
Compliance & security

Last updated 2026-05-18

Security and compliance are built into every layer of the Plya Med platform. Protected health information (PHI) is safeguarded by enterprise-grade controls — encryption, audit logging, role-based access, and signed Business Associate Agreements with every vendor that may touch PHI.

Regulatory posture

Plya Med is designed to operate as a HIPAA-compliant healthcare technology provider for U.S. medical practices. We align our administrative, technical, and physical safeguards with three frameworks:

  • HIPAA — Full compliance with the Health Insurance Portability and Accountability Act, including the Privacy, Security, and Breach Notification Rules.
  • HITECH — Compliance with the Health Information Technology for Economic and Clinical Health Act, including Business Associate provisions and breach-notification requirements.
  • SOC 2 — Infrastructure is hosted on SOC 2 Type II audited cloud services (Google Cloud Platform).

Encryption

  • AES-256 encryption for data at rest
  • TLS 1.2+ for data in transit
  • Encrypted database backups
  • Field-level encryption for sensitive PHI elements

Audit logging

  • Complete access audit trail for every PHI read and write
  • User, timestamp, action, and resource recorded for each event
  • IP address tracking on authenticated sessions
  • Immutable audit records — append-only, never edited or deleted

Access controls

  • Role-based access control (RBAC) enforced server-side
  • Unique user identification — no shared accounts
  • Principle of least privilege applied to every role
  • Multi-factor authentication available, and required for accounts that access PHI

Session management

  • 15-minute idle-session timeout on PHI-accessing sessions
  • Automatic logout on inactivity
  • Session activity monitoring and concurrent-session limits

Authentication

  • Password policies enforced (length, complexity, rotation)
  • Password history retained (12 previous) to block reuse
  • Account lockout after repeated failed attempts
  • MFA support available for all users

Infrastructure

  • Hosted on Google Cloud Platform HIPAA-eligible services, under a signed BAA
  • Regular security patching and dependency updates
  • Automated vulnerability scanning of application and images
  • Periodic penetration testing

Business Associate Agreements

Plya Med maintains a signed Business Associate Agreement (BAA) with every third-party vendor whose service may handle PHI on our behalf. Current vendors with active BAAs include:

  • Google Cloud Platform — cloud infrastructure and storage
  • Daily.co — HIPAA-eligible video for telehealth visits
  • SendGrid (Twilio) — transactional email
  • Twilio — transactional SMS (order notifications and account security codes)
  • Anthropic — AI documentation assistance

When evaluating any new vendor, an executed BAA is a prerequisite before they receive access to PHI.

Data retention

  • 7-year minimum retention for medical records, per Minnesota state requirements (and at the direction of the covered entity that owns the data).
  • Immutable audit logs — audit records cannot be modified or deleted, including by administrators.
  • Secure deletion — cryptographic erasure of keys on documented data-deletion requests, consistent with HIPAA retention obligations.

Reporting concerns

Security or compliance concerns can be reported to security@plyamed.com. Suspected breaches are reported to the affected covered entity per the executed BAA and applicable law.

For documentation requests (BAA template, security questionnaire responses, SOC 2 letter), contact joshua@eloramedical.net.

Plya Med · plyamed.com · Last updated 2026-05-18
© 2026 Plya Med, Inc. All rights reserved.
[VERIFY WITH LEGAL: regulatory/disclosure statement — Plya Med is not a pharmacy and does not dispense medications directly. All prescription products are sold and shipped by licensed third-party pharmacies. Practices are responsible for verifying their state-specific licensing requirements before ordering controlled or prescription items. DO NOT SHIP WITHOUT REVIEW.]