HIPAA-compliant by design. Patient-controlled data with full audit trails. BAAs available for practices, health systems, and enterprise customers.
We treat security disclosures the way we treat clinical summaries — clear about what's live, transparent about what's on the way. Additional attestations will be added as they're completed.
Security Rule and Privacy Rule controls implemented across all production systems.
Standard BAA template ready for practices, health systems, and enterprise reviews.
Patients own their records. Export anytime. We never train external models on PHI.
Every read, write, share, and export is logged. Available to covered entities under BAA.
PHI enters through patient- or caregiver-initiated upload, is encrypted in transit and at rest, structured by our AI layer in a HIPAA-compliant cloud, and surfaced only to people the account holder has explicitly shared with.
Files arrive over TLS 1.3 from the patient's or caregiver's device, into their private account. We don't pull from EHRs by default.
US-based HIPAA-compliant cloud infrastructure. Key management through provider KMS with documented rotation policies.
OCR, parsing, and structuring run inside the same secure environment. We never use customer PHI to train external models.
RBAC for patients, caregivers, clinicians, and practice admins. Every access event logged with user, timestamp, and IP.
For the IT and security teams who need to see the granular controls before procurement gives a green light.
TLS 1.3 in transit, AES-256 at rest. Provider KMS for key management with documented rotation.
RBAC across patients, caregivers, clinicians, practice admins. Granular sharing permissions on every document.
Every read, write, share, and export logged with user, timestamp, and IP. HIPAA retention periods enforced.
All PHI processed and stored within United States infrastructure. No cross-border processing.
Email + password with optional MFA today. SAML / OIDC SSO available for enterprise tier.
Documented RPO/RTO targets. Detailed recovery procedures shared under NDA with covered entities.
MediClarity supports clinical decisions — it does not diagnose, treat, or prescribe. Aligned with FDA CDS guidance.
Documented procedures aligned with HIPAA breach notification rules. Covered entities notified per BAA terms.
Honesty here matters more than a feature list. If any of these are blockers for your procurement, tell us — we'll be straight with you about timelines.
We don't pull data directly from EHRs today. Data enters MediClarity via patient-initiated upload and connected consumer devices. Direct FHIR / HIE connectivity is on the roadmap.
We don't write data back to EHRs today. Summaries are generated as outputs to read or paste, not pushed into external systems.
We don't currently hold third-party security attestations. Additional certifications will be added as they're completed — and we'll add them to the at-a-glance grid above with a real auditor-supplied target date, not a marketing guess.
We're not a replacement for clinical chart review. MediClarity supports the clinician's review. The clinician remains the decision-maker.
For practices and enterprise reviews, we share the procurement pack via a single signed PDF + a private security-documentation page.
Standard BAA template ready to send. Customized terms available for enterprise contracts under separate negotiation.
Data flow diagrams, infrastructure topology, encryption boundaries, and the subprocessor list. The thing your CISO will actually read.
Detection, escalation, containment, notification, and post-incident review procedures aligned to HIPAA breach rules.
Most recent penetration test summary (when available) and current cyber-liability coverage. Updated as scans complete.
If you're a patient or caregiver using MediClarity directly, your records belong to you. Always.
Records, devices, sharing — every input is controlled at the account level by the patient or their designated caregiver.
Full timeline and source documents available for export in standard formats at any time, including after cancellation.
We don't sell your data. We don't share it with third parties for advertising. We don't use your records to train external models.
Documented deletion procedures aligned with HIPAA. You can request full account closure and removal at any time.
We share security documentation under NDA. Tell us who you are and what your procurement needs — we'll get you what you're looking for fast.