Security Compliance
Protecting your health information is our highest priority. HeyMedicaid employs industry-leading security measures, continuous monitoring, and comprehensive compliance frameworks to ensure your data remains safe and private.
Zero Trust Architecture: HeyMedicaid operates on a zero-trust security model. Every request is verified, every access is logged, and every transaction is encrypted. We assume breach and design our systems to protect your data even if one layer is compromised.
Encryption Everywhere
Identity & Access
Cloud Security
Monitoring & Detection
Data Protection
Application Security
HIPAA Compliance
Complete adherence to HIPAA Privacy, Security, and Breach Notification Rules. Annual risk assessments and continuous monitoring ensure ongoing compliance.
SOC 2 Type I
Currently undergoing SOC 2 Type I certification. Expected completion Q2 2025. Demonstrating security, availability, and confidentiality controls.
State Privacy Laws
Full compliance with CCPA/CPRA, VCDPA, CPA, and other state privacy regulations. Regular updates to maintain compliance with evolving laws.
ISO 27001
Implementing ISO 27001 information security management system. Target certification Q4 2025 for international standards compliance.
Incident Response
24/7 incident response team with defined escalation procedures. Average detection time under 15 minutes, containment within 1 hour. Mandatory breach notification within regulatory timeframes.
95% of incidents resolved within SLA
Vulnerability Management
Monthly penetration testing, quarterly security assessments, and continuous vulnerability scanning. Critical patches applied within 24 hours, high-priority within 72 hours.
100% critical vulnerabilities patched within SLA
Employee Security Training
Mandatory security training for all employees upon hiring and annually thereafter. Specialized HIPAA training for those handling PHI. Simulated phishing exercises monthly.
98% employee training completion rate
HeyMedicaid leverages AWS HIPAA-eligible data centers with SOC 1/2/3, ISO 27001, and FedRAMP certifications. Multiple availability zones ensure 99.99% uptime SLA.
Biometric Access: Multi-factor authentication
24/7 Surveillance: Security personnel on-site
Redundant Power: N+1 power redundancy
Geo-Redundancy: Multi-region backups
Security Team
HeyMedicaid Security Operations
PO Box 1234
San Francisco, CA 94102
Report Security Issues
Security Incidents: security@heymedicaid.com
24/7 Hotline: 1-800-SEC-RITY
Bug Bounty: bugbounty@heymedicaid.com
Compliance: compliance@heymedicaid.com
Report a Security Vulnerability: If you discover a security vulnerability, please report it immediately to security@heymedicaid.com. We offer a responsible disclosure program with rewards for valid security findings. Do not publicly disclose vulnerabilities until we've had a chance to address them.