Security & Compliance

Built for Healthcare Security

MedConvo is designed from the ground up to meet the strict security and privacy requirements of healthcare organizations handling Protected Health Information (PHI).

HIPAA Compliance

MedConvo follows HIPAA compliance guidelines and security best practices to protect Protected Health Information (PHI). Our platform implements the technical, administrative, and physical safeguards required under the HIPAA Security Rule.

  • Encryption of PHI at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls and audit logging
  • Automatic session timeouts and secure authentication
  • No audio recordings stored — audio is discarded immediately after processing
  • Patient data is never sold, shared, or used for AI training without consent

Business Associate Agreement (BAA)

As a Business Associate under HIPAA, MedConvo is prepared to sign a Business Associate Agreement (BAA) with covered entities and other business associates that require one. A BAA is available on Solo Practice and Group Practice plans.

To request a BAA or learn more about our compliance documentation, contact us at [email protected].

Data Security Practices

  • All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • PHI stored at rest is encrypted using AES-256
  • Audio recordings are processed in real time and immediately discarded — we do not store or retain any audio
  • Access to patient data is restricted to authorized personnel only, with full audit trails
  • Subprocessors and infrastructure providers are carefully vetted for HIPAA compliance
  • Regular security reviews and vulnerability assessments

SOC 2 Certification (In Progress)

MedConvo is actively working towards SOC 2 Type II certification. We are implementing the controls and processes required for formal audit and certification. If your organization requires SOC 2 documentation as part of your vendor assessment, please contact us to discuss our current security posture and timeline.

Have Security or Compliance Questions?

Our team is happy to answer questions about our security practices, provide compliance documentation, or discuss BAA requirements for your organization.