Security
Medi handles PHI for billing companies and the practices they bill for. This page states the controls plainly, including the certifications we have not earned yet. A buyer reviewing Medi should be able to verify the posture without a demo.
Plain boundary
We sign a Business Associate Agreement before any production PHI workflow goes live. We do not claim SOC 2 or HITRUST certification because we are not yet certified (SOC 2 Type II is on the roadmap, but not earned yet). Medi is reviewable through contractual BAA, documented controls, audit logging, and implementation due diligence.
Controls
Concrete controls your IT team or compliance reviewer can map to HIPAA Security Rule technical safeguards (§164.312). The list is what Medi actually does, not what a certification badge would imply.
Auth.js sessions, billing-company account context, role checks, and practice-access checks happen server-side. Public marketing pages never stand in for application authorization, and there is no client-side bypass for permission failures.
Every workspace is organized around client practices. Users only reach the practice, provider, claim, payment, and report surfaces their role and account access allow. Restricting an offshore biller to four of eight clients is native, not a workaround.
PHI access is logged in the application with user identity, tenant ID, timestamp, and action. Audit logs are retained for seven years, in line with HIPAA Security Rule §164.312(b) audit controls. Sensitive identifiers (SSN, MRN) are encrypted at rest.
HTTPS is enforced in production with HSTS, frame protection, strict referrer handling, and a content security policy tuned for the public site and authenticated app. TLS 1.2 minimum, TLS 1.3 preferred.
Review packet
The shape of a buyer-side security review for a billing company, owner, or IT reviewer before production work starts.
We sign a BAA before any PHI workflow goes live. The implementation review documents where the production boundary is and what your team needs to confirm before crossing it.
Server-side session checks (Auth.js), role-based authorization, practice-scoped access guards, and audit logging covering PHI reads and writes. Documented enough for an IT reviewer to verify the controls without a demo.
Pre-certification: SOC 2 Type II and HITRUST are on the roadmap but have not been earned yet. Medi is reviewable through contractual BAA, documented controls, audit logging, and the implementation due-diligence process — not through certification badges we cannot show.
Documented list of hosting infrastructure, clearinghouse (Stedi), and data processors. Available during implementation review for teams that need formal IT sign-off before go-live.
Implementation review
