Security and compliance

Mediyn’s security and compliance features give clinic administrators and therapists layered controls over authentication, access, data handling, and audit readiness. Administrators can enforce authentication policies, manage team access, and review compliance posture from dedicated Security and Compliance settings pages. Therapists and staff see only the data and actions relevant to their role.

  • Two-factor authentication (2FA / MFA): You can enable two-step verification from Settings → Security using any RFC 6238-compatible authenticator app (Google Authenticator, Authy, 1Password, and others) or SMS text message. After enrolling, you are prompted for a verification code on every sign-in. You can disable 2FA at any time by confirming your identity.
  • Clinic-wide MFA enforcement: Clinic administrators can require MFA for all staff from the Security settings page. Team members who have not yet enrolled are guided through setup before gaining access; no one, including administrators, can bypass this requirement.
  • MFA status visibility: The Security settings page shows whether MFA is enabled or disabled for your account immediately on sign-in. The Team page displays an accurate MFA On/Off indicator for each team member.
  • Single Sign-On (SSO) — Enterprise: Enterprise clinics and hospital systems can connect Mediyn to Okta, Azure AD, Google Workspace, or any SAML 2.0-compatible identity provider. Staff log in through your organisation’s existing SSO portal with no separate Mediyn password required. Administrators configure SSO, map user roles from IdP attributes, and enable automatic account creation from the Security settings page.
  • Face ID / biometric sign-in (iOS): Therapists can enable Face ID or other device biometrics for sign-in after completing an initial email and MFA login. The feature can be turned off at any time from the Settings screen.
  • Password reset: Clicking “Forgot password?” on the login screen and entering your email address sends a secure, time-limited reset link. After setting a new password, you are signed out of all active sessions.
  • Post-setup automatic sign-in: After completing account setup on mediyn.com, you are automatically signed in to the Mediyn dashboard without needing to log in again. If the sign-in link has expired, a clear message and a link to restart the process are shown.
  • Session invalidation on logout: Logging out immediately invalidates your session on all devices; previously issued tokens can no longer be used to access your account.
  • Automatic session timeout: Mediyn automatically ends your session after a period of inactivity, reducing the risk of unauthorised access on unattended devices.
  • Configurable session settings: Clinic administrators can configure inactivity timeout duration and the maximum session length before a user must sign in again. These controls are enforced server-side across all devices and clients.
  • Re-authentication guards: Administrators can manage re-authentication requirements from the Compliance settings page, specifying which high-risk actions — such as exporting records or deleting patients — require staff to re-enter their password before proceeding. Changes take effect immediately after saving.
  • Active session management: You can view all active login sessions from your account settings and terminate any session immediately.
  • IP allowlisting — Enterprise: Enterprise clinics can restrict platform logins to approved IP ranges or corporate VPN addresses using CIDR rules managed from the Security & Network settings page. Administrators can verify whether their current IP would pass before saving. A safety prompt is shown when the first rule is added to prevent accidental lockout.
  • Finance role: Clinic admins can invite team members to a Finance role, giving them access to billing and claims workflows without clinical permissions. Existing team members can also have their role updated to Finance through the team management interface. Finance team members count toward the practice’s seat limit.
  • Role-based data visibility: Therapists see only their own patients, sessions, schedule, and dashboard data. Admin-only settings, billing management actions, and patient assignment controls are not shown in the therapist interface. Clinic administrators retain full access to all features.
  • Correct role labels: Clinic administrators who also see patients are shown with the “Clinic Admin” role label in the team list rather than as a therapist. The label updates automatically; no action is required.
  • Admin 2FA reset: Clinic administrators can reset a team member’s 2FA enrollment directly from the team page if the member has lost access to their authenticator device. The admin must confirm their own password before the reset takes effect, and the action is logged in the clinic’s audit history. The affected user can then log in with their password and re-enrol at their convenience.
  • Security Controls summary: The Compliance settings page includes a Security Controls card summarising how Mediyn protects your data: encryption at rest and in transit, a full audit log of PHI access, role-based permissions, and automatic session timeout. Clinic administrators can reference this card during internal security reviews or onboarding audits.
  • Audit log and filtering: The audit trail correctly attributes actions to the user who performed them. You can filter audit events by time period — last 24 hours, 7 days, 30 days, or 90 days — as well as by actor, resource type, and date range. Audit logs are always retained for a minimum of 6 years regardless of other retention settings.
  • Data retention configuration: Clinic administrators can configure how long Mediyn retains session records and recordings, choosing from 1 year, 3 years, 7 years, or indefinite retention. A scheduled process automatically archives data older than the chosen threshold.
  • PHI masking and redaction policies: The Compliance settings page displays your practice’s actual PHI masking and redaction policies rather than placeholder values.
  • Access recertification campaigns: Clinic administrators can initiate an access recertification campaign from the Compliance settings page using the “Start Campaign” button, setting a campaign name and due date. New campaigns appear immediately in the list so review progress can be tracked. Campaign status is visible directly from the Compliance settings page.
  • BAA and legal documents: Mediyn’s website includes a Privacy Policy, Terms of Service, and HIPAA Business Associate Agreement, all accessible from the footer. Practices can review and accept the BAA directly on the platform before sharing any protected health information. A direct link to request a BAA is also available from the Compliance settings page.
  • Patient data export: Therapists and clinic administrators can generate a full export of a patient’s data — including profile information, session history, intake responses, consents, worksheets, assessments, and billing records — as a downloadable ZIP file. Exports are processed in the background, with a status indicator showing when the file is ready. AI-generated summaries and session notes are excluded by default and must be explicitly included when requesting the export.
  • Document access isolation: Patients accessing the document section of the portal see only documents linked to their own record or sessions. Attempts to access another patient’s document, including via a direct download link, are denied.
  • File upload limits: Mediyn enforces a 50 MB maximum file size and restricts document uploads to PDFs, common images, Microsoft Office files, and plain text. Attempts to upload files outside these limits receive a clear error explaining the reason and the allowed options. These limits apply to all document uploads across the platform.
  • Duplicate patient prevention: When adding a new patient, if another patient with the same email address already exists in your clinic, a clear error message is shown rather than creating a duplicate record.
  • Patient consent withdrawal: Patients can withdraw their HIPAA authorisation, telehealth consent, and marketing consent directly from the patient portal. When a consent is withdrawn, the therapist and, where applicable, clinic administrators receive a notification. Withdrawal of the core treatment consent still requires coordination with the therapist to ensure a safe care transition.
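The session controls listed above (logout invalidating every device, automatic inactivity timeout, an administrator-configured maximum session length, and per-session termination) all rely on the server, not the client, being the authority on whether a session is still alive. The following is an added example, not Mediyn's code, of how such a server-side session store enforces those rules; the timeout values, the in-memory store, and the `SessionStore` API are this example's own assumptions.

```python
"""Server-side session policy enforcement.

Added example, not Mediyn's code: an idle timeout, an absolute session
lifetime, per-session termination and logout-all are enforced from a
server-side session store, so a client holding an old token gets nothing.
The timeout values and the in-memory store are assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SessionPolicy:
    idle_timeout_s: int = 15 * 60       # assumed: end session after 15 min without activity
    max_lifetime_s: int = 8 * 60 * 60   # assumed: force re-login after 8 h regardless of activity


@dataclass
class Session:
    user_id: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Authoritative record of sessions; clients only hold an opaque token."""

    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; carries no user data
        self._sessions[token] = Session(user_id, issued_at=now, last_seen=now)
        return token

    def _is_live(self, s: Session, now: float) -> bool:
        """Check both limits without counting the check itself as activity."""
        if s.revoked:
            return False
        if (now - s.issued_at > self.policy.max_lifetime_s
                or now - s.last_seen > self.policy.idle_timeout_s):
            s.revoked = True  # expiry is permanent; a later request cannot revive it
            return False
        return True

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a live session, else None.
        Activity extends the idle window but never the absolute lifetime."""
        s = self._sessions.get(token)
        if s is None or not self._is_live(s, now):
            return None
        s.last_seen = now
        return s.user_id

    def terminate(self, token: str) -> bool:
        """Terminate one session (the 'active session management' control)."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return False
        s.revoked = True
        return True

    def logout_all(self, user_id: str) -> int:
        """Logout invalidates every session of the user on every device."""
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                count += 1
        return count

    def active_tokens(self, user_id: str, now: float) -> List[str]:
        """Sessions the user could still use right now, for the sessions page."""
        return [t for t, s in self._sessions.items()
                if s.user_id == user_id and self._is_live(s, now)]


if __name__ == "__main__":
    store = SessionStore(SessionPolicy())
    now = time.time()
    tok = store.create("therapist-1", now)
    print("valid now:", store.validate(tok, now))
    print("after 16 min idle:", store.validate(tok, now + 16 * 60))
    print("sessions ended by logout:", store.logout_all("therapist-1"))
```

Because expiry is recorded by revoking the stored session rather than by trusting a timestamp inside the token, a request that arrives after the idle window has closed cannot reopen it, and `logout_all` needs no cooperation from the other devices.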
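The IP allowlisting entry above describes two safeguards worth seeing in code: checking whether the administrator's own current address would pass before the rules are saved, and prompting when the first rule is added, since that is the moment restriction switches on for the whole clinic. The following is an added example, not Mediyn's code, of a CIDR allowlist evaluator with that lockout guard; the rule strings, addresses and result dictionary are constructed for illustration.

```python
"""IP allowlist evaluation with a lockout guard.

Added example, not Mediyn's code: evaluates a login source address against
CIDR rules and refuses to save a rule set that the administrator's own
current address would not pass. Rule strings, addresses and the result shape
are constructed for illustration; an empty rule set means 'no restriction'.
"""
import ipaddress
from typing import Dict, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_rules(rules: Sequence[str]) -> List[Network]:
    """Parse CIDR strings; a bare address becomes a /32 or /128 rule.
    Raises ValueError on malformed input so bad rules never reach the store."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in rules]


def ip_allowed(ip: str, networks: Sequence[Network]) -> bool:
    """Login is allowed when no rules exist (feature off) or any rule matches.
    A v4 address never matches a v6 network and vice versa."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def evaluate_allowlist_change(new_rules: Sequence[str], admin_ip: str,
                              existing_rules: Sequence[str] = ()) -> Dict[str, object]:
    """Pre-save check of a proposed rule set.
    'accept' is False when a rule is malformed or the administrator's current
    address would be blocked; 'first_rule' flags the case that needs a prompt."""
    errors: List[str] = []
    networks: List[Network] = []
    for r in new_rules:
        try:
            networks.append(ipaddress.ip_network(r.strip(), strict=False))
        except ValueError:
            errors.append(f"invalid CIDR rule: {r!r}")
    try:
        admin_passes = not errors and ip_allowed(admin_ip, networks)
    except ValueError:
        errors.append(f"invalid administrator address: {admin_ip!r}")
        admin_passes = False
    first_rule = len(existing_rules) == 0 and len(networks) > 0
    warnings: List[str] = []
    if first_rule:
        warnings.append("adding the first rule turns allowlisting on for the whole clinic")
    if not errors and not admin_passes:
        errors.append(f"your current address {admin_ip} would be blocked by these rules")
    return {
        "accept": not errors,
        "admin_would_pass": admin_passes,
        "first_rule": first_rule,
        "warnings": warnings,
        "errors": errors,
    }


if __name__ == "__main__":
    # constructed values: documentation ranges, not real clinic addresses
    print(evaluate_allowlist_change(["203.0.113.0/24"], admin_ip="203.0.113.10"))
    print(evaluate_allowlist_change(["203.0.113.0/24"], admin_ip="198.51.100.5"))
```

The lockout guard is only as good as the address it is given: the `admin_ip` passed in must be the address the server actually observed for the request (after any trusted proxy handling), not a value supplied by the browser, or the pre-save check will agree with rules that then block the administrator.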
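The file upload limits entry above states a 50 MB cap and an allowlist of document categories (PDF, common images, Microsoft Office files, plain text) with an error that explains the reason and the allowed options. The following is an added example, not Mediyn's code, of a validator that enforces both; the specific extension list and the leading-byte signatures it checks are this example's assumptions, chosen so that a file whose extension is allowed but whose content is something else is still rejected.

```python
"""Upload validation: size cap and an allowlist of document types.

Added example, not Mediyn's code: enforces the 50 MB limit and the allowed
categories named on the page by checking the extension *and* the file's
leading bytes. The exact extension list and signatures are assumptions.
"""
import os
from typing import Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # 50 MB, the limit stated on the page

_OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
_ZIP = b"PK\x03\x04"                          # .docx/.xlsx/.pptx are ZIP containers

# extension -> accepted leading byte sequences; None means plain text (checked by decoding)
ALLOWED_TYPES: Dict[str, Optional[Tuple[bytes, ...]]] = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (_ZIP,), ".xlsx": (_ZIP,), ".pptx": (_ZIP,),
    ".doc": (_OLE2,), ".xls": (_OLE2,), ".ppt": (_OLE2,),
    ".txt": None,
}


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, message). The message names the reason and, for a
    type rejection, the allowed options, as the page's error does."""
    allowed = ", ".join(sorted(ALLOWED_TYPES))
    # basename first so a directory component cannot influence the decision
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    if ext not in ALLOWED_TYPES:
        return False, f"file type '{ext or '(none)'}' is not allowed; allowed types: {allowed}"
    if len(data) > max_bytes:
        return False, f"file is {len(data)} bytes; the maximum is {max_bytes} bytes"
    if not data:
        return False, "file is empty"
    signatures = ALLOWED_TYPES[ext]
    if signatures is None:
        # plain text: must decode as UTF-8 and contain no NUL bytes
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "file is not valid UTF-8 text"
        if "\x00" in text:
            return False, "file contains binary data; only plain text is allowed for .txt"
        return True, "ok"
    if not any(data.startswith(sig) for sig in signatures):
        return False, f"file content does not match a {ext} file"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample inputs
    print(validate_upload("intake.pdf", b"%PDF-1.7\n%constructed sample"))
    print(validate_upload("renamed.pdf", b"MZ\x90\x00"))   # executable header, .pdf name
    print(validate_upload("tool.exe", b"MZ\x90\x00"))
```

In a real upload path the size check should run on the declared length and again while streaming the body, so the cap is enforced before the whole file is buffered; the signature check then only needs the first few bytes.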