How MedSightAI Meets HIPAA Requirements (on Microsoft Azure)
What we do.
MedSightAI transcribes clinician–patient conversations using Azure AI
Speech, generates structured notes with the Azure OpenAI Service, and
delivers them securely to the care team through our Azure-hosted
application and APIs. Because we process protected health information
(PHI), we implement safeguards required by the HIPAA Security
Rule (administrative, technical, physical), adhere to the Privacy
Rule’s minimum necessary standard, and maintain breach-response
procedures under the Breach Notification Rule.
Shared Responsibility & BAA
MedSightAI operates on Microsoft Azure services that support HIPAA compliance under a Business Associate Agreement (BAA) with Microsoft. In this shared responsibility model:
- Azure provides secure, compliant infrastructure controls (facilities, physical protections, core cloud services).
- MedSightAI configures and manages application-level and organizational controls (access, logging, policies, training, incident response).
Safeguard Summary
Administrative Safeguards
- Risk management: Periodic HIPAA risk analyses, risk register maintenance, and remediation tracking.
- Policies & training: Workforce HIPAA training, role-based access, sanctions for violations, vendor reviews, and change management.
- Audit & monitoring: Access log reviews, configuration baselines, security alert monitoring; documented incident response and breach notification procedures.
- Business continuity: Tested backup/restore, disaster recovery runbooks, and emergency-mode operations.
Technical Safeguards
- Identity & access: Microsoft Entra ID (Azure AD), RBAC, MFA, least-privilege roles, just-in-time elevation.
- Network protection: Azure Virtual Networks, NSGs, Private Link/Endpoints to keep PaaS traffic off the public internet; egress restrictions.
- Encryption: TLS 1.2+ in transit; AES-256 at rest; secrets/keys in Azure Key Vault with rotation, soft-delete, and purge protection (CMK available).
- Logging & audit trails: Centralized via Azure Monitor/Defender; immutable log storage and retention aligned with evidentiary requirements.
- Data handling: PHI confined to MedSightAI’s Azure tenant. Azure OpenAI prompts/outputs remain within the Azure boundary and are not used for model training. Minimum-necessary data capture and retention enforced.
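The network-protection and encryption safeguards above are concrete resource settings that can be checked continuously rather than attested once a year. The following is an added example (not MedSightAI's code) of such a check: it audits Azure Resource Manager style resource JSON for Key Vault soft-delete and purge protection, storage and SQL minimum TLS versions, HTTPS-only traffic, and public network access, and maps each failure back to the safeguard it belongs to. The ARM property names used are real; the resource names and values below are constructed for the example, as is the assumption that an operator would feed it the output of a resource export.

```python
"""Audit Azure resource configuration against the technical safeguards
listed above (added example; not MedSightAI's own tooling).

Resource dictionaries follow the ARM API shape ("type", "name",
"properties"). The property names in CHECKS are real ARM properties;
the SAMPLE_RESOURCES are constructed for this example.
"""
import copy
from typing import Any

# (ARM resource type, property, expected value, safeguard on the page, requirement)
CHECKS = [
    ("Microsoft.KeyVault/vaults", "enableSoftDelete", True,
     "Encryption", "Key Vault soft-delete must be enabled"),
    ("Microsoft.KeyVault/vaults", "enablePurgeProtection", True,
     "Encryption", "Key Vault purge protection must be enabled"),
    ("Microsoft.KeyVault/vaults", "publicNetworkAccess", "Disabled",
     "Network protection", "Key Vault must be reachable only via Private Link"),
    ("Microsoft.Storage/storageAccounts", "minimumTlsVersion", "TLS1_2",
     "Encryption", "Storage must require TLS 1.2 or later"),
    ("Microsoft.Storage/storageAccounts", "supportsHttpsTrafficOnly", True,
     "Encryption", "Storage must reject plaintext HTTP"),
    ("Microsoft.Storage/storageAccounts", "publicNetworkAccess", "Disabled",
     "Network protection", "Storage must be reachable only via Private Endpoint"),
    ("Microsoft.Sql/servers", "minimalTlsVersion", "1.2",
     "Encryption", "Azure SQL must require TLS 1.2"),
    ("Microsoft.Sql/servers", "publicNetworkAccess", "Disabled",
     "Network protection", "Azure SQL must be reachable only via Private Endpoint"),
]


def audit_resources(resources: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per failed check.

    A property that is absent counts as a failure: the audit does not
    assume that a service default is the safe value.
    """
    findings = []
    for res in resources:
        props = res.get("properties", {})
        for rtype, prop, expected, safeguard, requirement in CHECKS:
            if res.get("type") != rtype:
                continue
            actual = props.get(prop)
            if actual != expected:
                findings.append({
                    "resource": res.get("name"),
                    "safeguard": safeguard,
                    "requirement": requirement,
                    "property": prop,
                    "expected": expected,
                    "actual": actual,
                })
    return findings


def remediated(resource: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the resource with every checked property set to
    the expected value, i.e. the hardened configuration side by side
    with the weak one. Other properties are left untouched."""
    fixed = copy.deepcopy(resource)
    props = fixed.setdefault("properties", {})
    for rtype, prop, expected, _, _ in CHECKS:
        if resource.get("type") == rtype:
            props[prop] = expected
    return fixed


# Constructed sample: one compliant vault, one weak storage account
# (TLS 1.0 allowed, public endpoint open), one SQL server that never
# set publicNetworkAccess at all.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-example-prod",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexamplephi",
     "properties": {"minimumTlsVersion": "TLS1_0",
                    "supportsHttpsTrafficOnly": True,
                    "publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.Sql/servers", "name": "sql-example-prod",
     "properties": {"minimalTlsVersion": "1.2"}},
]

if __name__ == "__main__":
    for f in audit_resources(SAMPLE_RESOURCES):
        print(f"[{f['safeguard']}] {f['resource']}: {f['requirement']} "
              f"(got {f['actual']!r}, expected {f['expected']!r})")
    print("after remediation:",
          audit_resources([remediated(r) for r in SAMPLE_RESOURCES]))
```

Run as a script it lists three findings on the sample (TLS 1.0 and public access on the storage account, unset public access on the SQL server) and an empty list once `remediated` has been applied. Treating a missing property as a finding matters in practice: a resource created without an explicit minimum TLS version or network-access setting may be running on an older, weaker default, and the evidence a customer asks for should be what is actually set.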
Physical Safeguards
- Facilities & devices: Azure data center controls (badging, surveillance, environmental protections). MedSightAI-managed endpoints use asset management, full-disk encryption, and enforced lock/timeout policies.
Service Data Flows (High Level)
- Audio ingestion → Azure AI Speech (STT) in MedSightAI’s tenant.
- Transcripts → Azure OpenAI Service for note generation within designated Azure region(s).
- Storage & delivery → Encrypted databases and APIs (Azure SQL/Blob) via private networking and RBAC.
- Observability → Centralized monitoring and alerts feeding incident response.
Evidence Available to Customers
- HIPAA risk analysis and risk register
- Security policies, standards, and training records
- Data-flow diagrams and asset inventories
- Access control matrices and sample access reviews
- Logging/monitoring configurations and sample audit logs
- Backup/DR test results and incident-response runbooks
- Microsoft BAA confirmation and in-scope Azure services
External Audits & Customer Assurance
- Current state: MedSightAI runs an internal HIPAA compliance program and self-assesses against HIPAA requirements.
- Customer assurance: We provide documented evidence (above) during security reviews and due diligence.
- Roadmap: Prepared to engage independent auditors (HIPAA/HITRUST mapping or SOC 2 Type II with HIPAA criteria) when required by customers or market demand.
Appendix: HIPAA Security Rule – MedSightAI Control Mapping
| Safeguard Category | Implementation Specification | HIPAA Type | MedSightAI Control |
|---|---|---|---|
| Administrative | Security Management Process (Risk Analysis & Risk Management) | Required | Periodic HIPAA risk analyses, maintained risk register, remediation tracking. |
| Administrative | Sanction Policy | Required | Documented sanctions for HIPAA violations. |
| Administrative | Information System Activity Review | Required | Access log reviews, security alerts, baseline configuration checks, centralized monitoring. |
| Administrative | Assigned Security Responsibility | Required | Designated Security Officer overseeing HIPAA program. |
| Administrative | Workforce Security (Authorization, Supervision, Termination) | Addressable | Role-based access, HR onboarding/offboarding controls. |
| Administrative | Information Access Management | Required | RBAC in Azure AD, least privilege, periodic access reviews. |
| Administrative | Security Awareness & Training | Required | Workforce HIPAA/privacy training, phishing simulations, refresher courses. |
| Administrative | Security Incident Procedures | Required | Documented incident response plan with breach notification procedures. |
| Administrative | Contingency Plan (Backup, DR, Emergency Mode, Testing) | Required | Tested backup/restore, DR runbooks, emergency-mode operations tested annually. |
| Administrative | Evaluation | Required | Annual HIPAA security self-assessment and readiness reviews. |
| Administrative | Business Associate Contracts | Required | BAA with Microsoft for Azure services; vendor reviews for other third parties. |
| Physical | Facility Access Controls | Required | Azure data center protections (badging, surveillance, environmental safeguards). |
| Physical | Workstation Use | Required | Policies for workforce devices, screen-lock, no-PHI-on-personal-device enforcement. |
| Physical | Workstation Security | Addressable | Asset inventory, disk encryption, endpoint management (MDM). |
| Physical | Device & Media Controls | Required | Asset tracking, secure disposal process, encrypted backups. |
| Technical | Access Control (Unique ID, Emergency Access, Auto Logoff, Encryption) | Required | Entra ID unique logins, JIT elevation, auto-lock policies, AES-256 at rest, TLS 1.2+ in transit. |
| Technical | Audit Controls | Required | Centralized logs in Azure Monitor/Defender, immutable storage, retention for evidentiary needs. |
| Technical | Integrity | Addressable | Hashing & checksums in storage, change monitoring via Defender. |
| Technical | Person/Entity Authentication | Required | MFA, SSO with Entra ID. |
| Technical | Transmission Security | Required | TLS 1.2+/1.3 enforced; private endpoints/Private Link for internal traffic. |