HIPAA Compliance
Documentation
How Meridian satisfies HIPAA Security Rule requirements for protected health information processed through our licensing infrastructure.
Administrative Safeguards
- Security Management Process — documented risk analysis updated quarterly; risk management plan with remediation timelines.
- Assigned Security Responsibility — designated Security Officer with direct board reporting line.
- Workforce Training — annual HIPAA training with attestation; role-based access refreshers every 90 days.
Physical Safeguards
- Facility Access Controls — SOC 2 Type II colocation; biometric + badge multi-factor entry logging.
- Workstation Security — full-disk encryption on all administrative endpoints; automatic screen lock at 5 minutes.
Technical Safeguards
- Access Control — unique user IDs, automatic logoff after 15 minutes, emergency access procedure documented.
- Audit Controls — all PHI access logged with immutable append-only storage; 6-year retention minimum.
- Integrity Controls — Ed25519-signed payloads; HMAC verification on all license tokens and cached authorizations.
- Transmission Security — TLS 1.3 exclusively; ChaCha20-Poly1305 for all data-at-rest encryption of PHI.
Breach Notification
Meridian maintains a 72-hour breach notification window per the HITECH Act. Affected parties and HHS are notified via documented procedures tested semi-annually with tabletop exercises.
Full Business Associate Agreement available upon request.