Privacy and Security

MedPilot is committed to helping our clients and partners remain fully compliant with the requirements of HIPAA, PCI, and the TCPA regulations.  We ensure the highest standards of integrity and best practices to maintain confidentiality regarding patient data.

100% HIPAA Compliance

Innovation in healthcare requires trust.  Assuring the privacy and security of your patients' data is at the core of our mission.

MedPilot is fully compliant with the HIPAA/HITECH regulations, as updated by the Omnibus Rule.

Continuous Assurance

We approach compliance, like security, as a continuous cycle.  Our NIST SP 800-30 Rev 1 risk assessment drives our organizational policies and procedures, which in turn drive our training cycle.  We use operational feedback to continuously refine and improve our risk posture.

All of our operational security metrics are monitored continuously by our deployment provider, Aptible.  Our compliance status is available in real time, 24/7.

Attention to Detail

All traffic is encrypted in transit with SSL/TLS.  All data is encrypted at rest with full key/data segregation.  We use only FIPS 140-2 validated cryptographic modules.

All data access is restricted to approved employees based on job function.  All access is logged and stored for auditing and anomaly detection.

Our hosting provider is regularly audited against the SSAE 16 and ISO 27001 frameworks.

All services are hosted within a private subnet, addressable only through a whitelisted gateway.

Per our Security Policy, we continually review our code for OWASP, CVE, and NVD-reported vulnerabilities.

All data is stored exclusively in one of three data centers in Ashburn, VA.  Nightly back-ups are made to a data center in Hayward, CA.

Telephone Consumer Protection Act (TCPA)

The Telephone Consumer Protection Act (TCPA) is a federal law that regulates how consumers can be contacted by telephone, text message, and fax.  The TCPA regulations apply to the messages providers are able to send through the MedPilot Platform to communicate with patients.  To simplify adherence to these regulations, we have built our platform to fully support compliance with the TCPA.

By law, patients must have a clear ability to opt-in to receive digital messages, and maintain an easy ability to opt-out of receiving future communications.  MedPilot makes this simple in its design.

We have created customizable, turnkey legal templates for healthcare providers to implement in their Terms of Service starting at patient registration, to obtain proper legal consent from patients to receive digital messages.