HIPAA Compliance at MedSpa Oversight

MedSpa Oversight is built from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Protecting patient health information is central to everything we do.

Last updated: March 29, 2026

Our Commitment

MedSpa Oversight facilitates medical clearance consultations between clinics and licensed nurse practitioners via secure video. Because our platform handles Protected Health Information (PHI), we maintain comprehensive administrative, physical, and technical safeguards in accordance with HIPAA regulations.

We regularly review and update our security practices to align with evolving regulatory requirements and industry best practices.

Encrypted Video Consultations

All video consultations conducted through MedSpa Oversight are protected with end-to-end encryption. Video streams are encrypted in transit using TLS 1.2 or higher, ensuring that consultation content cannot be intercepted or accessed by unauthorized parties.

  • TLS 1.2+ encryption for all video streams
  • No recording or storage of video content
  • HIPAA-compliant video infrastructure partners

Encrypted Data at Rest

All patient data and PHI stored within MedSpa Oversight's systems is encrypted at rest using AES-256 encryption. This includes patient records, clearance letters, consultation metadata, and any associated documentation.

  • AES-256 encryption for all stored data
  • Encrypted database backups
  • Secure key management practices

Comprehensive Audit Logging

MedSpa Oversight maintains detailed audit logs of all system activity involving PHI. These logs are immutable, timestamped, and retained in accordance with HIPAA requirements. Audit logs include user access events, data modifications, consultation records, and administrative actions.

  • Immutable, timestamped audit records
  • Tracks all access to PHI
  • Retained per HIPAA retention requirements

Business Associate Agreements

MedSpa Oversight executes Business Associate Agreements (BAAs) with all covered entities that use our platform. We also maintain BAAs with our own subcontractors and service providers who may have access to PHI. BAAs are available upon request during account setup or at any time by contacting our compliance team.

PHI Handling

MedSpa Oversight collects and processes only the minimum necessary PHI required to facilitate medical clearance consultations. We follow the HIPAA Minimum Necessary Standard to limit the use and disclosure of PHI to what is reasonably needed.

  • Minimum necessary standard enforced
  • PHI used only for clearance consultations
  • No sale or unauthorized sharing of PHI

Access Controls

MedSpa Oversight implements role-based access controls (RBAC) to ensure that users can only access the data and features appropriate to their role. Authentication is enforced for all platform access, and session management follows security best practices.

  • Role-based access controls (clinic, NP, admin)
  • Secure authentication and session management
  • Automatic session timeout for inactive users
  • Employee access limited on a need-to-know basis

Questions About Our Compliance Program?

Our compliance team is available to discuss our security practices, provide documentation, or arrange a BAA.