Security & Privacy – Med Pilot

Security & Privacy

Last Updated: 21 April 2025

At MedPilot, we prioritize the security of your data and the privacy of your patients. Our platform is designed to meet stringent healthcare regulations, including HIPAA, GDPR, and HITRUST. Below, we outline our commitments and practices to safeguard your information.

1. Data Protection

Encryption

In Transit: All data transmitted between your devices and MedPilot is encrypted using TLS 1.3 (256-bit AES).
At Rest: Patient records, billing data, and communications are encrypted using AES-256 encryption.

Access Controls

Role-Based Permissions: Granular user roles (e.g., physician, nurse, billing staff) restrict access to sensitive data.
Multi-Factor Authentication (MFA): Required for all administrative accounts.
Audit Logs: Track user activity, logins, and data modifications in real time.

Infrastructure Security

Cloud Hosting: Data is stored in SOC 2 Type II and ISO 27001-certified AWS data centers.
Network Security: Firewalls, intrusion detection systems (IDS), and regular penetration testing.
Vulnerability Management: Automated scans and manual code reviews to address risks proactively.

2. Compliance & Certifications

Regulatory Adherence

HIPAA: Fully compliant with the Health Insurance Portability and Accountability Act.
GDPR: Compliant with EU General Data Protection Regulation (for international users).
HITRUST CSF: Certified for risk management and data protection.

Third-Party Audits

Annual audits by independent firms validate our security controls.
SOC 2 Type II reports available under NDA for enterprise customers.

3. Privacy Practices

Data Ownership

Your Data Belongs to You: Patients’ Protected Health Information (PHI) and practice data are owned solely by your organization.
No Third-Party Sharing: We never sell or share PHI with advertisers, insurers, or other third parties without explicit consent.

Data Minimization

Collect only essential data required to deliver the Service (e.g., patient demographics, treatment records).

Breach Notification

In the unlikely event of a data breach, we will notify affected users within 72 hours and collaborate to mitigate risks.

4. Subprocessors & Vendors

We partner with trusted, compliant vendors to deliver our services:

Hosting: Amazon Web Services (AWS)
Authentication: Auth0 (MFA/SSO)
Telehealth: (HIPAA-compliant video API)
Payments: SSL Comerz (PCI-DSS Level 1 certified)
Communications: Twilio, SSL Comerz (encrypted SMS/email)

All subprocessors undergo rigorous security assessments and comply with our data protection standards.

5. User Responsibilities

Patient Consent: Ensure patients consent to telehealth visits and data sharing as required by law.
Secure Practices: Use strong passwords, enable MFA, and restrict access to authorized personnel.
Training: Train staff on HIPAA compliance and MedPilot’s security features.

6. Data Retention & Deletion

Retention: PHI is retained as long as your account is active.
Deletion: Upon account termination, data is securely erased from our systems within 30 days.
Export: Download patient records in standard formats (e.g., PDF, CCDA) anytime.

7. Incident Response

24/7 Monitoring: Security team actively monitors for threats.
Response Protocol: Includes containment, investigation, notification, and remediation.
Transparency: Post-incident reports provided to affected users.

FAQ

🔒 How is my data stored?

All data is encrypted and stored in AWS data centers located in the U.S. [or specify regions].

👩⚕️ Who can access patient data?

Only authorized users in your practice with role-based permissions. MedPilot personnel access data only for support purposes under strict confidentiality agreements.

📜 Can I audit MedPilot’s security practices?

Enterprise customers may request SOC 2 reports or schedule a security review with our team.

🌍 Is MedPilot compliant with [specific law, e.g., PIPEDA]?

Contact us at support@medpilot.app to confirm compliance with your local regulations.

Contact Us

For security inquiries, breach reports, or compliance questions:

Security Team: security@medpilot.app
Data Protection Officer (DPO): dpo@medpilot.app
Phone: [Insert Security Hotline Number]

To Report a Vulnerability:
Email security@medpilot.app with details. We reward ethical disclosures through our bug bounty program.

Trusted by thousands of healthcare providers worldwide.
MedPilot is committed to advancing secure, ethical healthcare technology.