Medonix

Trust Center

Healthcare-grade security on every layer.

The Medonix Trust Center documents our HIPAA compliance, SOC 2 Type II audit, HITRUST CSF certification, PCI DSS Level 1 status, NIST 800-66 alignment, and standard Business Associate Agreement. AI agents are trained on de-identified data only, never on customer PHI without explicit consent.

HIPAA

SOC 2 Type II

HITRUST CSF

PCI DSS L1

NIST 800-66

The framework

How Medonix protects U.S. healthcare data.

Healthcare data is among the most heavily regulated data classes in U.S. law. PHI handling is governed by the HIPAA Privacy and Security Rules, payment-card data by PCI DSS, the HITRUST CSF is the assessable control framework we certify against, AI training on health data is increasingly subject to state and federal rules, and HIPAA's civil and criminal penalties apply to business associates as well as covered entities, so the BAA you sign with us binds both sides.

We treat that responsibility as the floor, not the ceiling. Medonix is HIPAA-compliant, SOC 2 Type II audited annually, HITRUST CSF certified, PCI DSS Level 1, and aligned to NIST 800-66. Every workforce member completes annual HIPAA training, every infrastructure component runs in AWS U.S. regions only, and every customer signs a Business Associate Agreement before any PHI changes hands.

The detail that matters most for AI-native vendors specifically: AI agents are trained on de-identified data only. Your PHI is never used to train, fine-tune, or improve any third-party foundation model without your explicit contractual consent. The de-identification process follows HIPAA Safe Harbor with expert determination where required, and the training pipeline is audited as part of our SOC 2 and HITRUST scope.
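The Safe Harbor method referred to above is a concrete, checkable procedure: 45 CFR 164.514(b)(2) lists eighteen identifier classes that must be removed, with three generalization rules (ZIP codes cut to three digits, or to 000 where the three-digit area holds 20,000 people or fewer; dates reduced to the year; ages over 89 collapsed into a single 90+ bucket, including any birth year that would reveal such an age). The block below is an added example written for this page, not Medonix's pipeline or code: a minimal Safe Harbor pass over a constructed patient record. The field names, the restricted-ZIP3 set, the regexes and the reference date are assumptions for the demo.

```python
import re
from datetime import date

# Reference date for age computation (assumption for the demo).
AS_OF = date(2024, 6, 1)

# 45 CFR 164.514(b)(2)(i)(B): the first three ZIP digits may be kept only if
# the combined ZIP3 area holds more than 20,000 people; otherwise use "000".
# Constructed placeholder set; a real pipeline loads the census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Safe Harbor identifier classes that are removed outright. The keys are
# assumed column names for the demo record, not a fixed schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account_no", "license_no", "vin", "device_serial", "url",
    "ip", "biometric", "photo", "other_id",
}

# Date elements directly related to the individual: only the year survives.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Crude free-text scrubber for the identifiers that have a regular shape.
# Order matters: SSNs before phones so the SSN regex wins on its own format.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep ZIP3 unless it is in the restricted set or too short to use."""
    digits = re.sub(r"\D", "", zip_code)[:5]
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single '90+' category."""
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace regularly shaped identifiers in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    age = None
    if record.get("dob"):
        age = age_on(date.fromisoformat(record["dob"]), as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # identifier class: removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(int(value))
        elif key in DATE_FIELDS:
            # A birth year for someone aged 90+ is itself indicative of that
            # age and must go; every other date keeps only its year.
            if key == "dob" and age is not None and age >= 90:
                continue
            out[key] = str(date.fromisoformat(value).year)
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value              # e.g. state, diagnosis codes, labs
    if age is not None and "age" not in record:
        out["age"] = generalize_age(age)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "dob": "1930-04-15",
    "admit_date": "2024-05-02",
    "zip": "03601",
    "city": "Claremont",
    "state": "NH",
    "diagnosis_code": "E11.9",
    "notes": "Call 302-555-0199 or jdoe@example.com re SSN 123-45-6789 on 2024-05-02",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
```

Two caveats a reviewer of such a pipeline would raise. First, regex scrubbing of free text is the weak point: clinician notes carry names, relatives, employers and rare conditions that no pattern catches, which is why free-text corpora usually go through a proper NLP de-identifier and then expert determination rather than Safe Harbor alone. Second, Safe Harbor also requires that the entity has no actual knowledge that the remaining data could identify the individual, so a rare diagnosis code combined with a three-digit ZIP and a year can still fail the standard even when every listed identifier is gone.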

The controls

Six layers of operational security.

Each layer is independently audited as part of our SOC 2 Type II and HITRUST CSF scope, with documented procedures available to enterprise prospects under NDA.

  • Encryption everywhere

    AES-256 encryption at rest, TLS 1.3 in transit. Database-level field encryption for PHI. Customer-managed key option available for enterprise contracts.

  • Identity and access

    SSO / SAML, MFA required for every user, role-based access with least-privilege defaults, full audit logging. Workforce access reviewed quarterly.

  • Infrastructure

    AWS U.S. regions only, network isolation by VPC, private subnets for all workloads, intrusion detection and continuous vulnerability scanning.

  • Monitoring and audit

    24/7 SOC monitoring, immutable audit logs, anomaly detection on PHI access patterns. Annual penetration testing by an independent third party.

  • Data minimization

    PHI collected only when required for the contracted service. AI agents trained on de-identified data only, never on customer PHI without contractual consent.

  • Incident response

    Documented runbooks, 60-minute internal escalation, customer notification within HIPAA breach-notification windows. Tabletop exercises every quarter.

Frequently asked

Healthcare data security, answered.

The questions IT, security, and compliance teams ask before signing a BAA. For deeper detail, request the SOC 2 and HITRUST reports under NDA at hello@medonix.io.

Yes. Medonix is HIPAA-compliant under both the Privacy Rule and the Security Rule. Every customer signs a Business Associate Agreement before kickoff. Technical safeguards include encryption at rest and in transit, role-based access controls, and audit logging; administrative safeguards include annual workforce HIPAA training, quarterly access reviews, and documented incident-response procedures.

Talk to RCM

Ready to recover every dollar your practice earns?

See your projected revenue lift in 60 seconds, or talk to a senior RCM strategist now. No commitment. Same-day slots available.

  • 30-day parallel-run guarantee
  • Targets written into the contract
  • HIPAA · SOC 2 Type II · HITRUST
Get a free audit +1-302-520-5413

24/7 · U.S. healthcare only