How quickly do you notify on a breach?

Within 15 calendar days of confirmed breach discovery, earlier than the 60-day statutory ceiling under HIPAA. Notification includes the affected individuals, incident description, unauthorized recipient (if known), and remediation steps. Routine unsuccessful access attempts (port scans, blocked logins) are reported in periodic summary form, not as breach events.

Do you support our security questionnaire?

Yes. We complete CAIQ, SIG Lite, and SIG Core questionnaires within 5 business days of receipt. For custom questionnaires, our security team works directly with your procurement team, typically returned within 7-10 business days depending on length.

Are you HITRUST i1 or r2?

HITRUST CSF r2, the full validated assessment, not the simpler i1. r2 includes the same controls as i1 plus inheritance from authoritative sources, third-party validation, and HITRUST-issued certification.

Platform · Security & Compliance

Compliance you don't have to think about.

Name: Medonix MSO
Address: 300 Delaware Ave Suite 210, Wilmington, DE, 19801, US
Telephone: +1-302-520-5413
Price range: $$

Medonix is HIPAA-compliant, SOC 2 Type II audited annually, HITRUST CSF certified, PCI DSS Level 1, and aligned with NIST 800-66. Every customer signs a BAA before kickoff. PHI access is role-based, encrypted in transit and at rest, and fully audited.

Get a free audit See the full platform

HIPAA+ HITECH compliant

SOC 2Type II audited

HITRUSTCSF certified

PCIDSS Level 1

Security & Compliance

Compliance you don't have to think about, in detail.

Healthcare RCM means handling PHI at scale. Medonix was architected from day one around the controls that healthcare requires, not retrofitted onto a generic SaaS platform. The compliance posture is the same across every customer engagement, every module, and every API call.

Five frameworks operate together: HIPAA (the legal floor for PHI), SOC 2 Type II (operating effectiveness over a 12-month window, audited by a Big Four firm), HITRUST CSF (the healthcare-industry assessable framework that harmonizes HIPAA + NIST + ISO + PCI), PCI DSS Level 1 (covering payment processing on the patient portal), and NIST 800-66 (HIPAA Security Rule implementation guidance).

A signed Business Associate Agreement is executed before any PHI exchange. Customer-specific BAA redlines are negotiated during onboarding. The standard BAA terms are published openly at /legal/baa/.

What is included

Capabilities shipped with this module.

Encryption everywhere
TLS 1.2 minimum (TLS 1.3 preferred) in transit. AES-256 at rest for all PHI stores. Encrypted backups with regular restoration testing.
Role-based access
Least-privilege defaults. Quarterly access reviews. SSO + MFA enforced for workforce. SAML 2.0 / OIDC for customer-side SSO.
Audit logging
Comprehensive PHI access logs with tamper-evident storage. Customer-side audit log API available, so your compliance team can pull access events programmatically.
Incident response
Documented runbooks, 24/7 on-call, and a 15-day breach-notification commitment (vs the 60-day HIPAA ceiling).
Vulnerability management
Continuous scanning, third-party annual penetration testing, and a coordinated vulnerability disclosure program at /security/responsible-disclosure/.
Subcontractor controls
Every subcontractor handling PHI signs a BAA with terms equivalent to ours. Full subcontractor list available to customers under NDA.

How it connects to the rest of your stack.

Security and compliance are not a module. They are the substrate. Every other module on the platform (EHR, PMS, AI Suite, Patient Portal, Analytics, Integrations, API) operates inside the same compliance envelope. Customer-facing artifacts are published at the Trust Center: /security/. Auditor-facing documentation (control narratives, evidence, third-party reports) is available under NDA via the security desk.

Pairs with

Other platform modules.

Frequently asked

Security & Compliance, answered.

Both are available under a mutual NDA. Email security@medonix.io with the subject "Audit report request" and we will respond within one business day. The HITRUST certification letter itself can be shared publicly without NDA on request.

Talk to RCM

Ready to recover every dollar your practice earns?

See your projected revenue lift in 60 seconds, or talk to a senior RCM strategist now. No commitment. Same-day slots available.

30-day parallel-run guarantee
Targets written into the contract
HIPAA · SOC 2 Type II · HITRUST

Get a free audit +1-302-520-5413

24/7 · U.S. healthcare only

Compliance you don't have to think about.

Compliance you don't have to think about, in detail.

How it connects to the rest of your stack.

Other platform modules.

Security & Compliance, answered.

01Where can I see your SOC 2 report or HITRUST certification letter?

02How quickly do you notify on a breach?

03Do you support our security questionnaire?

04Are you HITRUST i1 or r2?

Ready to recover every dollar your practice earns?