Medipyxis blog, 6 min read

Is Medipyxis HIPAA Compliant? Security, BAAs, and Data Protection

Medipyxis HIPAA compliance — encryption, access controls, BAA coverage, audit logging, and the security architecture that protects patient data in mobile wound care.


Damon Ebanks


Is Medipyxis HIPAA Compliant?

Yes. Medipyxis is built with HIPAA compliance as a baseline requirement of the platform, not an add-on tier or a paid upgrade. Every account, every plan, every feature operates under the same security controls. In wound care, where clinicians photograph patient wounds, transmit clinical data from the field, and share records across care teams, HIPAA compliance is not a feature — it is the minimum standard for handling patient information responsibly.

Here is how Medipyxis meets each of the major HIPAA security requirements.


Encryption at Rest and in Transit

All protected health information stored in Medipyxis is encrypted at rest using AES-256 encryption. Data in transit between the clinician's device and Medipyxis servers is encrypted via TLS 1.2 or higher. This applies to every data type the platform handles: wound photographs, visit notes, billing records, patient demographics, and clinical attachments.

Encryption covers the full data lifecycle. Patient wound photos taken on a mobile device are encrypted before they leave the device. They remain encrypted during transmission and while stored on the server. When a clinician pulls up a patient record in the field, the decrypted data is only available within the authenticated session.


Role-Based Access Controls

Not everyone in a wound care practice needs access to everything. A biller needs charge data and claim status. A clinician needs clinical records for their assigned patients. An administrator needs practice-wide reporting. Medipyxis enforces role-based access controls that limit each user to the data their role requires.

Access is scoped at the facility level. A clinician working across multiple facilities sees only the patients and records associated with their assigned locations. Administrative users see what their role and facility assignment permits. These controls are enforced server-side — they cannot be bypassed by modifying the application on the device.
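The combined role-plus-facility check described above, as an added illustration that is not Medipyxis code: the role table, record types, user and facility ids are all constructed for the example, and the filter runs server-side so the client never receives a record it is not permitted to read.

```python
# Added example (not Medipyxis code): a server-side authorization check that
# combines a role permission table with facility scoping. Role names, record
# types and the sample ids below are constructed for illustration only.
from dataclasses import dataclass

# Which record types each role may read, mirroring the article: billers see
# charge and claim data, clinicians see clinical records, administrators see
# practice-wide reporting. Unknown roles get no permissions (deny by default).
ROLE_PERMISSIONS = {
    "biller": {"charge", "claim"},
    "clinician": {"wound_photo", "visit_note", "attachment"},
    "administrator": {"report"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    facilities: frozenset  # facility ids this user is assigned to


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    facility_id: str


def is_authorized(user: User, record: Record) -> bool:
    """Allow only if the role permits the record type AND the record belongs
    to one of the user's assigned facilities. Both checks are evaluated on
    the server, so a modified client cannot widen its own access."""
    allowed_types = ROLE_PERMISSIONS.get(user.role, set())
    if record.record_type not in allowed_types:
        return False
    return record.facility_id in user.facilities


def visible_records(user: User, records):
    """Server-side filter applied before any response leaves the API."""
    return [r for r in records if is_authorized(user, r)]


# Constructed sample data: one clinician assigned to facility A only.
SAMPLE_RECORDS = [
    Record("r1", "wound_photo", "fac-a"),
    Record("r2", "wound_photo", "fac-b"),   # other facility: hidden
    Record("r3", "claim", "fac-a"),         # billing data: wrong role
]
CLINICIAN_A = User("u1", "clinician", frozenset({"fac-a"}))
```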


Audit Logging

HIPAA requires covered entities to track who accessed what, when, and from where. Medipyxis maintains detailed audit logs for all access to protected health information. Every record view, edit, and export is logged with the user identity, timestamp, and action performed.

These logs serve two purposes. Operationally, they let practice administrators monitor access patterns and investigate any anomalies — a user accessing records outside their normal patient panel, an unusual volume of record exports, or access attempts from unfamiliar locations. From a compliance standpoint, the audit trail provides the documentation required during a HIPAA investigation or breach assessment.
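Running the three anomaly checks named above over audit entries, as an added example that is not Medipyxis code: the log format, field names, patient panels, known locations and the per-day export threshold are all constructed assumptions for the illustration.

```python
# Added example (not Medipyxis code): flagging the three audit-log anomalies the
# article lists. Field names, sample entries, panels and thresholds are constructed.
from collections import Counter

# Constructed audit entries: who, when (UTC), which action, which patient, from where.
AUDIT_LOG = [
    {"user": "nurse1",  "ts": "2024-03-01T09:00:00Z", "action": "view",   "patient": "p-101", "loc": "fac-a"},
    {"user": "nurse1",  "ts": "2024-03-01T09:05:00Z", "action": "edit",   "patient": "p-102", "loc": "fac-a"},
    {"user": "nurse1",  "ts": "2024-03-01T09:20:00Z", "action": "view",   "patient": "p-777", "loc": "fac-a"},
    {"user": "biller1", "ts": "2024-03-01T10:00:00Z", "action": "export", "patient": "p-101", "loc": "office"},
    {"user": "biller1", "ts": "2024-03-01T10:01:00Z", "action": "export", "patient": "p-102", "loc": "office"},
    {"user": "biller1", "ts": "2024-03-01T10:02:00Z", "action": "export", "patient": "p-103", "loc": "office"},
    {"user": "biller1", "ts": "2024-03-01T10:03:00Z", "action": "export", "patient": "p-104", "loc": "office"},
    {"user": "nurse1",  "ts": "2024-03-01T23:40:00Z", "action": "view",   "patient": "p-101", "loc": "203.0.113.5"},
]

# Constructed baselines: each user's normal patient panel and known access locations.
PATIENT_PANEL = {
    "nurse1": {"p-101", "p-102"},
    "biller1": {"p-101", "p-102", "p-103", "p-104"},
}
KNOWN_LOCATIONS = {"nurse1": {"fac-a"}, "biller1": {"office"}}


def find_anomalies(log, panels, known_locs, export_limit=3):
    """Return (user, anomaly_type, detail) tuples for: access to a patient
    outside the user's panel, access from an unfamiliar location, and more
    than export_limit exports by one user in one calendar day."""
    findings = []
    exports_per_day = Counter()
    for entry in log:
        user = entry["user"]
        # 1. Record access outside the user's normal patient panel.
        if entry["patient"] not in panels.get(user, set()):
            findings.append((user, "outside_panel", entry["patient"]))
        # 2. Access from a location not previously seen for this user.
        if entry["loc"] not in known_locs.get(user, set()):
            findings.append((user, "unfamiliar_location", entry["loc"]))
        # 3. Count exports per user per day (date is the first 10 chars of ts).
        if entry["action"] == "export":
            exports_per_day[(user, entry["ts"][:10])] += 1
    for (user, day), count in sorted(exports_per_day.items()):
        if count > export_limit:
            findings.append((user, "export_volume", f"{count} on {day}"))
    return findings
```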


Business Associate Agreements

Under HIPAA, any entity that handles PHI on behalf of a covered entity must execute a Business Associate Agreement. Medipyxis provides BAA coverage for all PHI processing performed on the platform. This covers data storage, data transmission, backup, and any system operations that touch patient information.

BAA coverage extends through the infrastructure chain. The cloud infrastructure providers, database services, and third-party integrations that Medipyxis relies on are each covered by their own BAAs, creating an unbroken chain of contractual accountability from the clinician's device to the data center.


Secure Messaging

PHI does not belong in regular email or SMS. Clinicians coordinating wound care across facilities, communicating with referral sources, or following up with patients need a communication channel that meets HIPAA security requirements. Medipyxis handles patient-related communication within the platform's secure environment, keeping PHI out of unencrypted channels where it cannot be controlled or audited.

This is particularly important for mobile wound care, where clinicians are working across SNFs, assisted living facilities, and patient homes. The temptation to text a wound photo to a colleague or email a progress note to a referring physician is a HIPAA violation waiting to happen. The platform provides the secure alternative.


Device Security for Mobile Wound Care

Mobile wound care creates device security challenges that office-based practices don't face. Clinicians carry devices containing patient data into the field. Those devices can be lost, stolen, or left in a vehicle. Medipyxis addresses this with multiple layers of device-level protection.

Encrypted local storage. When clinicians work in areas with limited connectivity, patient data cached on the device is encrypted. If the device is lost or stolen, the data is not accessible without proper authentication.

Session management. Inactive sessions time out automatically. A device left unattended at a facility desk does not remain logged into patient records indefinitely.

Remote wipe capability. If a device is lost or compromised, patient data stored locally can be wiped remotely without requiring physical access to the device.


Data Governance

HIPAA does not just regulate how data is protected while in use. It governs the full lifecycle — how long data is retained, how it is disposed of, and who authorizes destruction.

Medipyxis enforces data retention policies consistent with HIPAA requirements and state medical record retention laws. When data reaches the end of its retention period, destruction follows documented procedures that ensure PHI cannot be recovered from decommissioned storage. Retention policies are configurable at the practice level to accommodate state-specific requirements that may exceed the HIPAA minimum.


Incident Response

No security architecture eliminates risk entirely. What matters is the response plan when something goes wrong. Medipyxis maintains a documented incident response plan that covers breach detection, containment, notification, and remediation.

The incident response plan follows the HIPAA Breach Notification Rule requirements: assessment of the nature and extent of any breach, identification of affected individuals, notification within the required timelines, and mitigation of harm. Practices using Medipyxis are notified promptly when any security event affects their data, with clear information about what happened, what data was involved, and what steps are being taken.


Regular Security Assessments

HIPAA requires covered entities and their business associates to conduct regular risk assessments. Medipyxis undergoes periodic security assessments that evaluate the effectiveness of administrative, physical, and technical safeguards.

These assessments cover vulnerability scanning, access control reviews, encryption validation, and incident response readiness. Findings are remediated on a defined timeline based on severity. The assessment cycle is ongoing — security is not a one-time certification but a continuous practice.


Security as Table Stakes

HIPAA compliance is not a competitive differentiator. It is a legal obligation for any platform that handles patient health information. Medipyxis treats it accordingly — security controls are built into the platform architecture, not bolted on as an aftermarket feature.

For a broader view of how compliance fits into wound care operations, see our guide to building a wound care compliance program. To see how these security controls work within the clinical and billing workflow, visit the platform overview.
