Your patients' words. Your device. Our obsession.
Patent-pending on-device PHI redaction. HIPAA compliance. Immutable audit trails. De-identification engine. Encryption at every layer. Mediyn doesn't treat security as a feature — it's the foundation everything else is built on.
HIPAA compliance is the starting point. Not the destination.
Mediyn was designed from the ground up for HIPAA compliance. Every plan includes a Business Associate Agreement (BAA). Administrative, technical, and physical safeguards are built into the platform architecture — not bolted on after the fact.
- Business Associate Agreement (BAA) included with every plan
- Administrative safeguards: workforce training, access management, incident response
- Technical safeguards: encryption, audit controls, access controls, transmission security
- Physical safeguards: facility access controls, workstation security, device and media controls
- Ongoing compliance monitoring and annual risk assessments
Session recordings never leave your device unencrypted.
Raw audio from therapy sessions is processed locally on the clinician’s device. Transcripts are de-identified before transmission. The attack surface is reduced by design — sensitive data stays where it belongs. An encrypted fallback is available when on-device processing is not supported.
- Patent-pending on-device PHI redaction
- Raw audio processed locally — never uploaded
- Transcripts de-identified before any server transmission
- Minimized attack surface by eliminating cloud-side PHI exposure
- Encrypted fallback for unsupported device configurations
Patient identifiers are removed before documentation exists.
The de-identification engine detects and removes names, phone numbers, addresses, dates of birth, and other identifying information from clinical artifacts. Configurable redaction policies let clinicians choose between Standard and Strict modes. Every redaction event is logged.
- Detects and removes names, phone numbers, addresses, and DOB
- Configurable redaction policies: Standard and Strict modes
- De-identification reports for every processed artifact
- Redaction audit events logged immutably
- Applied before documentation is finalized or stored
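To make the redact-then-log flow concrete, here is an added illustration written for this page; it is not Mediyn's patent-pending engine and makes no claim about how that engine detects identifiers. The regex detectors, the Standard/Strict rule ordering and the sample transcript are all constructed assumptions. The point worth noticing is that the redaction log records only the category and the character span, never the PHI value itself, so the log can sit in an audit trail without becoming a second copy of the data it was meant to remove.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample transcript fragment containing several PHI types.
SAMPLE_TRANSCRIPT = (
    "Session with John Smith on 03/14/2024. Patient DOB 07/22/1985. "
    "Callback number 555-123-4567, lives at 42 Elm Street. "
    "Reports better sleep since last visit."
)

# Hypothetical detectors. A production engine would use NER models and
# dictionaries; these regexes only illustrate the redact-and-log flow.
# A capturing group marks the part to redact when context is needed (DOB).
PATTERNS = {
    "NAME": re.compile(r"\bJohn Smith\b"),  # constructed stand-in for a name detector
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ADDRESS": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:Street|Avenue|Road|Lane)\b"),
    "DOB": re.compile(r"\bDOB\s+(\d{2}/\d{2}/\d{4})\b"),
    "DATE": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}

# Constructed policy: Standard removes direct identifiers and dates of birth;
# Strict also removes every other date. Order matters so DOB wins over DATE.
MODES = {
    "standard": ["NAME", "PHONE", "ADDRESS", "DOB"],
    "strict": ["NAME", "PHONE", "ADDRESS", "DOB", "DATE"],
}


@dataclass
class RedactionEvent:
    category: str
    start: int  # offsets into the original text; the PHI value itself is never logged
    end: int


@dataclass
class RedactionResult:
    text: str
    events: list[RedactionEvent] = field(default_factory=list)


def deidentify(text: str, mode: str = "standard") -> RedactionResult:
    """Redact PHI according to `mode`; return the text plus a value-free redaction log."""
    events: list[RedactionEvent] = []
    for category in MODES[mode]:
        for m in PATTERNS[category].finditer(text):
            start, end = m.span(1) if m.lastindex else m.span()
            # Skip spans already claimed by a higher-priority rule.
            if any(start < e.end and end > e.start for e in events):
                continue
            events.append(RedactionEvent(category, start, end))
    # Apply replacements right-to-left so earlier offsets stay valid.
    out = text
    for ev in sorted(events, key=lambda e: e.start, reverse=True):
        out = out[:ev.start] + f"[{ev.category}]" + out[ev.end:]
    return RedactionResult(out, sorted(events, key=lambda e: e.start))


def report(result: RedactionResult) -> dict[str, int]:
    """Per-artifact de-identification report: counts per category, no values."""
    counts: dict[str, int] = {}
    for ev in result.events:
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


if __name__ == "__main__":
    for mode in MODES:
        r = deidentify(SAMPLE_TRANSCRIPT, mode)
        print(mode, report(r))
        print(r.text)
```

Running it shows the difference between the two modes on the same input: Standard leaves the session date in place and removes the date of birth, Strict removes both. A real detector will miss things a regex cannot see (nicknames, free-text relatives, rare identifiers), which is why a per-artifact report and a human review step belong next to any automated engine.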
Every action. Every actor. Every timestamp. Permanent.
Every clinical action in Mediyn is recorded in an immutable audit log. Who did what, when, and to which record. The log is queryable, exportable, and cannot be modified or deleted by anyone — including system administrators.
- Immutable log of all clinical and administrative actions
- Records actor, action, target, and timestamp
- Queryable and exportable for compliance reviews
- Cannot be modified or deleted by any user or admin
- Supports HIPAA audit requirements out of the box
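One well-known way to make an audit log tamper-evident is to hash-chain it, so that every entry commits to the one before it. The following is an added example for this page, not Mediyn's implementation, and the actors, targets and timestamps are constructed. It shows what a chain does and does not catch: editing or deleting an entry in the middle breaks the chain, but deleting the newest entries does not, unless the head hash is also recorded somewhere the log writer cannot reach.

```python
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" used for the very first entry


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the entry before it.

    `entries` is a plain list here so the example can be inspected; in a real
    system it would live in write-once storage with the head hash anchored
    outside the application's reach.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, target: str, timestamp: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"actor": actor, "action": action, "target": target, "timestamp": timestamp}
        entry["hash"] = _entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: str | None = None) -> int | None:
        """Return None if intact, else the index of the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if _entry_hash(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)  # chain is internally fine but the tail was truncated
        return None

    def query(self, actor: str | None = None, target: str | None = None) -> list[dict]:
        return [
            e for e in self.entries
            if (actor is None or e["actor"] == actor) and (target is None or e["target"] == target)
        ]

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


if __name__ == "__main__":
    log = AuditLog()
    log.append("dr.lee", "view", "record:1001", "2024-03-14T10:00:00Z")  # constructed entries
    log.append("admin", "export", "record:1001", "2024-03-14T10:05:00Z")
    print("intact:", log.verify(log.head()) is None)
    print(log.export())
```

The `expected_head` parameter is the important caveat: a chain by itself proves that nothing in the middle changed, not that the end is complete. Periodically writing the head hash to an external system (or a separate tenant-inaccessible store) is what turns "tamper-evident" into something a compliance reviewer can rely on.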
Not everyone sees everything.
PHI masking is role-scoped. Staff members only see the data their role requires. Masking is enforced server-side — not through CSS or front-end tricks. Accessing sensitive fields requires re-authentication, ensuring that even authorized users confirm their identity before viewing PHI.
- Role-scoped PHI masking based on access level
- Server-side enforcement — not CSS or front-end hiding
- Re-authentication required for sensitive field access
- Configurable masking rules per tenant
- Full audit trail for every unmasking event
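The claim that masking is enforced server-side rather than in the front end is easiest to see in code. The example below is added for this page and is not Mediyn's code; the role policy, the sensitive-field set, the five-minute re-authentication window and the sample record are constructed. Fields outside a role are never serialized at all, sensitive fields a role is allowed to see are masked unless explicitly requested, and every unmask requires a recent authentication and produces an audit event.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Iterable

# Constructed tenant policy: which fields each role may ever receive.
ROLE_FIELDS = {
    "clinician": {"patient_name", "dob", "phone", "session_notes"},
    "billing": {"patient_name", "dob", "phone"},
    "scheduler": {"patient_name", "phone"},
}
# Fields masked by default even for permitted roles; unmasking needs fresh auth.
SENSITIVE = {"dob", "phone", "session_notes"}
REAUTH_WINDOW_SECONDS = 300  # constructed policy value
MASK = "***"

# Constructed sample record.
RECORD = {
    "patient_name": "Jane Doe",
    "dob": "1985-07-22",
    "phone": "555-123-4567",
    "session_notes": "Discussed sleep hygiene.",
}


@dataclass
class Session:
    user: str
    role: str
    last_auth: float  # epoch seconds of the most recent password/MFA confirmation


def view_record(session: Session, record: dict, reveal: Iterable[str] = (), now: float | None = None):
    """Return (response, unmask_events). Masking happens here, before data leaves the server."""
    now = time.time() if now is None else now
    reveal = set(reveal)
    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:
        raise PermissionError(f"unknown role {session.role!r}")
    forbidden = reveal - allowed
    if forbidden:
        raise PermissionError(f"role {session.role!r} may not access {sorted(forbidden)}")
    if reveal and now - session.last_auth > REAUTH_WINDOW_SECONDS:
        raise PermissionError("re-authentication required before unmasking PHI")

    response, events = {}, []
    for name, value in record.items():
        if name not in allowed:
            continue  # not sent at all, not even in masked form
        if name in SENSITIVE and name not in reveal:
            response[name] = MASK
            continue
        response[name] = value
        if name in SENSITIVE:
            events.append({"actor": session.user, "action": "unmask", "target": name, "timestamp": now})
    return response, events


if __name__ == "__main__":
    scheduler = Session("s.kim", "scheduler", last_auth=1000.0)
    print(view_record(scheduler, RECORD, now=1100.0))
    billing = Session("b.ortiz", "billing", last_auth=1000.0)
    print(view_record(billing, RECORD, reveal={"phone"}, now=1100.0))
```

Because the response is built on the server from the role policy, a client that removes a CSS class or edits the DOM gains nothing: the masked value is the only value it ever received.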
Multi-layered access protection.
Mediyn enforces multi-factor authentication (MFA) via TOTP and SMS. Trusted device management limits logins to recognized hardware. Session security includes configurable timeouts and automatic lockout. Role-based access control (RBAC) ensures every user only accesses what they need.
- Multi-factor authentication (TOTP and SMS)
- Trusted device management
- Configurable session timeouts and automatic lockout
- Role-based access control (RBAC)
- Brute-force protection and account lockout policies
Encrypted everywhere.
All data in transit is protected by TLS 1.3. Data at rest is encrypted with AES-256. On-device encryption protects recordings before any network activity. File access uses signed URLs with expiration — no permanent links to sensitive content.
- TLS 1.3 for all data in transit
- AES-256 encryption for all data at rest
- On-device encryption before network transmission
- Signed URLs with expiration for file access
- No permanent links to sensitive content
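Signed URLs with an expiry are a standard pattern, and the example below, added for this page rather than taken from Mediyn, shows the two checks a verifier has to make and the order that matters. The signing key, path and timestamps are constructed. The HMAC is bound to both the path and the expiry so that neither can be altered independently, the comparison is constant-time, and an expired-but-valid link is distinguished from a forged one so the two cases can be logged differently.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment keeps this in a secrets manager and rotates it.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the path and the expiry so neither can change alone.
    return hmac.new(key, f"{path}\n{expires}".encode("utf-8"), hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: float | None = None, key: bytes = SIGNING_KEY) -> str:
    """Return `path?expires=...&sig=...` valid for `ttl_seconds` from `now`."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires, key)})}"


def verify_url(url: str, now: float | None = None, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Return (ok, reason). Signature is checked before expiry so a forged link is never 'expired'."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(_mac(parsed.path, expires, key), sig):
        return False, "bad-signature"
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now"
    url = sign_url("/files/recording-42.enc", 300, now=t0)
    print(url)
    print(verify_url(url, now=t0 + 100))   # (True, 'ok')
    print(verify_url(url, now=t0 + 301))   # (False, 'expired')
```

Short TTLs are what make "no permanent links" true in practice: a link that leaks from a browser history or a support ticket is worthless after the window closes, and because the key never leaves the server nobody can mint a fresh one.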
Every uploaded file is scanned.
Every file uploaded to Mediyn is quarantined and scanned for malware before it becomes accessible. Infected files are rejected and logged. No uploaded content reaches the platform without passing the scan.
- Automatic malware scanning on every upload
- Files quarantined until scan completes
- Infected files rejected and logged
- Scan results recorded in audit trail
- Zero-trust approach to user-uploaded content
Periodic access reviews. Built in.
Mediyn supports scheduled access recertification campaigns. Administrators can review who has access to what, confirm or revoke permissions, and maintain a clean access posture — all without leaving the platform.
- Scheduled recertification campaigns
- Review and confirm or revoke user permissions
- Audit-ready recertification reports
- Automated reminders for pending reviews
- Supports compliance frameworks requiring periodic access reviews
Configurable at the tenant level.
Every security control in Mediyn is configurable per tenant. MFA enforcement, session timeout duration, password complexity requirements, device management policies, and PHI masking rules — all adjustable to match your organization’s security posture.
- MFA enforcement policy (required, optional, or role-based)
- Configurable session timeout duration
- Password complexity requirements
- Device management and trusted device policies
- PHI masking rules configurable per role and data type
Security questions? We have answers.
Contact our team for a detailed security review, custom BAA requirements, or compliance documentation.