the Covered Entity
- SMS opt-out — patients can opt out of SMS messaging at any time by replying STOP
For full details, see our Privacy Policy.
12. Audits, Attestations & Customer Diligence
Medviz conducts internal security reviews on a regular cadence and engages third-party assessments where appropriate to validate controls.
For customer security reviews, Medviz makes the following available under NDA:
- Security questionnaires (SIG, CAIQ, or custom)
- Network and architecture diagrams
- Penetration test summary results
- Subprocessor list and supporting documentation
- Incident response plan (sanitized)
- Employee training records (anonymized)
To request a security review packet, email privacy@medviz.ai with subject line Security Review Request — [Practice Name].
13. Responsible AI & Clinical Documentation
Several Medviz products use AI and machine-learning systems. Our governing principles:
- Human review of clinical content — AI-generated clinical documentation (Samaat.ai SOAP notes, summaries) is presented as a draft for licensed-clinician review and signature. No note is finalized without provider approval.
- AI coding suggestions are advisory only — where AI surfaces a possible coding discrepancy or suggestion, it is presented to the practice or provider for review and approval. Medviz does not modify, apply, or otherwise change provider-submitted coding. All coding decisions remain with the licensed provider and their authorized coders.
- Human review of claim scrubbing — AI-driven claim-scrubbing recommendations are reviewed by experienced billing specialists before claim submission. Claims are never submitted on a fully automated basis.
- Patient consent for recording — Samaat.ai requires explicit patient consent for audio recording, in compliance with federal and applicable state law (including state two-party-consent statutes).
- Training data restrictions — identifiable patient audio and transcriptions are not used to train AI models without explicit written authorization from the Covered Entity.
- Coding scope — Medviz does not perform medical coding; coding remains the responsibility of the licensed healthcare provider.
14. Contact & Reporting
Security & compliance contact: privacy@medviz.ai
Phone: +1 (727) 214-2749 (Mon–Fri, 8am–5pm ET)
To report a security concern, suspected vulnerability, or potential incident: email security@medviz.ai with subject line Security Report. We respond to security reports within one business day.