MediLink
Compliance

Built for the rules that govern PI referrals.

MediLink handles protected health information and case data. We treat compliance as a baseline requirement, not an afterthought.

Last updated: May 19, 2026

  • HIPAA: Administrative, physical, and technical safeguards across the platform.
  • SOC 2 Type II: Independent audit of security, availability, and confidentiality controls.
  • BAA available: Business Associate Agreement signed with every clinic and firm at onboarding.
  • State licensing: Provider credentials verified against NPI, state license, and malpractice records.

HIPAA

MediLink is a covered entity's business associate when it processes protected health information (PHI) on behalf of medical providers and law firms. We maintain administrative, physical, and technical safeguards consistent with the HIPAA Privacy and Security Rules, including:

  • Access controls with role-based permissions and least-privilege defaults
  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Audit logging on all PHI access, with tamper-evident retention
  • Workforce training on HIPAA and incident response
  • Documented breach notification procedures consistent with 45 CFR §164.400

We sign a Business Associate Agreement (BAA) with every clinic, firm, and downstream subcontractor that touches PHI. A standard BAA is provided during onboarding and can be reviewed in advance on request.

SOC 2

MediLink's infrastructure is audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Our most recent report is available under NDA to current and prospective customers — request a copy from your account team or security@medilink.vip.

Data security

  • Hosted on SOC 2-certified U.S. cloud infrastructure
  • Multi-factor authentication required for all staff and admin accounts
  • Production access restricted to a small, audited group of engineers
  • Continuous vulnerability scanning and periodic third-party penetration testing
  • Backups encrypted and geographically replicated; documented recovery objectives

Provider verification

Before a clinic is matched with referrals, we verify:

  • National Provider Identifier (NPI) and provider taxonomy
  • State medical license status with the applicable licensing board
  • Active malpractice coverage with sufficient limits
  • Sanction screening against OIG-LEIE and SAM exclusion lists

State law & PI-specific rules

Personal injury referrals are governed by overlapping state rules — including fee-splitting, anti-kickback, and physician self-referral restrictions. MediLink's operating model is designed so that attorneys and clinics each contract directly with MediLink for software and verification services, not for case-by-case referral payments. Availability and pricing of certain features may vary by state.

MediLink does not provide legal advice. Each user is responsible for confirming that its use of the platform complies with the bar rules and medical practice regulations of the jurisdictions in which it operates.

Reporting a security issue

If you believe you've found a security vulnerability or a privacy incident affecting MediLink, please email security@medilink.vip. We acknowledge reports within one business day and respond on a coordinated-disclosure basis.

© 2026 MediLink Health, Inc. All rights reserved.
hello@medilink.vip