1. Our Commitment
MyMedAccess Inc. publishes the certifications, accreditations, and regulatory compliance attestations that govern our handling of your protected health information. This page is updated whenever an attestation is added, renewed, or superseded. Active users are notified via in-app announcement when new accreditations are received.
For a copy of any certificate, attestation letter, or signed Business Associate Agreement listed below, contact connect@mymedaccess.io.
2. Accreditations
Independent third-party accreditations of MyMedAccess as a consumer-facing health application:
CARIN Code of Conduct for Consumer-Facing Applications (CARIN-CFA)
Status: In Progress
- Issuing Organization: DirectTrust
- Scope: MyMedAccess consumer health record application (iOS, Android)
- Issued: Submission in progress (May 2026)
- Expires: Pending accreditation decision
Submission targeted for the May 2026 filing window in support of the CMS Health Tech Ecosystem launch. Decision expected following DirectTrust assessor review.
3. Regulatory Compliance Attestations
Self-attested compliance with the federal regulations governing personal health information in the United States:
HIPAA Privacy Rule
Status: Active
- Issuing Organization: U.S. Department of Health & Human Services (45 C.F.R. Parts 160 and 164)
- Issued: May 14, 2026
- Expires: Continuous (re-attested with each material policy change)
Implementation documented in our Privacy & HIPAA Policy.
HIPAA Security Rule
Status: Active
- Issuing Organization: U.S. Department of Health & Human Services (45 C.F.R. Part 164, Subpart C)
- Issued: May 14, 2026
- Expires: Continuous (re-attested with each material control change)
Administrative, physical, and technical safeguards documented in our engineering security specification.
HIPAA Breach Notification Rule
Status: Active
- Issuing Organization: U.S. Department of Health & Human Services (45 C.F.R. Part 164, Subpart D)
- Issued: May 14, 2026
- Expires: Continuous
Notification timing and content requirements documented in §9 of our Privacy & HIPAA Policy.
HITECH Act
Status: Active
- Issuing Organization: U.S. Congress (42 U.S.C. § 17931 et seq.)
- Issued: May 14, 2026
- Expires: Continuous
4. Infrastructure Vendor Attestations
The certifications below are held by our infrastructure providers rather than MyMedAccess directly. They support the hosting layer of our compliance posture. All listed vendors have executed Business Associate Agreements with MyMedAccess where required by HIPAA.
Amazon Web Services (Bedrock, S3, Textract, SES)
Status: Active
- Issuing Organization: Amazon Web Services, Inc.
- Scope: LLM inference, object storage, OCR, transactional email
- Issued: See AWS Artifact
- Expires: Continuous
AWS holds SOC 2 Type II, ISO 27001, and HIPAA-eligible service designations. MyMedAccess operates under a signed AWS Business Associate Addendum. AWS Bedrock provides zero data retention for our model invocations.
DigitalOcean App Platform
Status: Active
- Issuing Organization: DigitalOcean, LLC
- Scope: Application hosting, managed PostgreSQL
- Issued: See DigitalOcean Trust Center
- Expires: Continuous
DigitalOcean holds SOC 2 Type II and provides HIPAA-eligible infrastructure under a signed Business Associate Agreement.
Expo Application Services
Status: Active
- Issuing Organization: 650 Industries, Inc.
- Scope: Mobile build pipeline and push notification delivery
- Issued: See Expo privacy documentation
- Expires: Continuous
Push notification payloads contain no protected health information. Device push tokens are used solely for delivery of application notifications.
5. Independent Audits
MyMedAccess has not yet completed an independent third-party security audit. Internal forensic review of our compliance evidence has been completed in connection with the CARIN-CFA submission, with corrections incorporated into the published policies and engineering specifications.
A SOC 2 Type I readiness assessment is planned for Q1 2027, with a SOC 2 Type II audit window targeted for the following operational year. This page will be updated as those engagements are commissioned and completed.
6. How We Notify You of Changes
When a new accreditation is received, renewed, or expires, MyMedAccess updates this page within five (5) business days and sends an in-app announcement to all active users. Users may also subscribe to compliance updates by emailing connect@mymedaccess.io with the subject line "Compliance Updates".
7. Reporting a Concern
If you believe MyMedAccess has failed to meet any commitment listed on this page, please contact our Privacy & Compliance Officer:
Michael Ajay Mangra, Privacy & Compliance Officer
Email: connect@mymedaccess.io
MyMedAccess Inc. — 1050 NW 15th Street, Suite 201A, Boca Raton, FL 33486
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr without retaliation.