Compliance

HIPAA Compliance

MedHook is designed from the ground up to support HIPAA-compliant healthcare data integration. Our self-hosted architecture keeps PHI within your infrastructure.

Your PHI never leaves your infrastructure

The MedHook Engine is self-hosted on infrastructure you own and control. Healthcare data, patient records, and clinical payloads are processed entirely within your network. MedHook receives only aggregate usage counters (workflow counts, credit consumption) — never the data itself.

HIPAA Safeguards

Technical Safeguards

  • AES-256-GCM encryption for all credentials at rest
  • JWT authentication with short-lived tokens (2h expiry)
  • TLS for all data in transit (HTTPS enforced via HSTS on medhook.dev)
  • Sandboxed JavaScript execution (isolated-vm)
  • SSRF protection blocking private network access

Audit Controls

  • Complete audit log of all CRUD operations
  • Actor identity, timestamp, and change details per event
  • Workflow execution history with status tracking
  • 90-day default retention (configurable for Enterprise)
  • Exportable audit records for compliance review

Access Controls

  • Role-Based Access Control (RBAC) at API and middleware layers
  • Admin role enforcement in both JWT claims and database
  • License key management — keys stored as SHA-256 hashes only
  • OAuth 2.0 provider integration for medhook.dev authentication
  • Session expiry and revocation controls

Physical & Organizational

  • Self-hosted model: PHI stays on your infrastructure
  • You control VPC, network boundaries, and storage policies
  • Docker Compose and Terraform deployment with configurable regions
  • No PHI ever transmitted to MedHook servers
  • Multi-cloud support: AWS, Azure, GCP, or on-premises

Business Associate Agreement (BAA)

Enterprise customers can execute a Business Associate Agreement (BAA) with 1PuttHealth LLC. A BAA is required when MedHook services are used in connection with covered healthcare operations.

Because MedHook is self-hosted and does not process PHI on our servers, many customers operate without a BAA. However, we are happy to execute one for Enterprise customers whose compliance programs require it.

Contact sales@medhook.dev to request a BAA or discuss Enterprise compliance requirements.

Questions about compliance?

Our team can walk you through the architecture and help you assess fit for your compliance program.