HIPAA Compliance

Conxmed is committed to protecting the privacy and security of Protected Health Information (PHI) in full compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Administrative Safeguards

Workforce training, access management policies, incident response procedures, and regular risk assessments to protect PHI.

Physical Safeguards

Cloud infrastructure hosted in SOC 2 Type II certified data centers with physical access controls and environmental protections.

Technical Safeguards

AES-256 encryption at rest, TLS 1.2+ in transit, row-level security, role-based access controls, and audit logging.

Breach Notification

Documented procedures for identifying, reporting, and mitigating breaches within required timeframes (60 days for affected individuals).

Our HIPAA Practices

Data Encryption

All PHI is encrypted both in transit using TLS 1.2 or higher and at rest using AES-256 encryption. DICOM medical images are stored in encrypted cloud storage with access restricted to authorized personnel only.

Access Controls

Conxmed enforces strict role-based access controls (RBAC). Each user role — patient, doctor, hospital staff, administrator — has precisely defined data access permissions enforced at the database level through Row-Level Security (RLS) policies:

  • Patients can only access their own cases, inquiries, and messages.
  • Doctors can only view cases assigned to them for review.
  • Hospital staff can access cases associated with their institution.
  • Administrators have platform-wide access for operational management, subject to audit logging.
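As an added illustration of how such per-role restrictions are expressed at the database level (this is example code, not Conxmed's actual schema or policies): Supabase runs on Postgres, whose Row-Level Security lets each role's visibility be encoded as a policy that the database applies to every query. The `cases` and `profiles` tables, their columns, and the policy names below are assumptions; `auth.uid()` is Supabase's function returning the calling user's id.

```sql
-- Illustrative Postgres/Supabase RLS policies (assumed schema, not Conxmed's).
-- Assumed tables:
--   profiles(user_id, role, hospital_id)   -- one row per platform user
--   cases(id, patient_id, assigned_doctor_id, hospital_id)
create table if not exists profiles (
  user_id     uuid primary key,
  role        text not null
              check (role in ('patient', 'doctor', 'hospital_staff', 'admin')),
  hospital_id uuid
);

create table if not exists cases (
  id                 uuid primary key default gen_random_uuid(),
  patient_id         uuid not null,
  assigned_doctor_id uuid,
  hospital_id        uuid
);

-- Deny by default: with RLS enabled and forced, no row is visible unless a
-- policy grants it (FORCE makes this apply even to the table owner).
alter table cases enable row level security;
alter table cases force row level security;

-- Patients: only their own cases.
create policy patient_own_cases on cases
  for select to authenticated
  using (patient_id = auth.uid());

-- Doctors: only cases assigned to them for review.
create policy doctor_assigned_cases on cases
  for select to authenticated
  using (assigned_doctor_id = auth.uid());

-- Hospital staff: cases associated with their institution.
create policy staff_institution_cases on cases
  for select to authenticated
  using (hospital_id = (select p.hospital_id from profiles p
                        where p.user_id = auth.uid()
                          and p.role = 'hospital_staff'));

-- Administrators: platform-wide read access. Audit logging of this access
-- is enforced separately (e.g. an insert trigger on cases or app-level log).
create policy admin_all_cases on cases
  for select to authenticated
  using (exists (select 1 from profiles p
                 where p.user_id = auth.uid() and p.role = 'admin'));
```

Postgres policies are permissive by default, so a row is visible if any one policy matches the caller; a practitioner verifying such a setup would connect as a test user of each role and confirm that `select count(*) from cases` returns only the rows that role should see.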

Audit Trail

All access to PHI is logged with timestamps, user identifiers, and action types. Audit logs are retained for a minimum of 6 years as required by HIPAA and are available for compliance review.

Business Associate Agreements (BAAs)

We maintain executed BAAs with all third-party service providers that may access PHI, including our cloud infrastructure provider (Supabase), file storage services, and any subcontractors involved in data processing.

Minimum Necessary Standard

Conxmed applies the minimum necessary standard to all PHI disclosures. Our AI triage and clinic matching features are designed to process only the specific data elements required for their function, without exposing full patient records.

Patient Rights

In accordance with HIPAA, patients have the right to:

  • Access and obtain copies of their PHI.
  • Request amendments to their health records.
  • Receive an accounting of disclosures of their PHI.
  • Request restrictions on certain uses and disclosures.
  • File a complaint if they believe their privacy rights have been violated.

Incident Response

We maintain a documented incident response plan for potential data breaches. In the event of a breach involving unsecured PHI:

  • Affected individuals are notified within 60 days.
  • The Department of Health and Human Services (HHS) is notified per regulatory requirements.
  • Corrective actions are implemented and documented.

Certifications & Standards

  • HIPAA Privacy Rule & Security Rule compliant
  • SOC 2 Type II certified infrastructure
  • DICOM 3.0 standard for medical imaging
  • ISO 27001 aligned information security practices

Contact Our Compliance Team

For HIPAA-related inquiries, to report a potential breach, or to exercise your patient rights: