Compliance & Security

Last updated: March 2026

HIPAA Compliance

Medical Coding Online is designed with HIPAA (Health Insurance Portability and Accountability Act) awareness to protect sensitive patient health information:

  • No Permanent PHI Storage: Clinical notes are processed in-memory and immediately discarded after code generation. We do not log, store, or retain any protected health information.
  • Encrypted Transmission: All data is transmitted over HTTPS (TLS 1.3) with end-to-end encryption.
  • De-identification Recommended: We strongly recommend removing patient names, dates of birth, Social Security numbers, and other identifiers before submitting notes.
  • Business Associate Agreements: Available for Pro, Plus Pro, and Unlimited plan customers upon request.
  • Access Controls: Role-based access controls for team accounts (Enterprise plans).

CMS & Medicare Compliance

Our AI medical coding platform aligns with Centers for Medicare & Medicaid Services (CMS) coding guidelines:

  • ICD-10-CM Guidelines: Updated annually (October 1) to reflect official ICD-10-CM coding guidelines published by CMS and NCHS.
  • CPT Code Updates: Quarterly updates to reflect American Medical Association (AMA) CPT code changes.
  • NCCI Edits: National Correct Coding Initiative (NCCI) edit detection to prevent improper code combinations.
  • LCD/NCD Coverage: Local and National Coverage Determination alerts for common procedures (Enterprise plans).
  • Human Oversight Required: CMS requires licensed medical coders to review and approve all codes before Medicare/Medicaid claim submission. Our AI assists coders but does not replace them.

Data Security & Privacy

We implement industry-standard security practices to protect user data:

  • Infrastructure Security: Hosted on Vercel and Supabase with SOC 2 Type II compliance.
  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.3).
  • AI Provider: Clinical notes sent to Anthropic (Claude API) for processing. Anthropic does not train models on customer data and provides enterprise-grade privacy protections.
  • Session Security: Notes are retained in memory only while a request is being processed (2-5 seconds), then permanently deleted.
  • Rate Limiting: IP-based rate limiting prevents abuse and protects system integrity.
  • Audit Logs: Available for Enterprise plans to track code generation activity.

State Licensing & Regulatory Recognition

Medical Coding Online is a software tool designed to assist certified medical coders and healthcare professionals. The platform does not perform medical coding as a service and does not require state licensing. Users are responsible for ensuring their use of the tool complies with state-specific regulations governing medical coding, billing, and telehealth services in their jurisdiction.

Professional Standards & Ethical Use

We support industry best practices established by professional organizations:

  • AHIMA Standards: Aligned with American Health Information Management Association (AHIMA) coding ethics and quality standards.
  • AAPC Guidelines: Follows American Academy of Professional Coders (AAPC) principles for accurate code assignment.
  • Upcoding Prevention: Confidence scores flag potentially over-coded services for human review.
  • Documentation Support: Each code includes rationale citing specific documentation, creating an audit trail.
  • No Automated Claim Submission: The platform generates code suggestions only. Users must review, approve, and manually submit claims through their practice management system.

Security Certifications & Audits

Our infrastructure providers maintain the following certifications:

  • SOC 2 Type II (Vercel, Supabase)
  • ISO 27001 Information Security Management
  • GDPR Compliance (European data protection)
  • CCPA Compliance (California Consumer Privacy Act)

Annual third-party security audits are conducted for Enterprise plans. Contact support@medicalcoding.online for audit reports.

Data Handling Policy

How we handle your data:

  • Clinical Notes: Processed in-memory, never stored permanently. Sent to Anthropic API for AI analysis, then discarded.
  • Usage Metadata: On the Free plan, IP address and generation count are stored for 30 days for rate limiting. Paid plans use account-based usage tracking instead.
  • Generated Codes: Not retained by our servers. Users can download results as CSV/PDF for their own records.
  • Account Data: Email, name, and billing information (paid plans only) stored securely and never shared with third parties.
  • No Marketing Use: We do not use clinical notes or generated codes for marketing, advertising, or AI model training.

Incident Response & Breach Notification

In the unlikely event of a data security incident, we will notify affected users within 72 hours via email and provide details about the nature of the breach, data affected, and remediation steps taken. For HIPAA-covered entities with Business Associate Agreements, we will follow HIPAA Breach Notification Rule timelines.

Questions About Compliance?

For compliance-related questions, Business Associate Agreement requests, or security documentation, contact our compliance team at compliance@medicalcoding.online or general support at support@medicalcoding.online.