Security and compliance claims as published on mediyn.com
HIPAA Compliance
Site path: /security
Mediyn claims to have been designed from the ground up for HIPAA compliance, with administrative, technical, and physical safeguards built into the platform architecture.
Capabilities:
- BAA included with every plan at no extra cost
- Administrative, technical, and physical safeguards built in
- <1hr incident detection, <24hr breach notification
- Quarterly penetration testing by independent firms
- Bug bounty program for responsible disclosure
The page also displays the following trust badges: HIPAA Compliant, BAA Included, 256-bit AES Encryption, SOC 2 Type II, MFA Enabled.
The metrics bar states that 18 HIPAA safeguard categories are covered.
Regulatory Compliance
Site path: /security
Beyond HIPAA, the site claims Mediyn addresses the No Surprises Act (Good Faith Estimates for self-pay patients since January 2022), state telehealth licensing requirements, and recording consent laws that vary by jurisdiction. Compliance is described as built into the workflow.
Capabilities:
- No Surprises Act: GFE generation, delivery, and acknowledgment
- Telehealth recording consent captured per-session
- State licensing reminders for cross-state sessions
- Consent tracking with e-signature audit trail
- All compliance events logged immutably
On-Device PHI Redaction
Site path: /security
The site claims that raw audio from therapy sessions is processed locally on the clinician’s device. Names, phone numbers, addresses, and dates of birth are stripped before anything leaves the device. The cloud only ever sees de-identified audio. The site states that other platforms send raw session recordings to their servers for processing, and that Mediyn does not.
Capabilities:
- On-device PHI redaction
- Raw audio processed locally — never uploaded
- Names, DOB, addresses stripped before transmission
- Cloud only sees de-identified audio and text
- Works on iOS and web — same guarantees
De-Identification Engine
Site path: /security
The site claims a de-identification engine detects and removes names, phone numbers, addresses, dates of birth, and other identifying information from clinical artifacts before documentation is finalized or stored. Configurable redaction policies offer Standard and Strict modes. Every redaction event is logged.
Capabilities:
- Detects and removes names, phone numbers, addresses, and DOB
- Configurable redaction policies: Standard and Strict modes
- De-identification reports for every processed artifact
- Redaction audit events logged immutably
- Applied before documentation is finalized or stored
PHI Masking
Site path: /security
The site claims PHI masking is role-scoped and enforced server-side, not through CSS or front-end techniques. Accessing sensitive fields requires re-authentication.
Capabilities:
- Role-scoped masking based on access level
- Server-side enforcement — not front-end hiding
- Re-authentication for sensitive field access
- Configurable masking rules per tenant
- Full audit trail for every unmasking event
Immutable Audit Trail
Site path: /security
The site claims every clinical action in Mediyn is recorded in an immutable audit log capturing who did what, when, and to which record. The log cannot be modified or deleted by anyone, including system administrators.
Capabilities:
- Immutable log of all clinical and administrative actions
- Records actor, action, target, and timestamp
- Queryable and exportable for compliance reviews
- Cannot be modified or deleted by any user or admin
- Supports HIPAA audit requirements out of the box
- 7-year log retention for compliance and forensic review
The metrics bar also states “7-Year” audit retention and “<1 Hour” incident response.
Authentication and Access Control
Site path: /security
The site claims MFA via TOTP or SMS is enforced at the tenant level. Trusted device management limits logins to recognized hardware. Role-based access control ensures therapists only see their own patients.
Capabilities:
- MFA (TOTP and SMS) enforced at tenant level
- Trusted device management with remote revocation
- Token rotation and automatic session lockout
- Role-based access: therapist, admin, patient
- Brute-force protection and rate limiting
Encryption
Site path: /security
The site claims all data in transit is protected by TLS 1.3, data at rest is encrypted with AES-256, and encryption keys are managed through Hardware Security Modules (HSMs). Keys are described as generated, stored, and rotated in tamper-resistant hardware that never exposes raw key material to software.
Capabilities:
- TLS 1.3 for all data in transit
- AES-256 encryption for all data at rest
- HSM-managed keys — tamper-resistant hardware
- Automatic key rotation on configurable schedule
- On-device encryption before network transmission
The metrics bar states “AES-256” encryption with HSM keys.
Malware Scanning
Site path: /security
The site claims every file uploaded to Mediyn is quarantined and scanned for malware before it becomes accessible. Infected files are rejected and logged.
Capabilities:
- Automatic malware scanning on every upload
- Files quarantined until scan completes
- Infected files rejected and logged
- Scan results recorded in audit trail
- Zero-trust approach to user-uploaded content
Access Recertification
Site path: /security
The site claims scheduled access recertification campaigns let administrators review who has access to what, confirm or revoke permissions, and maintain a clean access posture.
Capabilities:
- Scheduled recertification campaigns
- Review and confirm or revoke user permissions
- Audit-ready recertification reports
- Automated reminders for pending reviews
- Supports compliance frameworks requiring periodic access reviews
Security Policies (Tenant-Level Configuration)
Site path: /security
The site claims every security control in Mediyn is configurable per tenant, including MFA enforcement, session timeout duration, password complexity requirements, and PHI masking rules.
Capabilities:
- MFA enforcement policy (required, optional, or role-based)
- Configurable session timeout duration
- Password complexity requirements
- Device management and trusted device policies
- PHI masking rules configurable per role and data type
Defense-in-Depth Architecture
Site path: /security
The site describes a layered security architecture with five independently audited, independently encrypted, and independently configurable layers.
- Layer 01 — On Device: PHI stripped locally
- Layer 02 — In Transit: TLS 1.3 encrypted
- Layer 03 — At Rest: AES-256 + HSM keys
- Layer 04 — Access: MFA + RBAC + masking
- Layer 05 — Audit: Immutable, 7 years
The site states: “Every layer is independently audited, independently encrypted, and independently configurable.”
SOC 2 Type II
Site path: /security
The trust badge display on /security lists “SOC 2 Type II” as one of five trust badges shown on the page. The /privacy-first page additionally states “SOC 2 Type II certified infrastructure and security controls” as a compliance claim in its checklist.