
HIPAA Compliance

MedRef is committed to maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) and supporting our customers' compliance requirements.

Important Note About PHI

MedRef provides access to public healthcare reference data (codes, descriptions, fee schedules, provider directories). Our API is designed for reference data lookup and does not process, store, or transmit Protected Health Information (PHI) or patient data.

Because we do not handle PHI, MedRef is typically not classified as a Business Associate under HIPAA. However, we maintain HIPAA-compliant practices and offer BAAs to enterprise customers who require them.

Security Safeguards

We implement administrative, physical, and technical safeguards aligned with HIPAA Security Rule requirements.

Administrative Safeguards

  • Designated Privacy and Security Officers
  • Workforce security training and awareness programs
  • Access management and authorization policies
  • Incident response and breach notification procedures
  • Regular risk assessments and security audits

Physical Safeguards

  • SOC 2 Type II certified data centers
  • Physical access controls and monitoring
  • Environmental controls and disaster recovery
  • Secure equipment disposal procedures

Technical Safeguards

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Unique user identification and authentication
  • Automatic session timeouts and lockouts
  • Audit logging of all system access

Business Associate Agreements

For enterprise customers who require a Business Associate Agreement (BAA) as part of their compliance program, MedRef offers BAAs that cover our API services.

A BAA is included with all Enterprise plans and available as an add-on for Business plans. The BAA covers:

  • Permitted uses and disclosures of PHI
  • Required safeguards for protecting PHI
  • Breach notification obligations
  • Subcontractor requirements
  • Return or destruction of PHI upon termination

Compliance Documentation

Enterprise customers can request our SOC 2 Type II report, penetration test results, and security questionnaire responses.


Compliance Questions

Our compliance team is available to answer questions and support your HIPAA compliance requirements.

compliance@medref.io

Need a BAA for your organization?

Contact our sales team to discuss your compliance requirements and get a BAA in place.
